Windows Analysis Report
nKHN8rvjmN.exe

Overview

General Information

Sample name: nKHN8rvjmN.exe (renamed because the original name is a hash value)
Original sample name: 2545b47e98ffb00e68912dbedcb8f5db.exe
Analysis ID: 1523562
MD5: 2545b47e98ffb00e68912dbedcb8f5db
SHA1: 0612d0f4417ebb63e52ad1da47db3209e848332a
SHA256: 18240be396f8b7a2a28669dfb20f4fb311daf0b1fd4c1d81df26d7f8419444d4
Tags: exe, njrat, RAT, user-abuse_ch

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Disables the Windows task manager (taskmgr)
Disables zone checking for all users
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • nKHN8rvjmN.exe (PID: 3304 cmdline: "C:\Users\user\Desktop\nKHN8rvjmN.exe" MD5: 2545B47E98FFB00E68912DBEDCB8F5DB)
    • server.exe (PID: 6044 cmdline: "C:\Users\user\AppData\Local\Temp\server.exe" MD5: 2545B47E98FFB00E68912DBEDCB8F5DB)
      • netsh.exe (PID: 5972 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 4668 cmdline: netsh firewall delete allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 5900 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5352 cmdline: schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\user\AppData\Local\Temp/StUpdate.exe MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 2000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • StUpdate.exe (PID: 5548 cmdline: C:\Users\user\AppData\Local\Temp/StUpdate.exe MD5: 2545B47E98FFB00E68912DBEDCB8F5DB)
  • StUpdate.exe (PID: 5960 cmdline: C:\Users\user\AppData\Local\Temp/StUpdate.exe MD5: 2545B47E98FFB00E68912DBEDCB8F5DB)
  • Explore.exe (PID: 1848 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe" MD5: 2545B47E98FFB00E68912DBEDCB8F5DB)
  • Microsoft Corporation.exe (PID: 744 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe" MD5: 2545B47E98FFB00E68912DBEDCB8F5DB)
  • StUpdate.exe (PID: 5540 cmdline: C:\Users\user\AppData\Local\Temp/StUpdate.exe MD5: 2545B47E98FFB00E68912DBEDCB8F5DB)
  • StUpdate.exe (PID: 5780 cmdline: C:\Users\user\AppData\Local\Temp/StUpdate.exe MD5: 2545B47E98FFB00E68912DBEDCB8F5DB)
  • StUpdate.exe (PID: 4332 cmdline: C:\Users\user\AppData\Local\Temp/StUpdate.exe MD5: 2545B47E98FFB00E68912DBEDCB8F5DB)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
Malware configuration: {"Campaign ID": "SQWICK", "Version": "0.7d", "Install Name": "32cf646479fb52a6cecce80a3bf8d7de", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Source | Rule | Description | Author | Strings
nKHN8rvjmN.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
nKHN8rvjmN.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a25:$a2: SEE_MASK_NOZONECHECKS
  • 0x156c7:$a3: Download ERROR
  • 0x15c77:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c04:$a5: netsh firewall delete allowedprogram "
nKHN8rvjmN.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15c77:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x13790:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x156e5:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156c7:$s6: Download ERROR
  • 0x13752:$s8: Select * From AntiVirusProduct
nKHN8rvjmN.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a25:$reg: SEE_MASK_NOZONECHECKS
  • 0x156ab:$msg: Execute ERROR
  • 0x156ff:$msg: Execute ERROR
  • 0x15c77:$ping: cmd.exe /c ping 0 -n 2 & del
nKHN8rvjmN.exe | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x13c04:$s1: netsh firewall delete allowedprogram
  • 0x13c56:$s2: netsh firewall add allowedprogram
  • 0x15c77:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x156ab:$s4: Execute ERROR
  • 0x156ff:$s4: Execute ERROR
  • 0x156c7:$s5: Download ERROR
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\StUpdate.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Program Files (x86)\Explore.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Users\user\AppData\Local\Temp\StUpdate.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a25:$a2: SEE_MASK_NOZONECHECKS
  • 0x156c7:$a3: Download ERROR
  • 0x15c77:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c04:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explore.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a25:$a2: SEE_MASK_NOZONECHECKS
  • 0x156c7:$a3: Download ERROR
  • 0x15c77:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c04:$a5: netsh firewall delete allowedprogram "
Source | Rule | Description | Author | Strings
00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115f2:$a1: get_Registry
  • 0x15a45:$a2: SEE_MASK_NOZONECHECKS
  • 0x156e7:$a3: Download ERROR
  • 0x15c97:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c24:$a5: netsh firewall delete allowedprogram "
00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a45:$reg: SEE_MASK_NOZONECHECKS
  • 0x156cb:$msg: Execute ERROR
  • 0x1571f:$msg: Execute ERROR
  • 0x15c97:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x113d2:$a1: get_Registry
  • 0x15825:$a2: SEE_MASK_NOZONECHECKS
  • 0x154c7:$a3: Download ERROR
  • 0x15a77:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13a04:$a5: netsh firewall delete allowedprogram "
Source | Rule | Description | Author | Strings
0.0.nKHN8rvjmN.exe.a0000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0.0.nKHN8rvjmN.exe.a0000.0.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a25:$a2: SEE_MASK_NOZONECHECKS
  • 0x156c7:$a3: Download ERROR
  • 0x15c77:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c04:$a5: netsh firewall delete allowedprogram "
0.0.nKHN8rvjmN.exe.a0000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15c77:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x13790:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x156e5:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156c7:$s6: Download ERROR
  • 0x13752:$s8: Select * From AntiVirusProduct
0.0.nKHN8rvjmN.exe.a0000.0.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a25:$reg: SEE_MASK_NOZONECHECKS
  • 0x156ab:$msg: Execute ERROR
  • 0x156ff:$msg: Execute ERROR
  • 0x15c77:$ping: cmd.exe /c ping 0 -n 2 & del
0.0.nKHN8rvjmN.exe.a0000.0.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x13c04:$s1: netsh firewall delete allowedprogram
  • 0x13c56:$s2: netsh firewall add allowedprogram
  • 0x15c77:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x156ab:$s4: Execute ERROR
  • 0x156ff:$s4: Execute ERROR
  • 0x156c7:$s5: Download ERROR

System Summary

Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\server.exe, ProcessId: 6044, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\user\AppData\Local\Temp/StUpdate.exe, CommandLine: schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\user\AppData\Local\Temp/StUpdate.exe, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server.exe, ParentProcessId: 6044, ParentProcessName: server.exe, ProcessCommandLine: schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\user\AppData\Local\Temp/StUpdate.exe, ProcessId: 5352, ProcessName: schtasks.exe

AV Detection

Source: nKHN8rvjmN.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Explore.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\server.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack | Malware Configuration Extractor: Njrat {"Campaign ID": "SQWICK", "Version": "0.7d", "Install Name": "32cf646479fb52a6cecce80a3bf8d7de", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Source: C:\Program Files (x86)\Explore.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explore.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explore.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\server.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\Documents\Explore.exe | ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\Explore.exe | ReversingLabs: Detection: 86%
Source: nKHN8rvjmN.exe | ReversingLabs: Detection: 86%
Source: Yara match | File source: nKHN8rvjmN.exe, type: SAMPLE
Source: Yara match | File source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nKHN8rvjmN.exe PID: 3304, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: server.exe PID: 6044, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Explore.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED
                Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: C:\Users\user\AppData\Local\Temp\StUpdate.exeJoe Sandbox ML: detected
                Source: C:\Program Files (x86)\Explore.exeJoe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeJoe Sandbox ML: detected
                Source: C:\Users\user\AppData\Local\Temp\server.exeJoe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeJoe Sandbox ML: detected
                Source: nKHN8rvjmN.exeJoe Sandbox ML: detected
                Source: nKHN8rvjmN.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
                Source: nKHN8rvjmN.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Spreading

                Source: nKHN8rvjmN.exe, Usb1.cs.Net Code: infect
                Source: server.exe.0.dr, Usb1.cs.Net Code: infect
                Source: Explore.exe.2.dr, Usb1.cs.Net Code: infect
                Source: Explore.exe0.2.dr, Usb1.cs.Net Code: infect
                Source: StUpdate.exe.2.dr, Usb1.cs.Net Code: infect
                Source: Explore.exe1.2.dr, Usb1.cs.Net Code: infect
                Source: Microsoft Corporation.exe.2.dr, Usb1.cs.Net Code: infect
                Source: 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.dr, Usb1.cs.Net Code: infect
                Source: Explore.exe2.2.dr, Usb1.cs.Net Code: infect
                Source: Explore.exe3.2.dr, Usb1.cs.Net Code: infect
                Source: Explore.exe4.2.dr, Usb1.cs.Net Code: infect
                Source: nKHN8rvjmN.exe, 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \autorun.inf
                Source: nKHN8rvjmN.exe, 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: [autorun]
                Source: nKHN8rvjmN.exe, 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: autorun.inf
                Source: nKHN8rvjmN.exe, 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: \autorun.inf
                Source: nKHN8rvjmN.exe, 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: [autorun]
                Source: nKHN8rvjmN.exe, 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: autorun.inf
                Source: nKHN8rvjmN.exeBinary or memory string: \autorun.inf
                Source: nKHN8rvjmN.exeBinary or memory string: [autorun]
                Source: nKHN8rvjmN.exeBinary or memory string: autorun.inf
                Source: StUpdate.exe.2.drBinary or memory string: \autorun.inf
                Source: StUpdate.exe.2.drBinary or memory string: [autorun]
                Source: StUpdate.exe.2.drBinary or memory string: autorun.inf
                Source: Explore.exe1.2.drBinary or memory string: \autorun.inf
                Source: Explore.exe1.2.drBinary or memory string: [autorun]
                Source: Explore.exe1.2.drBinary or memory string: autorun.inf
                Source: Microsoft Corporation.exe.2.drBinary or memory string: \autorun.inf
                Source: Microsoft Corporation.exe.2.drBinary or memory string: [autorun]
                Source: Microsoft Corporation.exe.2.drBinary or memory string: autorun.inf
                Source: Explore.exe0.2.drBinary or memory string: \autorun.inf
                Source: Explore.exe0.2.drBinary or memory string: [autorun]
                Source: Explore.exe0.2.drBinary or memory string: autorun.inf
                Source: Explore.exe4.2.drBinary or memory string: \autorun.inf
                Source: Explore.exe4.2.drBinary or memory string: [autorun]
                Source: Explore.exe4.2.drBinary or memory string: autorun.inf
                Source: server.exe.0.drBinary or memory string: \autorun.inf
                Source: server.exe.0.drBinary or memory string: [autorun]
                Source: server.exe.0.drBinary or memory string: autorun.inf
                Source: Explore.exe2.2.drBinary or memory string: \autorun.inf
                Source: Explore.exe2.2.drBinary or memory string: [autorun]
                Source: Explore.exe2.2.drBinary or memory string: autorun.inf
                Source: Explore.exe.2.drBinary or memory string: \autorun.inf
                Source: Explore.exe.2.drBinary or memory string: [autorun]
                Source: Explore.exe.2.drBinary or memory string: autorun.inf
                Source: 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.drBinary or memory string: \autorun.inf
                Source: 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.drBinary or memory string: [autorun]
                Source: 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.drBinary or memory string: autorun.inf
                Source: Explore.exe3.2.drBinary or memory string: \autorun.inf
                Source: Explore.exe3.2.drBinary or memory string: [autorun]
                Source: Explore.exe3.2.drBinary or memory string: autorun.inf
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeFile opened: C:\Users\user\AppData\
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeFile opened: C:\Users\user\
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\

                Networking

                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49706 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49704 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49704 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49706 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49720 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49720 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49709 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49724 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49733 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49724 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49709 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49734 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49718 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49752 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49718 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49734 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49719 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49719 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49723 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49741 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49741 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49760 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49760 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49737 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49737 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49752 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49733 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49723 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49749 -> 3.127.181.115:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49749 -> 3.127.181.115:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49725 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49722 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49715 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49740 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49728 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49721 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49739 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49738 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49739 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49715 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49751 -> 3.127.181.115:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49726 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49751 -> 3.127.181.115:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49726 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49728 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49730 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49725 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49730 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49754 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49754 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49721 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49722 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49705 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49738 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49705 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49729 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:49721 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49729 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49731 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:49734 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49740 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49736 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49743 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49736 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49735 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49717 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49717 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49735 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49743 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49731 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49753 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49753 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49747 -> 3.127.181.115:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49747 -> 3.127.181.115:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49761 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49742 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49742 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49714 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49714 -> 3.67.161.133:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49748 -> 3.127.181.115:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49759 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49732 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49746 -> 3.127.181.115:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49746 -> 3.127.181.115:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49744 -> 3.127.181.115:14355
                Source: Network trafficSuricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:49746 -> 3.127.181.115:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49748 -> 3.127.181.115:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49745 -> 3.127.181.115:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49744 -> 3.127.181.115:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49761 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49758 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49759 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49758 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:49759 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49757 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49757 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49732 -> 18.158.58.205:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49745 -> 3.127.181.115:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49755 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49756 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49756 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49755 -> 3.64.4.198:14355
                Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.5:49750 -> 3.127.181.115:14355
                Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.5:49750 -> 3.127.181.115:14355
                Source: global trafficTCP traffic: 192.168.2.5:49704 -> 3.67.161.133:14355
                Source: global trafficTCP traffic: 192.168.2.5:49730 -> 18.158.58.205:14355
                Source: global trafficTCP traffic: 192.168.2.5:49744 -> 3.127.181.115:14355
                Source: global trafficTCP traffic: 192.168.2.5:49752 -> 3.64.4.198:14355
                Source: Joe Sandbox ViewIP Address: 18.158.58.205 18.158.58.205
                Source: Joe Sandbox ViewIP Address: 3.64.4.198 3.64.4.198
                Source: Joe Sandbox ViewIP Address: 3.127.181.115 3.127.181.115
                Source: Joe Sandbox ViewIP Address: 3.67.161.133 3.67.161.133
                Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficDNS traffic detected: DNS query: 5.tcp.eu.ngrok.io
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeWindow created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\AppData\Local\Temp\server.exeWindow created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeWindow created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeWindow created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeWindow created: window name: CLIPBRDWNDCLASS

                E-Banking Fraud

                Source: Yara matchFile source: nKHN8rvjmN.exe, type: SAMPLE
                Source: Yara matchFile source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: nKHN8rvjmN.exe PID: 3304, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: server.exe PID: 6044, type: MEMORYSTR
                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED
                Source: Yara matchFile source: C:\Program Files (x86)\Explore.exe, type: DROPPED
                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED
                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED

                System Summary

                Source: nKHN8rvjmN.exe, type: SAMPLEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                Source: nKHN8rvjmN.exe, type: SAMPLE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                Source: nKHN8rvjmN.exe, type: SAMPLE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
                Source: nKHN8rvjmN.exe, type: SAMPLE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Njrat_30f3c220; Author: unknown
                Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
                Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Njrat_30f3c220; Author: unknown
                Source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Njrat_30f3c220; Author: unknown
                Source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
                Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED; Matched rule: Windows_Trojan_Njrat_30f3c220; Author: unknown
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: Windows_Trojan_Njrat_30f3c220; Author: unknown
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: Windows_Trojan_Njrat_30f3c220; Author: unknown
                Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
                Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: Windows_Trojan_Njrat_30f3c220; Author: unknown
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED; Matched rule: Windows_Trojan_Njrat_30f3c220; Author: unknown
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: Windows_Trojan_Njrat_30f3c220; Author: unknown
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: Detects malware from disclosed CN malware set; Author: Florian Roth
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Process Stats: CPU usage > 49%
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Code function: 2_2_0155BDCA NtQuerySystemInformation
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Code function: 2_2_0155BD99 NtQuerySystemInformation
                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Windows\SysWOW64\Explore.exe
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_04874298
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_04875000
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_0487470F
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_04874C8F
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_04874291
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_04874F9D
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_0487499D
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_04874F2F
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_04874936
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_04874630
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_04874544
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_048747D4
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_0487505D
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_04874B5B
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_04875459
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_048750E3
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_0487536F
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_048744F1
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Code function: 0_2_048749F9
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Code function: 2_2_05727900
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Code function: 2_2_057274C7
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Code function: 2_2_05724290
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Code function: 2_2_0572427F
                Source: nKHN8rvjmN.exe, 00000000.00000002.2029601766.00000000007CE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamemscorwks.dllT vs nKHN8rvjmN.exe
                Source: nKHN8rvjmN.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: nKHN8rvjmN.exe, type: SAMPLE; Matched rule: Windows_Trojan_Njrat_30f3c220; reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                Source: nKHN8rvjmN.exe, type: SAMPLE; Matched rule: CN_disclosed_20180208_c; date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: nKHN8rvjmN.exe, type: SAMPLE; Matched rule: Njrat; hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
                Source: nKHN8rvjmN.exe, type: SAMPLE; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Njrat_30f3c220; reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE; Matched rule: CN_disclosed_20180208_c; date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE; Matched rule: Njrat; hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
                Source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Njrat_30f3c220; reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                Source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Njrat; hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
                Source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Njrat_30f3c220; reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                Source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Njrat; hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
                Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED; Matched rule: Windows_Trojan_Njrat_30f3c220; reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: Windows_Trojan_Njrat_30f3c220; reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: Windows_Trojan_Njrat_30f3c220; reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED; Matched rule: CN_disclosed_20180208_c; date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: CN_disclosed_20180208_c; date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: CN_disclosed_20180208_c; date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED; Matched rule: Njrat; hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
                Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: Njrat; hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Program Files (x86)\Explore.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: Windows_Trojan_Njrat_30f3c220; reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: CN_disclosed_20180208_c; date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: Njrat; hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED; Matched rule: Windows_Trojan_Njrat_30f3c220; reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED; Matched rule: CN_disclosed_20180208_c; date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED; Matched rule: Njrat; hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: Windows_Trojan_Njrat_30f3c220; reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: CN_disclosed_20180208_c; date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: Njrat; hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED; Matched rule: MALWARE_Win_NjRAT; author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: classification engine; Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@24/18@4/4
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Code function: 2_2_0155BC4E AdjustTokenPrivileges
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Code function: 2_2_0155BC17 AdjustTokenPrivileges
                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Program Files (x86)\Explore.exe
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; File created: C:\Users\user\AppData\Roaming\app
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
                Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:652:120:WilError_03
                Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2000:120:WilError_03
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Mutant created: \Sessions\1\BaseNamedObjects\32cf646479fb52a6cecce80a3bf8d7de
                Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_03
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt
                Source: nKHN8rvjmN.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: nKHN8rvjmN.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: nKHN8rvjmN.exe; ReversingLabs: Detection: 86%
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; File read: C:\Users\user\Desktop\nKHN8rvjmN.exe
Source: unknown | Process created: C:\Users\user\Desktop\nKHN8rvjmN.exe "C:\Users\user\Desktop\nKHN8rvjmN.exe"
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"
Source: C:\Users\user\AppData\Local\Temp\server.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe"
Source: C:\Users\user\AppData\Local\Temp\server.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\user\AppData\Local\Temp/StUpdate.exe
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\StUpdate.exe C:\Users\user\AppData\Local\Temp/StUpdate.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\StUpdate.exe C:\Users\user\AppData\Local\Temp/StUpdate.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\StUpdate.exe C:\Users\user\AppData\Local\Temp/StUpdate.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\StUpdate.exe C:\Users\user\AppData\Local\Temp/StUpdate.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\StUpdate.exe C:\Users\user\AppData\Local\Temp/StUpdate.exe
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\nKHN8rvjmN.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\server.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeSection loaded: acgenral.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeSection loaded: msacm32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Section loaded: winmmbase.dll (2 identical entries)
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Section loaded: aclayers.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Section loaded: sfc.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Section loaded: sfc_os.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Section loaded: shfolder.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Section loaded: shfolder.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Section loaded: shfolder.dll
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
                Source: Window Recorder; Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                Source: nKHN8rvjmN.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
                Source: nKHN8rvjmN.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                Source: nKHN8rvjmN.exe, Fransesco.cs; .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
                Source: server.exe.0.dr, Fransesco.cs; .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
                Source: Explore.exe.2.dr, Fransesco.cs; .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
                Source: Explore.exe0.2.dr, Fransesco.cs; .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
                Source: StUpdate.exe.2.dr, Fransesco.cs; .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
                Source: Explore.exe1.2.dr, Fransesco.cs; .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
                Source: Microsoft Corporation.exe.2.dr, Fransesco.cs; .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
                Source: 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.dr, Fransesco.cs; .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
                Source: Explore.exe2.2.dr, Fransesco.cs; .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
                Source: Explore.exe3.2.dr, Fransesco.cs; .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
                Source: Explore.exe4.2.dr, Fransesco.cs; .Net Code: Plugin System.Reflection.Assembly.Load(byte[])

                Persistence and Installation Behavior

                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Users\user\Documents\Explore.exe (2 identical entries)
                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Windows\SysWOW64\Explore.exe (2 identical entries)
                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe
                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe
                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Users\user\AppData\Local\Temp\StUpdate.exe
                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explore.exe
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; File created: C:\Users\user\AppData\Local\Temp\server.exe
                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Program Files (x86)\Explore.exe (2 identical entries)
                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explore.exe

                Boot Survival

                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe
                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe
                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\user\AppData\Local\Temp/StUpdate.exe
                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe (2 identical entries)
                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe
                Source: C:\Users\user\AppData\Local\Temp\server.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Memory allocated: A60000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Memory allocated: 2710000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Memory allocated: A60000 memory commit | memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 17C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 3520000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 5520000 memory commit | memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 66E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 76E0000 memory commit | memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 7A10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 8A10000 memory commit | memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 7A10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 8E60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 9E60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 9E60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: AF60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: BF60000 memory commit | memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: C400000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: D400000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: E400000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: C400000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: F580000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 10580000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 9BA0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: AF60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: E400000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 11580000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 12580000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 13580000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 14580000 memory commit | memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 14EC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 15EC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 16EC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 17EC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 18EC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 19EC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 1AEC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 1BEC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 1CEC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 1DEC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 1EEC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 1FEC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 20EC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 21EC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 22EC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 23EC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 24EC0000 memory commit | memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 26140000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 27140000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 28140000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 29140000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 2A140000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 2B140000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 13980000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 14980000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 15980000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 16980000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: FD80000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 10D80000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 11D80000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 17980000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 18980000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 19980000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 2C140000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 2D140000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 2E140000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Memory allocated: 2F140000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Memory allocated: 1510000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Memory allocated: 3240000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Memory allocated: 2C20000 memory commit | memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Memory allocated: 14A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Memory allocated: 3190000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Memory allocated: 14A0000 memory commit | memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Memory allocated: 1700000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Memory allocated: 3470000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Memory allocated: 5470000 memory commit | memory reserve | memory write watch
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Window / User API: threadDelayed 2289
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Window / User API: threadDelayed 1884
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Window / User API: foregroundWindowGot 388
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Window / User API: foregroundWindowGot 404
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe TID: 5956; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 6420; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3556; Thread sleep time: -1144500s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\server.exe TID: 3556; Thread sleep time: -942000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe TID: 7116; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe TID: 6556; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe TID: 5560; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe TID: 2136; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; File opened: C:\Users\user\AppData\
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; File opened: C:\Users\user\
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                Source: server.exe, 00000002.00000002.4452062075.000000000163B000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000003.00000003.2046412720.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000006.00000003.2093561425.0000000000E31000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: netsh.exe, 00000005.00000003.2084636306.0000000003741000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Process information queried: ProcessInformation
                Source: C:\Users\user\AppData\Local\Temp\server.exe; Process token adjusted: Debug
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\nKHN8rvjmN.exe; Process created: C:\Users\user\AppData\Local\Temp\server.exe "C:\Users\user\AppData\Local\Temp\server.exe"
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 15:18:50 - Program Manager
                Source: nKHN8rvjmN.exe, 00000000.00000002.2030389992.0000000002743000.00000004.00000800.00020000.00000000.sdmp, nKHN8rvjmN.exe, 00000000.00000002.2030389992.000000000274A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:21:53 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:37 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/04 | 04:58:15 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:24 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:23:56 - Program Manager
                Source: nKHN8rvjmN.exe, 00000000.00000002.2030389992.0000000002743000.00000004.00000800.00020000.00000000.sdmp, nKHN8rvjmN.exe, 00000000.00000002.2030389992.000000000274A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager\Ol
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/04 | 01:05:29 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:23:08 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:23:15 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:40 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:29 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:23 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 14:05:49 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:30 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:20 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:21:57 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:24:16 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:23:22 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:23:04 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/03 | 21:37:25 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:51 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:41 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 14:00:28 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:31 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:49:46 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:21:56 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:23:53 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:23:03 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/04 | 00:47:57 - Program Manager
                Source: nKHN8rvjmN.exe, 00000000.00000002.2030970856.0000000004ACB000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: "dProgram Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/04 | 04:51:07 - Program Manager
                Source: nKHN8rvjmN.exe, 00000000.00000002.2030389992.0000000002743000.00000004.00000800.00020000.00000000.sdmp, nKHN8rvjmN.exe, 00000000.00000002.2030389992.000000000274A000.00000004.00000800.00020000.00000000.sdmp, nKHN8rvjmN.exe, 00000000.00000002.2030970856.0000000004ACB000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:23:46 - Program Manager
                Source: nKHN8rvjmN.exe, StUpdate.exe.2.dr, Explore.exe1.2.dr, Microsoft Corporation.exe.2.dr, Explore.exe0.2.dr, Explore.exe4.2.dr, server.exe.0.dr, Explore.exe2.2.dr, Explore.exe.2.dr, 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.dr, Explore.exe3.2.dr; Binary or memory string: ProgMan
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:34 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 14:57:34 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 14:08:17 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:19 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:06 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:42:41 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/04 | 06:39:16 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:23:21 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 16:32:19 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 16:38:25 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:39 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:46 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 14:00:13 - Program Manager
                Source: nKHN8rvjmN.exe, StUpdate.exe.2.dr, Explore.exe1.2.dr, Microsoft Corporation.exe.2.dr, Explore.exe0.2.dr, Explore.exe4.2.dr, server.exe.0.dr, Explore.exe2.2.dr, Explore.exe.2.dr, 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.dr, Explore.exe3.2.dr; Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:24:51 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 16:55:44 - Program Manager
                Source: Microsoft Corporation.exe, 00000013.00000002.2371091247.00000000058BB000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: dProgram Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 14:22:38 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:24:09 - Program Manager
                Source: nKHN8rvjmN.exe, 00000000.00000002.2030389992.000000000274A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:21:54 - Program Manager
                Source: nKHN8rvjmN.exe, StUpdate.exe.2.dr, Explore.exe1.2.dr, Microsoft Corporation.exe.2.dr, Explore.exe0.2.dr, Explore.exe4.2.dr, server.exe.0.dr, Explore.exe2.2.dr, Explore.exe.2.dr, 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.dr, Explore.exe3.2.dr; Binary or memory string: Shell_TrayWnd
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:15 - Program Manager
                Source: nKHN8rvjmN.exe, 00000000.00000002.2030389992.0000000002743000.00000004.00000800.00020000.00000000.sdmp, nKHN8rvjmN.exe, 00000000.00000002.2030389992.000000000274A000.00000004.00000800.00020000.00000000.sdmp, nKHN8rvjmN.exe, 00000000.00000002.2030389992.0000000002711000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -ledProgram Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:24:21 - Program Manager
                Source: nKHN8rvjmN.exe, 00000000.00000002.2030389992.0000000002743000.00000004.00000800.00020000.00000000.sdmp, nKHN8rvjmN.exe, 00000000.00000002.2030389992.000000000274A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:21:52 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:35 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:22:25 - Program Manager
                Source: server.exe, 00000002.00000002.4452062075.000000000163B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Rh Program Manager$
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:24:02 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 14:13:29 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 16:09:07 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:23:16 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/04 | 07:06:19 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:24:28 - Program Manager
                Source: server.exe, 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 24/10/01 | 13:27:41 - Program Manager
                Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\server.exeCode function: 2_2_0155A72E GetUserNameW,2_2_0155A72E
                Source: C:\Users\user\AppData\Local\Temp\server.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: nKHN8rvjmN.exe, Fransesco.cs; .Net Code: INS
Source: server.exe.0.dr, Fransesco.cs; .Net Code: INS
Source: Explore.exe.2.dr, Fransesco.cs; .Net Code: INS
Source: Explore.exe0.2.dr, Fransesco.cs; .Net Code: INS
Source: StUpdate.exe.2.dr, Fransesco.cs; .Net Code: INS
Source: Explore.exe1.2.dr, Fransesco.cs; .Net Code: INS
Source: Microsoft Corporation.exe.2.dr, Fransesco.cs; .Net Code: INS
Source: 32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe.2.dr, Fransesco.cs; .Net Code: INS
Source: Explore.exe2.2.dr, Fransesco.cs; .Net Code: INS
Source: Explore.exe3.2.dr, Fransesco.cs; .Net Code: INS
Source: Explore.exe4.2.dr, Fransesco.cs; .Net Code: INS
Source: C:\Users\user\AppData\Local\Temp\server.exe; Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
Source: C:\Users\user\AppData\Local\Temp\server.exe; Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: C:\Users\user\AppData\Local\Temp\server.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Source: C:\Users\user\AppData\Local\Temp\server.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Stealing of Sensitive Information

Source: Yara match; File source: nKHN8rvjmN.exe, type: SAMPLE
Source: Yara match; File source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: nKHN8rvjmN.exe PID: 3304, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: server.exe PID: 6044, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Explore.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED

Remote Access Functionality

Source: Yara match; File source: nKHN8rvjmN.exe, type: SAMPLE
Source: Yara match; File source: 0.0.nKHN8rvjmN.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: nKHN8rvjmN.exe PID: 3304, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: server.exe PID: 6044, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Explore.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\server.exe, type: DROPPED
MITRE ATT&CK Matrix (a number before a technique name is the count of matching signatures for this sample)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 11 Replication Through Removable Media | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Access Token Manipulation | 32 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 12 Registry Run Keys / Startup Folder | 12 Process Injection | 51 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Clipboard Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 12 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 DLL Side-Loading | 12 Process Injection | LSA Secrets | 1 Peripheral Device Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 1 Account Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 2 File and Directory Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 12 System Information Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1523562; Sample: nKHN8rvjmN.exe; Start date: 01/10/2024; Architecture: WINDOWS; Score: 100

Start node
• DNS/IP: 5.tcp.eu.ngrok.io
• Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
• Started processes: nKHN8rvjmN.exe; StUpdate.exe; Explore.exe; 7 other processes

nKHN8rvjmN.exe
• Dropped files: C:\Users\user\AppData\Local\Temp\server.exe (PE32); C:\Users\user\AppData\...\nKHN8rvjmN.exe.log (ASCII)
• Started process: server.exe

StUpdate.exe
• Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

server.exe
• DNS/IP: 18.158.58.205, ports 14355, 49730, 49731, AMAZON-02US, United States; 3.127.181.115, ports 14355, 49744, 49745, AMAZON-02US, United States; 2 other IPs or domains
• Dropped files: C:\Windows\SysWOW64\Explore.exe (PE32); C:\Users\user\Documents\Explore.exe (PE32); C:\Users\user\...\Microsoft Corporation.exe (PE32); 6 other malicious files
• Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops PE files to the document folder of the user; 7 other signatures
• Started processes: netsh.exe (three instances); schtasks.exe

netsh.exe (each of the three instances) and schtasks.exe
• Started process: conhost.exe

Antivirus detection for the submitted sample

Source | Detection | Scanner | Label
nKHN8rvjmN.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
nKHN8rvjmN.exe | 100% | Avira | TR/Dropper.Gen
nKHN8rvjmN.exe | 100% | Joe Sandbox ML |

Antivirus detection for dropped files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\StUpdate.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\Explore.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\Explore.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\Explore.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\server.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\Explore.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\Explore.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\Explore.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\StUpdate.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Explore.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Explore.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Explore.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\server.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Explore.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Explore.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Explore.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Explore.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\History\Explore.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explore.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Temp\StUpdate.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Local\Temp\server.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\Documents\Explore.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Windows\SysWOW64\Explore.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT

No Antivirus matches
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
5.tcp.eu.ngrok.io | 3.67.161.133 | true | true | unknown |

IPs

IP | Domain | Country | ASN | ASN Name | Malicious
18.158.58.205 | unknown | United States | 16509 | AMAZON-02US | true
3.64.4.198 | unknown | United States | 16509 | AMAZON-02US | true
3.127.181.115 | unknown | United States | 16509 | AMAZON-02US | true
3.67.161.133 | 5.tcp.eu.ngrok.io | United States | 16509 | AMAZON-02US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1523562
Start date and time: 2024-10-01 19:21:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: nKHN8rvjmN.exe (renamed because the original name is a hash value)
Original Sample Name: 2545b47e98ffb00e68912dbedcb8f5db.exe
Detection: MAL
Classification: mal100.spre.phis.troj.adwa.evad.winEXE@24/18@4/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 257
• Number of non-executed functions: 19
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: nKHN8rvjmN.exe
Time | Type | Description
13:22:36 | API Interceptor | 105410x Sleep call for process: server.exe modified
19:21:57 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe
19:21:59 | Task Scheduler | Run new task: StUpdate path: C:\Users\user\AppData\Local\Temp/StUpdate.exe
19:22:06 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe
19:22:17 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
IP context (other samples seen contacting the same IPs)

Match | Associated Sample Name / URL | Detection | Threat Name
18.158.58.205 | Injector.exe | malicious | ZTrat
18.158.58.205 | s4gr7c1k4r.exe | malicious | Njrat
18.158.58.205 | RHen9DNEy6.exe | malicious | Njrat
18.158.58.205 | MSRSAAP.EXE.exe | malicious | DarkComet
18.158.58.205 | D828CZjRLi.exe | malicious | Nanocore
18.158.58.205 | sg4Mw15RpV.exe | malicious | Njrat
18.158.58.205 | m_zcxd.exe | malicious | Njrat
18.158.58.205 | 8A184A4C0C3FBB38A42095F653EA1063A07F75D3DE1A1.exe | malicious | Njrat
18.158.58.205 | EVoLxNbDkh.exe | malicious | Njrat
18.158.58.205 | s8FO8OkNPk.exe | malicious | Njrat
3.64.4.198 | dg7zkyyiEZ.exe | malicious | Njrat
3.64.4.198 | kWDK4Wvmt6.exe | malicious | Njrat
3.64.4.198 | s4gr7c1k4r.exe | malicious | Njrat
3.64.4.198 | RHen9DNEy6.exe | malicious | Njrat
3.64.4.198 | MSRSAAP.EXE.exe | malicious | DarkComet
3.64.4.198 | qTBtkrv95Q.exe | malicious | Njrat
3.64.4.198 | D828CZjRLi.exe | malicious | Nanocore
3.64.4.198 | QRFMuwplbn.exe | malicious | Njrat
3.64.4.198 | 1E1A475D7B9C949BFB9CB6C7CC90EC13C18057FD6BD0C.exe | malicious | Njrat
3.64.4.198 | m_zcxd.exe | malicious | Njrat
3.127.181.115 | dg7zkyyiEZ.exe | malicious | Njrat
3.127.181.115 | kWDK4Wvmt6.exe | malicious | Njrat
3.127.181.115 | wLFRqIw3cY.exe | malicious | Njrat
3.127.181.115 | RXDIFP5OXK.exe | malicious | Njrat
3.127.181.115 | RHen9DNEy6.exe | malicious | Njrat
3.127.181.115 | D828CZjRLi.exe | malicious | Nanocore
3.127.181.115 | sg4Mw15RpV.exe | malicious | Njrat
3.127.181.115 | KsrDBL027L.exe | malicious | Njrat
3.127.181.115 | sam.exe | malicious | Njrat, RevengeRAT
3.127.181.115 | P1qURiDOE1.exe | malicious | Njrat
3.67.161.133 | dg7zkyyiEZ.exe | malicious | Njrat
3.67.161.133 | kWDK4Wvmt6.exe | malicious | Njrat
3.67.161.133 | xuPFIoUdut.exe | malicious | Njrat
3.67.161.133 | s4gr7c1k4r.exe | malicious | Njrat
3.67.161.133 | qTBtkrv95Q.exe | malicious | Njrat
3.67.161.133 | D828CZjRLi.exe | malicious | Nanocore
3.67.161.133 | QRFMuwplbn.exe | malicious | Njrat
3.67.161.133 | 1E1A475D7B9C949BFB9CB6C7CC90EC13C18057FD6BD0C.exe | malicious | Njrat
3.67.161.133 | sg4Mw15RpV.exe | malicious | Njrat
3.67.161.133 | EVoLxNbDkh.exe | malicious | Njrat
Domain context (other samples seen resolving the same domain, with the IP it resolved to at the time)

Match | Associated Sample Name / URL | Detection | Threat Name | Context
5.tcp.eu.ngrok.io | dg7zkyyiEZ.exe | malicious | Njrat | 3.64.4.198
5.tcp.eu.ngrok.io | Injector.exe | malicious | ZTrat | 18.158.58.205
5.tcp.eu.ngrok.io | Minecraft.exe | malicious | Unknown | 3.67.112.102
5.tcp.eu.ngrok.io | kWDK4Wvmt6.exe | malicious | Njrat | 3.67.161.133
5.tcp.eu.ngrok.io | wLFRqIw3cY.exe | malicious | Njrat | 3.127.181.115
5.tcp.eu.ngrok.io | RXDIFP5OXK.exe | malicious | Njrat | 3.67.62.142
5.tcp.eu.ngrok.io | xuPFIoUdut.exe | malicious | Njrat | 3.67.161.133
5.tcp.eu.ngrok.io | s4gr7c1k4r.exe | malicious | Njrat | 3.67.62.142
5.tcp.eu.ngrok.io | RHen9DNEy6.exe | malicious | Njrat | 3.64.4.198
5.tcp.eu.ngrok.io | MSRSAAP.EXE.exe | malicious | DarkComet | 18.158.58.205
ASN context (other samples seen contacting the same ASN, with the IP contacted)

Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | moba-24.2-installer_M64ZB-1.exe | malicious | PureLog Stealer | 52.30.160.207
AMAZON-02US | Audio_Msg..00299229202324Transcript.html | malicious | Unknown | 3.71.149.231
AMAZON-02US | moba-24.2-installer_M64ZB-1.exe | malicious | PureLog Stealer | 52.213.197.159
AMAZON-02US | https://wetransfer.com/downloads/fc718a7028ccd1e273879a61c0883fe420241001145250/8110e2eb5f5a56cc2015d1b3243d9b3120241001145309/33d289?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid | malicious | HTMLPhisher | 18.245.46.109
AMAZON-02US | https://www.dropbox.com/l/scl/AADL_v5DzsoHwkyegIhk6J0bQm3A7UWklCA | malicious | Unknown | 52.28.39.231
AMAZON-02US | https://k7qo.sarnerholz.cam/APRjVfmk | malicious | Unknown | 18.195.235.189
AMAZON-02US | https://pt9w4x.nauleacepr.com/9QLzRhIr/#Ygovernment.relations@rolls-royce.com | malicious | HTMLPhisher | 18.245.86.73
AMAZON-02US | https://vwkugoia0yciq0buttompanj2.ntvultra.com/viciorhthvgh/forhwural/coupletri/QdhahVchT/yEjbKM/anNhbGFzQGhvbGxhbmRjby5jb20= | malicious | HTMLPhisher | 13.33.187.96
AMAZON-02US | document.exe | malicious | FormBook | 13.248.252.114
AMAZON-02US | https://links.rasa.io/v1/t/eJx1kM2OgjAUhV_FsB6kpUXQ1bzAuJp9c2mvTI1Q0tvGEMO7DzCKC51t73d-em5J9JfksEl-QujpkGXR19A13sUet9q1W4iZJko-NkmLAQwEmOhbQi56jbPwiFe6YAjoXyBswS7mBiwN2nVXGCSTn838PrvPCg8EqkUiaFCFoV9Na2_x9I0Uvv6OK0yxPqMO6tlhsmpjZ8OgppCTbaKHYF33IFflk7Nm1u3LUgDjp5QXRqZ1qU0KOYNUij0T1U7ntaxeOhJ2Rk1_XJJzlsuUs5TxlfOonTf3BF5UohBl9aZCj56mjv9wjzQfV0TIXck5E_I9RBTxjh5dt8wFtQrTgMr18xzrZRzHX-Cephc=#a2FyZW4ubW9vbmV5QGJhbGxhcmRkZXNpZ25zLm5ldA== | malicious | HTMLPhisher | 3.5.130.130
                                                                                                  • 3.5.130.130
                                                                                                  AMAZON-02USmoba-24.2-installer_M64ZB-1.exeGet hashmaliciousPureLog StealerBrowse
                                                                                                  • 52.30.160.207
                                                                                                  Audio_Msg..00299229202324Transcript.htmlGet hashmaliciousUnknownBrowse
                                                                                                  • 3.71.149.231
                                                                                                  moba-24.2-installer_M64ZB-1.exeGet hashmaliciousPureLog StealerBrowse
                                                                                                  • 52.213.197.159
                                                                                                  https://wetransfer.com/downloads/fc718a7028ccd1e273879a61c0883fe420241001145250/8110e2eb5f5a56cc2015d1b3243d9b3120241001145309/33d289?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgridGet hashmaliciousHTMLPhisherBrowse
                                                                                                  • 18.245.46.109
                                                                                                  https://www.dropbox.com/l/scl/AADL_v5DzsoHwkyegIhk6J0bQm3A7UWklCAGet hashmaliciousUnknownBrowse
                                                                                                  • 52.28.39.231
                                                                                                  https://k7qo.sarnerholz.cam/APRjVfmkGet hashmaliciousUnknownBrowse
                                                                                                  • 18.195.235.189
                                                                                                  https://pt9w4x.nauleacepr.com/9QLzRhIr/#Ygovernment.relations@rolls-royce.comGet hashmaliciousHTMLPhisherBrowse
                                                                                                  • 18.245.86.73
                                                                                                  https://vwkugoia0yciq0buttompanj2.ntvultra.com/viciorhthvgh/forhwural/coupletri/QdhahVchT/yEjbKM/anNhbGFzQGhvbGxhbmRjby5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                                                  • 13.33.187.96
                                                                                                  document.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 13.248.252.114
                                                                                                  https://links.rasa.io/v1/t/eJx1kM2OgjAUhV_FsB6kpUXQ1bzAuJp9c2mvTI1Q0tvGEMO7DzCKC51t73d-em5J9JfksEl-QujpkGXR19A13sUet9q1W4iZJko-NkmLAQwEmOhbQi56jbPwiFe6YAjoXyBswS7mBiwN2nVXGCSTn838PrvPCg8EqkUiaFCFoV9Na2_x9I0Uvv6OK0yxPqMO6tlhsmpjZ8OgppCTbaKHYF33IFflk7Nm1u3LUgDjp5QXRqZ1qU0KOYNUij0T1U7ntaxeOhJ2Rk1_XJJzlsuUs5TxlfOonTf3BF5UohBl9aZCj56mjv9wjzQfV0TIXck5E_I9RBTxjh5dt8wFtQrTgMr18xzrZRzHX-Cephc=#a2FyZW4ubW9vbmV5QGJhbGxhcmRkZXNpZ25zLm5ldA==Get hashmaliciousHTMLPhisherBrowse
                                                                                                  • 3.5.130.130
                                                                                                  AMAZON-02USmoba-24.2-installer_M64ZB-1.exeGet hashmaliciousPureLog StealerBrowse
                                                                                                  • 52.30.160.207
                                                                                                  Audio_Msg..00299229202324Transcript.htmlGet hashmaliciousUnknownBrowse
                                                                                                  • 3.71.149.231
                                                                                                  moba-24.2-installer_M64ZB-1.exeGet hashmaliciousPureLog StealerBrowse
                                                                                                  • 52.213.197.159
                                                                                                  https://wetransfer.com/downloads/fc718a7028ccd1e273879a61c0883fe420241001145250/8110e2eb5f5a56cc2015d1b3243d9b3120241001145309/33d289?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgridGet hashmaliciousHTMLPhisherBrowse
                                                                                                  • 18.245.46.109
                                                                                                  https://www.dropbox.com/l/scl/AADL_v5DzsoHwkyegIhk6J0bQm3A7UWklCAGet hashmaliciousUnknownBrowse
                                                                                                  • 52.28.39.231
                                                                                                  https://k7qo.sarnerholz.cam/APRjVfmkGet hashmaliciousUnknownBrowse
                                                                                                  • 18.195.235.189
                                                                                                  https://pt9w4x.nauleacepr.com/9QLzRhIr/#Ygovernment.relations@rolls-royce.comGet hashmaliciousHTMLPhisherBrowse
                                                                                                  • 18.245.86.73
                                                                                                  https://vwkugoia0yciq0buttompanj2.ntvultra.com/viciorhthvgh/forhwural/coupletri/QdhahVchT/yEjbKM/anNhbGFzQGhvbGxhbmRjby5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                                                  • 13.33.187.96
                                                                                                  document.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 13.248.252.114
                                                                                                  https://links.rasa.io/v1/t/eJx1kM2OgjAUhV_FsB6kpUXQ1bzAuJp9c2mvTI1Q0tvGEMO7DzCKC51t73d-em5J9JfksEl-QujpkGXR19A13sUet9q1W4iZJko-NkmLAQwEmOhbQi56jbPwiFe6YAjoXyBswS7mBiwN2nVXGCSTn838PrvPCg8EqkUiaFCFoV9Na2_x9I0Uvv6OK0yxPqMO6tlhsmpjZ8OgppCTbaKHYF33IFflk7Nm1u3LUgDjp5QXRqZ1qU0KOYNUij0T1U7ntaxeOhJ2Rk1_XJJzlsuUs5TxlfOonTf3BF5UohBl9aZCj56mjv9wjzQfV0TIXck5E_I9RBTxjh5dt8wFtQrTgMr18xzrZRzHX-Cephc=#a2FyZW4ubW9vbmV5QGJhbGxhcmRkZXNpZ25zLm5ldA==Get hashmaliciousHTMLPhisherBrowse
                                                                                                  • 3.5.130.130
                                                                                                  No context
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\server.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95232
                                                                                                  Entropy (8bit):5.560972006356616
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:jwfR8lZc+/2HK1j+fzdljEwzGi1dDaDlgS:jwfKc+/2HK1ozdSi1dMy
                                                                                                  MD5:2545B47E98FFB00E68912DBEDCB8F5DB
                                                                                                  SHA1:0612D0F4417EBB63E52AD1DA47DB3209E848332A
                                                                                                  SHA-256:18240BE396F8B7A2A28669DFB20F4FB311DAF0B1FD4C1D81DF26D7F8419444D4
                                                                                                  SHA-512:D480F7713618938A6239445C4E5CCDBDC1305FA3D45E958D7B4656CEE09E792AD5892E18C0C590F2AA9C2E904F00A271FBBB8DA5DB3D14846A9819BA5CBA7788
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Program Files (x86)\Explore.exe, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Program Files (x86)\Explore.exe, Author: unknown
                                                                                                  • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\Explore.exe, Author: Florian Roth
                                                                                                  • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Program Files (x86)\Explore.exe, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explore.exe, Author: ditekSHen
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  • Antivirus: ReversingLabs, Detection: 87%
                                                                                                  Reputation:low
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................W.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):525
                                                                                                  Entropy (8bit):5.259753436570609
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                                                                  MD5:260E01CC001F9C4643CA7A62F395D747
                                                                                                  SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                                                                  SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                                                                  SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                                                                  Malicious:false
                                                                                                  Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                                                                                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):525
                                                                                                  Entropy (8bit):5.259753436570609
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                                                                  MD5:260E01CC001F9C4643CA7A62F395D747
                                                                                                  SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                                                                  SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                                                                  SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                                                                  Malicious:false
                                                                                                  Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                                                                                  Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):525
                                                                                                  Entropy (8bit):5.259753436570609
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                                                                  MD5:260E01CC001F9C4643CA7A62F395D747
                                                                                                  SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                                                                  SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                                                                  SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                                                                  Malicious:false
                                                                                                  Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                                                                                  Process:C:\Users\user\Desktop\nKHN8rvjmN.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):525
                                                                                                  Entropy (8bit):5.259753436570609
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                                                                  MD5:260E01CC001F9C4643CA7A62F395D747
                                                                                                  SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                                                                  SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                                                                  SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                                                                  Malicious:true
                                                                                                  Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\server.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95232
                                                                                                  Entropy (8bit):5.560972006356616
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:jwfR8lZc+/2HK1j+fzdljEwzGi1dDaDlgS:jwfKc+/2HK1ozdSi1dMy
                                                                                                  MD5:2545B47E98FFB00E68912DBEDCB8F5DB
                                                                                                  SHA1:0612D0F4417EBB63E52AD1DA47DB3209E848332A
                                                                                                  SHA-256:18240BE396F8B7A2A28669DFB20F4FB311DAF0B1FD4C1D81DF26D7F8419444D4
                                                                                                  SHA-512:D480F7713618938A6239445C4E5CCDBDC1305FA3D45E958D7B4656CEE09E792AD5892E18C0C590F2AA9C2E904F00A271FBBB8DA5DB3D14846A9819BA5CBA7788
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 87%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................W.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.

Process:C:\Users\user\AppData\Local\Temp\server.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):95232
Entropy (8bit):5.560972006356616
Encrypted:false
SSDEEP:1536:jwfR8lZc+/2HK1j+fzdljEwzGi1dDaDlgS:jwfKc+/2HK1ozdSi1dMy
MD5:2545B47E98FFB00E68912DBEDCB8F5DB
SHA1:0612D0F4417EBB63E52AD1DA47DB3209E848332A
SHA-256:18240BE396F8B7A2A28669DFB20F4FB311DAF0B1FD4C1D81DF26D7F8419444D4
SHA-512:D480F7713618938A6239445C4E5CCDBDC1305FA3D45E958D7B4656CEE09E792AD5892E18C0C590F2AA9C2E904F00A271FBBB8DA5DB3D14846A9819BA5CBA7788
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 87%

Process:C:\Users\user\AppData\Local\Temp\server.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):95232
Entropy (8bit):5.560972006356616
Encrypted:false
SSDEEP:1536:jwfR8lZc+/2HK1j+fzdljEwzGi1dDaDlgS:jwfKc+/2HK1ozdSi1dMy
MD5:2545B47E98FFB00E68912DBEDCB8F5DB
SHA1:0612D0F4417EBB63E52AD1DA47DB3209E848332A
SHA-256:18240BE396F8B7A2A28669DFB20F4FB311DAF0B1FD4C1D81DF26D7F8419444D4
SHA-512:D480F7713618938A6239445C4E5CCDBDC1305FA3D45E958D7B4656CEE09E792AD5892E18C0C590F2AA9C2E904F00A271FBBB8DA5DB3D14846A9819BA5CBA7788
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, Author: unknown
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, Author: Florian Roth
• Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, Author: JPCERT/CC Incident Response Group
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 87%

Process:C:\Users\user\Desktop\nKHN8rvjmN.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):95232
Entropy (8bit):5.560972006356616
Encrypted:false
SSDEEP:1536:jwfR8lZc+/2HK1j+fzdljEwzGi1dDaDlgS:jwfKc+/2HK1ozdSi1dMy
MD5:2545B47E98FFB00E68912DBEDCB8F5DB
SHA1:0612D0F4417EBB63E52AD1DA47DB3209E848332A
SHA-256:18240BE396F8B7A2A28669DFB20F4FB311DAF0B1FD4C1D81DF26D7F8419444D4
SHA-512:D480F7713618938A6239445C4E5CCDBDC1305FA3D45E958D7B4656CEE09E792AD5892E18C0C590F2AA9C2E904F00A271FBBB8DA5DB3D14846A9819BA5CBA7788
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: unknown
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Florian Roth
• Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: JPCERT/CC Incident Response Group
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 87%

Process:C:\Users\user\AppData\Local\Temp\server.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):95232
Entropy (8bit):5.560972006356616
Encrypted:false
SSDEEP:1536:jwfR8lZc+/2HK1j+fzdljEwzGi1dDaDlgS:jwfKc+/2HK1ozdSi1dMy
MD5:2545B47E98FFB00E68912DBEDCB8F5DB
SHA1:0612D0F4417EBB63E52AD1DA47DB3209E848332A
SHA-256:18240BE396F8B7A2A28669DFB20F4FB311DAF0B1FD4C1D81DF26D7F8419444D4
SHA-512:D480F7713618938A6239445C4E5CCDBDC1305FA3D45E958D7B4656CEE09E792AD5892E18C0C590F2AA9C2E904F00A271FBBB8DA5DB3D14846A9819BA5CBA7788
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, Author: unknown
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, Author: Florian Roth
• Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, Author: JPCERT/CC Incident Response Group
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 87%

Process:C:\Users\user\AppData\Local\Temp\server.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):95232
Entropy (8bit):5.560972006356616
Encrypted:false
SSDEEP:1536:jwfR8lZc+/2HK1j+fzdljEwzGi1dDaDlgS:jwfKc+/2HK1ozdSi1dMy
MD5:2545B47E98FFB00E68912DBEDCB8F5DB
SHA1:0612D0F4417EBB63E52AD1DA47DB3209E848332A
SHA-256:18240BE396F8B7A2A28669DFB20F4FB311DAF0B1FD4C1D81DF26D7F8419444D4
SHA-512:D480F7713618938A6239445C4E5CCDBDC1305FA3D45E958D7B4656CEE09E792AD5892E18C0C590F2AA9C2E904F00A271FBBB8DA5DB3D14846A9819BA5CBA7788
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 87%

Process:C:\Users\user\AppData\Local\Temp\server.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):95232
Entropy (8bit):5.560972006356616
Encrypted:false
SSDEEP:1536:jwfR8lZc+/2HK1j+fzdljEwzGi1dDaDlgS:jwfKc+/2HK1ozdSi1dMy
MD5:2545B47E98FFB00E68912DBEDCB8F5DB
SHA1:0612D0F4417EBB63E52AD1DA47DB3209E848332A
SHA-256:18240BE396F8B7A2A28669DFB20F4FB311DAF0B1FD4C1D81DF26D7F8419444D4
SHA-512:D480F7713618938A6239445C4E5CCDBDC1305FA3D45E958D7B4656CEE09E792AD5892E18C0C590F2AA9C2E904F00A271FBBB8DA5DB3D14846A9819BA5CBA7788
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: unknown
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Florian Roth
• Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: JPCERT/CC Incident Response Group
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 87%

Process:C:\Users\user\Desktop\nKHN8rvjmN.exe
File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:dropped
Size (bytes):4
Entropy (8bit):2.0
Encrypted:false
SSDEEP:3:R:R
MD5:4D853D9C7197EE7FA81C6535B1F7D655
SHA1:EAC3D866E991967B385F3DD22DA25E410D8F7F49
SHA-256:5ABDB6175F820F0AC3D8647FBB1F7A0BCC91757A782A8A145570944CA6A00C96
SHA-512:DC5A09D8586EB9F591F6E00187817C19F693E9328A1B2E5838C61C0B234E9608EECC45BBF7F4A90912E9A456D0AB469ED2503BAFB4988B276CEC8D5F0B18FDA7
Malicious:false
Preview:.1

Process:C:\Users\user\AppData\Local\Temp\server.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):95232
Entropy (8bit):5.560972006356616
Encrypted:false
SSDEEP:1536:jwfR8lZc+/2HK1j+fzdljEwzGi1dDaDlgS:jwfKc+/2HK1ozdSi1dMy
MD5:2545B47E98FFB00E68912DBEDCB8F5DB
SHA1:0612D0F4417EBB63E52AD1DA47DB3209E848332A
SHA-256:18240BE396F8B7A2A28669DFB20F4FB311DAF0B1FD4C1D81DF26D7F8419444D4
SHA-512:D480F7713618938A6239445C4E5CCDBDC1305FA3D45E958D7B4656CEE09E792AD5892E18C0C590F2AA9C2E904F00A271FBBB8DA5DB3D14846A9819BA5CBA7788
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 87%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................W.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\server.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95232
                                                                                                  Entropy (8bit):5.560972006356616
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:jwfR8lZc+/2HK1j+fzdljEwzGi1dDaDlgS:jwfKc+/2HK1ozdSi1dMy
                                                                                                  MD5:2545B47E98FFB00E68912DBEDCB8F5DB
                                                                                                  SHA1:0612D0F4417EBB63E52AD1DA47DB3209E848332A
                                                                                                  SHA-256:18240BE396F8B7A2A28669DFB20F4FB311DAF0B1FD4C1D81DF26D7F8419444D4
                                                                                                  SHA-512:D480F7713618938A6239445C4E5CCDBDC1305FA3D45E958D7B4656CEE09E792AD5892E18C0C590F2AA9C2E904F00A271FBBB8DA5DB3D14846A9819BA5CBA7788
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 87%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................p............... ........@.. ....................................@.....................................W.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                                  Process:C:\Windows\SysWOW64\netsh.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):313
                                                                                                  Entropy (8bit):4.971939296804078
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                                                                                                  MD5:689E2126A85BF55121488295EE068FA1
                                                                                                  SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                                                                                                  SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                                                                                                  SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                                                                                                  Malicious:false
                                                                                                  Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Entropy (8bit):5.560972006356616
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                  File name:nKHN8rvjmN.exe
                                                                                                  File size:95'232 bytes
                                                                                                  MD5:2545b47e98ffb00e68912dbedcb8f5db
                                                                                                  SHA1:0612d0f4417ebb63e52ad1da47db3209e848332a
                                                                                                  SHA256:18240be396f8b7a2a28669dfb20f4fb311daf0b1fd4c1d81df26d7f8419444d4
                                                                                                  SHA512:d480f7713618938a6239445c4e5ccdbdc1305fa3d45e958d7b4656cee09e792ad5892e18c0c590f2aa9c2e904f00a271fbbb8da5db3d14846a9819ba5cba7788
                                                                                                  SSDEEP:1536:jwfR8lZc+/2HK1j+fzdljEwzGi1dDaDlgS:jwfKc+/2HK1ozdSi1dMy
                                                                                                  TLSH:2C93E74977E43424E5BF56F39971B2404F34B5871602E39E58F218AA1B33AC44F89FEA
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................p............... ........@.. ....................................@................................
                                                                                                  Icon Hash:00928e8e8686b000
                                                                                                  Entrypoint:0x418efe
                                                                                                  Entrypoint Section:.text
                                                                                                  Digitally signed:false
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                  Time Stamp:0x66F986F2 [Sun Sep 29 16:57:22 2024 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:
                                                                                                  OS Version Major:4
                                                                                                  OS Version Minor:0
                                                                                                  File Version Major:4
                                                                                                  File Version Minor:0
                                                                                                  Subsystem Version Major:4
                                                                                                  Subsystem Version Minor:0
                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                   Instruction
                                                                                                   jmp dword ptr [00402000h]
                                                                                                   add byte ptr [eax], al  (this instruction is repeated 97 times: it is the disassembly of the zero bytes that follow the .NET entry-point jump stub)
                                                                                                   Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                                   IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                                   IMAGE_DIRECTORY_ENTRY_IMPORT          0x18ea4          0x57          .text
                                                                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                                                                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                                   IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1a000          0xc           .reloc
                                                                                                   IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                                   IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                                   IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                                                   IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                                                                   Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
                                                                                                   .text   0x2000           0x16f04       0x17000   09879cd9a0a99d990b80cf57dd6222a6  False     0.36818529211956524  data       5.59271339646758     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                   .reloc  0x1a000          0xc           0x200     02466978873e232bef309f048b95192f  False     0.041015625          data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                                   DLL          Import
                                                                                                   mscoree.dll  _CorExeMain
                                                                                                   Timestamp                        SID      Signature                                                  Severity  Source IP    Source Port  Dest IP       Dest Port  Protocol
                                                                                                   2024-10-01T19:22:05.570773+0200  2033132  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)      1         192.168.2.5  49704        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:05.570773+0200  2021176  ET MALWARE Bladabindi/njRAT CnC Command (ll)               1         192.168.2.5  49704        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:07.961648+0200  2033132  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)      1         192.168.2.5  49705        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:07.961648+0200  2021176  ET MALWARE Bladabindi/njRAT CnC Command (ll)               1         192.168.2.5  49705        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:12.121634+0200  2033132  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)      1         192.168.2.5  49706        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:12.121634+0200  2021176  ET MALWARE Bladabindi/njRAT CnC Command (ll)               1         192.168.2.5  49706        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:15.113972+0200  2033132  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)      1         192.168.2.5  49709        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:15.113972+0200  2021176  ET MALWARE Bladabindi/njRAT CnC Command (ll)               1         192.168.2.5  49709        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:18.151614+0200  2033132  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)      1         192.168.2.5  49714        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:18.151614+0200  2021176  ET MALWARE Bladabindi/njRAT CnC Command (ll)               1         192.168.2.5  49714        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:21.403273+0200  2033132  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)      1         192.168.2.5  49715        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:21.403273+0200  2021176  ET MALWARE Bladabindi/njRAT CnC Command (ll)               1         192.168.2.5  49715        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:24.316827+0200  2033132  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)      1         192.168.2.5  49717        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:24.316827+0200  2021176  ET MALWARE Bladabindi/njRAT CnC Command (ll)               1         192.168.2.5  49717        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:28.374155+0200  2033132  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)      1         192.168.2.5  49718        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:28.374155+0200  2021176  ET MALWARE Bladabindi/njRAT CnC Command (ll)               1         192.168.2.5  49718        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:31.519603+0200  2033132  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)      1         192.168.2.5  49719        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:31.519603+0200  2021176  ET MALWARE Bladabindi/njRAT CnC Command (ll)               1         192.168.2.5  49719        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:34.832589+0200  2033132  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)      1         192.168.2.5  49720        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:34.832589+0200  2021176  ET MALWARE Bladabindi/njRAT CnC Command (ll)               1         192.168.2.5  49720        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:38.113336+0200  2033132  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)      1         192.168.2.5  49721        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:38.113336+0200  2021176  ET MALWARE Bladabindi/njRAT CnC Command (ll)               1         192.168.2.5  49721        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:38.471730+0200  2825564  ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)  1         192.168.2.5  49721        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:38.810544+0200  2825564  ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)  1         192.168.2.5  49721        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:42.179629+0200  2033132  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)      1         192.168.2.5  49722        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:42.179629+0200  2021176  ET MALWARE Bladabindi/njRAT CnC Command (ll)               1         192.168.2.5  49722        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:45.622433+0200  2033132  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)      1         192.168.2.5  49723        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:45.622433+0200  2021176  ET MALWARE Bladabindi/njRAT CnC Command (ll)               1         192.168.2.5  49723        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:48.662189+0200  2033132  ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)      1         192.168.2.5  49724        3.67.161.133  14355      TCP
                                                                                                   2024-10-01T19:22:48.662189+0200  2021176  ET MALWARE Bladabindi/njRAT CnC Command (ll)               1         192.168.2.5  49724        3.67.161.133  14355      TCP
                                                                                                  2024-10-01T19:22:51.511706+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497253.67.161.13314355TCP
                                                                                                  2024-10-01T19:22:51.511706+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497253.67.161.13314355TCP
                                                                                                  2024-10-01T19:22:54.112897+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497263.67.161.13314355TCP
                                                                                                  2024-10-01T19:22:54.112897+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497263.67.161.13314355TCP
                                                                                                  2024-10-01T19:22:57.363488+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497283.67.161.13314355TCP
                                                                                                  2024-10-01T19:22:57.363488+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497283.67.161.13314355TCP
                                                                                                  2024-10-01T19:23:00.688538+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497293.67.161.13314355TCP
                                                                                                  2024-10-01T19:23:00.688538+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497293.67.161.13314355TCP
                                                                                                  2024-10-01T19:23:04.260352+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.54973018.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:04.260352+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.54973018.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:07.305485+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.54973118.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:07.305485+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.54973118.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:10.722244+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.54973218.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:10.722244+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.54973218.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:14.219259+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.54973318.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:14.219259+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.54973318.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:17.043161+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.54973418.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:17.043161+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.54973418.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:17.623088+02002825564ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)1192.168.2.54973418.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:22.204240+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.54973518.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:22.204240+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.54973518.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:25.772944+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.54973618.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:25.772944+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.54973618.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:29.750221+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.54973718.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:29.750221+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.54973718.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:34.341100+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.54973818.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:34.341100+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.54973818.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:37.347851+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.54973918.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:37.347851+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.54973918.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:40.829037+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.54974018.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:40.829037+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.54974018.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:47.098118+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.54974118.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:47.098118+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.54974118.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:51.097857+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.54974218.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:51.097857+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.54974218.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:58.919701+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.54974318.158.58.20514355TCP
                                                                                                  2024-10-01T19:23:58.919701+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.54974318.158.58.20514355TCP
                                                                                                  2024-10-01T19:24:06.331479+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497443.127.181.11514355TCP
                                                                                                  2024-10-01T19:24:06.331479+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497443.127.181.11514355TCP
                                                                                                  2024-10-01T19:24:13.906350+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497453.127.181.11514355TCP
                                                                                                  2024-10-01T19:24:13.906350+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497453.127.181.11514355TCP
                                                                                                  2024-10-01T19:24:24.978852+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497463.127.181.11514355TCP
                                                                                                  2024-10-01T19:24:24.978852+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497463.127.181.11514355TCP
                                                                                                  2024-10-01T19:24:25.020132+02002825564ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)1192.168.2.5497463.127.181.11514355TCP
                                                                                                  2024-10-01T19:24:27.832466+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497473.127.181.11514355TCP
                                                                                                  2024-10-01T19:24:27.832466+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497473.127.181.11514355TCP
                                                                                                  2024-10-01T19:24:33.904491+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497483.127.181.11514355TCP
                                                                                                  2024-10-01T19:24:33.904491+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497483.127.181.11514355TCP
                                                                                                  2024-10-01T19:24:37.302132+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497493.127.181.11514355TCP
                                                                                                  2024-10-01T19:24:37.302132+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497493.127.181.11514355TCP
                                                                                                  2024-10-01T19:24:42.470605+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497503.127.181.11514355TCP
                                                                                                  2024-10-01T19:24:42.470605+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497503.127.181.11514355TCP
                                                                                                  2024-10-01T19:25:06.925611+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497513.127.181.11514355TCP
                                                                                                  2024-10-01T19:25:06.925611+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497513.127.181.11514355TCP
                                                                                                  2024-10-01T19:25:20.816734+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497523.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:20.816734+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497523.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:28.783719+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497533.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:28.783719+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497533.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:32.675749+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497543.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:32.675749+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497543.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:36.785631+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497553.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:36.785631+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497553.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:39.506680+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497563.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:39.506680+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497563.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:42.979877+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497573.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:42.979877+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497573.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:46.883212+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497583.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:46.883212+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497583.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:50.712666+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497593.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:50.712666+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497593.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:52.232550+02002825564ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)1192.168.2.5497593.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:54.472864+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497603.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:54.472864+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497603.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:57.723543+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.5497613.64.4.19814355TCP
                                                                                                  2024-10-01T19:25:57.723543+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.5497613.64.4.19814355TCP
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Oct 1, 2024 19:22:02.907404900 CEST  49704  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:02.912636995 CEST  14355  49704  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:02.912740946 CEST  49704  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:05.570772886 CEST  49704  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:05.575710058 CEST  14355  49704  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:05.575819016 CEST  49704  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:05.580945015 CEST  14355  49704  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:05.794044971 CEST  14355  49704  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:05.794184923 CEST  49704  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:07.798789024 CEST  49704  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:07.803837061 CEST  14355  49704  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:07.806442976 CEST  49705  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:07.811343908 CEST  14355  49705  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:07.811436892 CEST  49705  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:07.961647987 CEST  49705  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:07.966588974 CEST  14355  49705  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:07.966670036 CEST  49705  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:07.971519947 CEST  14355  49705  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:09.026276112 CEST  14355  49705  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:09.026422977 CEST  49705  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:11.044859886 CEST  49705  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:11.045792103 CEST  49706  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:11.497940063 CEST  49705  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:12.076061964 CEST  49706  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:12.107279062 CEST  49705  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:12.120049953 CEST  14355  49705  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:12.120096922 CEST  14355  49706  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:12.120130062 CEST  14355  49705  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:12.120186090 CEST  49706  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:12.120213032 CEST  49705  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:12.121634007 CEST  49706  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:12.121681929 CEST  14355  49706  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:12.121736050 CEST  49706  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:12.121751070 CEST  14355  49705  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:12.121804953 CEST  49705  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:12.126529932 CEST  14355  49706  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:12.126600981 CEST  49706  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:12.131453037 CEST  14355  49706  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:13.099083900 CEST  14355  49706  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:13.099175930 CEST  49706  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:15.107557058 CEST  49706  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:15.108392000 CEST  49709  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:15.112550020 CEST  14355  49706  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:15.113296032 CEST  14355  49709  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:15.113409042 CEST  49709  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:15.113971949 CEST  49709  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:15.118835926 CEST  14355  49709  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:15.118908882 CEST  49709  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:15.123698950 CEST  14355  49709  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:15.919899940 CEST  14355  49709  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:15.919984102 CEST  49709  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:17.938194036 CEST  49709  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:17.943100929 CEST  14355  49709  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:18.028924942 CEST  49714  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:18.150417089 CEST  14355  49714  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:18.150616884 CEST  49714  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:18.151613951 CEST  49714  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:18.158163071 CEST  14355  49714  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:18.158250093 CEST  49714  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:18.166733980 CEST  14355  49714  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:19.129570961 CEST  14355  49714  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:19.129671097 CEST  49714  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:21.139465094 CEST  49714  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:21.144424915 CEST  14355  49714  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:21.388170004 CEST  49715  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:21.393343925 CEST  14355  49715  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:21.393445969 CEST  49715  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:21.403273106 CEST  49715  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:21.408107042 CEST  14355  49715  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:21.408181906 CEST  49715  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:21.413006067 CEST  14355  49715  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:22.307636023 CEST  14355  49715  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:22.307707071 CEST  49715  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:24.310467005 CEST  49715  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:24.311316013 CEST  49717  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:24.315278053 CEST  14355  49715  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:24.316217899 CEST  14355  49717  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:24.316304922 CEST  49717  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:24.316827059 CEST  49717  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:24.321685076 CEST  14355  49717  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:24.321799994 CEST  49717  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:24.326653957 CEST  14355  49717  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:25.394229889 CEST  14355  49717  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:25.394304991 CEST  49717  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:27.404313087 CEST  49717  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:27.405493975 CEST  49718  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:27.810444117 CEST  49717  14355  192.168.2.5  3.67.161.133
Oct 1, 2024 19:22:28.372874975 CEST  14355  49717  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:28.372891903 CEST  14355  49718  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:28.372900963 CEST  14355  49717  3.67.161.133  192.168.2.5
Oct 1, 2024 19:22:28.373023987 CEST  49718  14355  192.168.2.5  3.67.161.133
                                                                                                  Oct 1, 2024 19:22:28.373182058 CEST4971714355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:28.374155045 CEST4971814355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:28.379225969 CEST14355497183.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:28.379278898 CEST4971814355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:28.384155035 CEST14355497183.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:29.182723045 CEST14355497183.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:29.182812929 CEST4971814355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:31.206691027 CEST4971814355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:31.211673975 CEST14355497183.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:31.514025927 CEST4971914355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:31.518898010 CEST14355497193.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:31.519021034 CEST4971914355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:31.519603014 CEST4971914355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:31.524404049 CEST14355497193.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:31.623169899 CEST4971914355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:31.628112078 CEST14355497193.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:32.358258009 CEST14355497193.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:32.358386040 CEST4971914355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:34.373528004 CEST4971914355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:34.378421068 CEST14355497193.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:34.701489925 CEST4972014355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:34.831361055 CEST14355497203.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:34.831469059 CEST4972014355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:34.832588911 CEST4972014355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:34.837372065 CEST14355497203.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:34.837440968 CEST4972014355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:34.842319965 CEST14355497203.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:36.065593004 CEST14355497203.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:36.065835953 CEST4972014355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:38.081892967 CEST4972014355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:38.086931944 CEST14355497203.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:38.107593060 CEST4972114355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:38.112406015 CEST14355497213.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:38.112546921 CEST4972114355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:38.113336086 CEST4972114355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:38.118100882 CEST14355497213.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:38.118181944 CEST4972114355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:38.122983932 CEST14355497213.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:38.471729994 CEST4972114355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:38.810544014 CEST4972114355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:39.394062996 CEST14355497213.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:39.394145012 CEST4972114355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:39.394320011 CEST14355497213.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:39.395771980 CEST14355497213.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:39.395832062 CEST4972114355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:39.395845890 CEST14355497213.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:39.399857044 CEST14355497213.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:39.401642084 CEST14355497213.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:41.530139923 CEST4972214355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:42.178821087 CEST14355497223.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:42.178913116 CEST4972214355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:42.179629087 CEST4972214355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:42.184534073 CEST14355497223.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:42.184588909 CEST4972214355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:42.189588070 CEST14355497223.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:43.419039011 CEST14355497223.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:43.420006037 CEST4972214355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:45.435523033 CEST4972214355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:45.436697960 CEST4972314355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:45.440418959 CEST14355497223.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:45.441673040 CEST14355497233.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:45.441745996 CEST4972314355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:45.622432947 CEST4972314355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:45.627660036 CEST14355497233.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:45.627744913 CEST4972314355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:45.632905006 CEST14355497233.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:46.304214001 CEST14355497233.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:46.304306030 CEST4972314355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:48.357361078 CEST4972314355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:48.363301992 CEST14355497233.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:48.656390905 CEST4972414355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:48.661387920 CEST14355497243.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:48.661515951 CEST4972414355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:48.662189007 CEST4972414355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:48.666935921 CEST14355497243.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:48.667033911 CEST4972414355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:48.671818972 CEST14355497243.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:49.333849907 CEST14355497243.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:49.333928108 CEST4972414355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:51.341895103 CEST4972414355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:51.342801094 CEST4972514355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:51.346802950 CEST14355497243.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:51.347599983 CEST14355497253.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:51.347686052 CEST4972514355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:51.511706114 CEST4972514355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:51.516554117 CEST14355497253.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:51.516619921 CEST4972514355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:51.521434069 CEST14355497253.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:52.016061068 CEST14355497253.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:52.016160965 CEST4972514355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:54.086075068 CEST4972514355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:54.090950966 CEST14355497253.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:54.106347084 CEST4972614355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:54.111154079 CEST14355497263.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:54.112071991 CEST4972614355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:54.112896919 CEST4972614355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:54.117774010 CEST14355497263.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:54.117846966 CEST4972614355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:54.122721910 CEST14355497263.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:55.355279922 CEST14355497263.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:55.355411053 CEST4972614355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:57.357347965 CEST4972614355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:57.358124018 CEST4972814355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:57.362122059 CEST14355497263.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:57.362932920 CEST14355497283.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:57.363006115 CEST4972814355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:57.363487959 CEST4972814355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:57.368592024 CEST14355497283.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:57.368642092 CEST4972814355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:22:57.373501062 CEST14355497283.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:58.290011883 CEST14355497283.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:22:58.290087938 CEST4972814355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:23:00.308777094 CEST4972814355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:23:00.313604116 CEST14355497283.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:23:00.420675039 CEST4972914355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:23:00.425508022 CEST14355497293.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:23:00.425591946 CEST4972914355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:23:00.688538074 CEST4972914355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:23:00.693490028 CEST14355497293.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:23:00.693579912 CEST4972914355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:23:00.698306084 CEST14355497293.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:23:01.682166100 CEST14355497293.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:23:01.682241917 CEST4972914355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:23:03.778723001 CEST4972914355192.168.2.53.67.161.133
                                                                                                  Oct 1, 2024 19:23:03.783694983 CEST14355497293.67.161.133192.168.2.5
                                                                                                  Oct 1, 2024 19:23:04.253479004 CEST4973014355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:04.258761883 CEST143554973018.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:04.258862972 CEST4973014355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:04.260351896 CEST4973014355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:04.265613079 CEST143554973018.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:04.265682936 CEST4973014355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:04.270622969 CEST143554973018.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:05.249814987 CEST143554973018.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:05.250030994 CEST4973014355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:07.282104969 CEST4973014355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:07.291776896 CEST4973114355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:07.304872036 CEST143554973018.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:07.304892063 CEST143554973118.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:07.304990053 CEST4973114355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:07.305485010 CEST4973114355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:07.310262918 CEST143554973118.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:07.310324907 CEST4973114355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:07.315156937 CEST143554973118.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:07.973817110 CEST143554973118.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:07.973929882 CEST4973114355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:10.008430004 CEST4973114355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:10.253190994 CEST4973214355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:10.310528040 CEST4973114355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:10.721420050 CEST143554973118.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:10.721438885 CEST143554973218.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:10.721447945 CEST143554973118.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:10.721549034 CEST4973114355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:10.722244024 CEST4973214355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:10.722244024 CEST4973214355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:10.726979971 CEST143554973218.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:10.727036953 CEST4973214355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:10.731829882 CEST143554973218.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:11.650341988 CEST143554973218.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:11.650439978 CEST4973214355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:13.659326077 CEST4973214355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:13.664244890 CEST143554973218.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:14.212970972 CEST4973314355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:14.218072891 CEST143554973318.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:14.218194008 CEST4973314355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:14.219259024 CEST4973314355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:14.224200010 CEST143554973318.158.58.205192.168.2.5
                                                                                                  Oct 1, 2024 19:23:14.224273920 CEST4973314355192.168.2.518.158.58.205
                                                                                                  Oct 1, 2024 19:23:14.229105949 CEST143554973318.158.58.205192.168.2.5
Oct 1, 2024 19:23:14.896898985 CEST  14355  49733  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:14.897003889 CEST  49733  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:16.904503107 CEST  49733  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:16.909699917 CEST  14355  49733  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:17.034636974 CEST  49734  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:17.039628983 CEST  14355  49734  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:17.039720058 CEST  49734  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:17.043160915 CEST  49734  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:17.047928095 CEST  14355  49734  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:17.047997952 CEST  49734  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:17.052869081 CEST  14355  49734  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:17.623087883 CEST  49734  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:17.627942085 CEST  14355  49734  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:18.727183104 CEST  14355  49734  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:18.727472067 CEST  49734  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:18.727539062 CEST  14355  49734  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:18.727597952 CEST  49734  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:18.727689028 CEST  14355  49734  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:18.727735996 CEST  49734  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:20.823441029 CEST  49734  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:20.828473091 CEST  14355  49734  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:21.149583101 CEST  49735  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:22.169809103 CEST  49735  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:22.203536034 CEST  14355  49735  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:22.203552961 CEST  14355  49735  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:22.203732014 CEST  49735  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:22.204240084 CEST  49735  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:22.209037066 CEST  14355  49735  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:22.209091902 CEST  49735  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:22.213906050 CEST  14355  49735  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:23.488065004 CEST  14355  49735  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:23.488152027 CEST  49735  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:25.504465103 CEST  49735  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:25.509366989 CEST  14355  49735  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:25.765696049 CEST  49736  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:25.771822929 CEST  14355  49736  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:25.771950960 CEST  49736  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:25.772943974 CEST  49736  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:25.777710915 CEST  14355  49736  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:25.777868032 CEST  49736  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:25.782695055 CEST  14355  49736  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:26.848176956 CEST  14355  49736  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:26.848360062 CEST  49736  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:28.865927935 CEST  49736  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:28.871071100 CEST  14355  49736  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:28.875679016 CEST  49737  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:28.880629063 CEST  14355  49737  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:28.880805016 CEST  49737  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:29.750221014 CEST  49737  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:29.755139112 CEST  14355  49737  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:29.755196095 CEST  49737  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:29.760008097 CEST  14355  49737  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:30.319767952 CEST  14355  49737  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:30.319958925 CEST  49737  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:32.326251984 CEST  49737  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:32.382282972 CEST  14355  49737  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:34.335273027 CEST  49738  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:34.340327024 CEST  14355  49738  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:34.340415955 CEST  49738  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:34.341099977 CEST  49738  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:34.346633911 CEST  14355  49738  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:34.346724987 CEST  49738  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:34.351551056 CEST  14355  49738  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:35.286156893 CEST  14355  49738  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:35.286354065 CEST  49738  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:37.303814888 CEST  49738  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:37.308726072 CEST  14355  49738  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:37.342005014 CEST  49739  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:37.346904993 CEST  14355  49739  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:37.347170115 CEST  49739  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:37.347851038 CEST  49739  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:37.352662086 CEST  14355  49739  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:37.352739096 CEST  49739  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:37.357614040 CEST  14355  49739  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:38.779978037 CEST  14355  49739  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:38.780050993 CEST  49739  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:38.780455112 CEST  14355  49739  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:38.780507088 CEST  49739  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:38.780878067 CEST  14355  49739  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:38.780921936 CEST  49739  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:40.809813976 CEST  49739  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:40.814824104 CEST  14355  49739  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:40.823441982 CEST  49740  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:40.828300953 CEST  14355  49740  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:40.828419924 CEST  49740  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:40.829036951 CEST  49740  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:40.833930016 CEST  14355  49740  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:40.834017038 CEST  49740  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:40.839405060 CEST  14355  49740  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:41.505377054 CEST  14355  49740  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:41.505461931 CEST  49740  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:43.513703108 CEST  49740  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:43.518706083 CEST  14355  49740  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:47.091957092 CEST  49741  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:47.097039938 CEST  14355  49741  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:47.097141027 CEST  49741  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:47.098118067 CEST  49741  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:47.102935076 CEST  14355  49741  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:47.103008032 CEST  49741  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:47.107868910 CEST  14355  49741  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:47.947573900 CEST  14355  49741  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:47.947721958 CEST  49741  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:49.967133999 CEST  49741  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:49.972326994 CEST  14355  49741  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:51.091944933 CEST  49742  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:51.097085953 CEST  14355  49742  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:51.097204924 CEST  49742  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:51.097856998 CEST  49742  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:51.102878094 CEST  14355  49742  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:51.102953911 CEST  49742  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:51.108036041 CEST  14355  49742  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:51.797533035 CEST  14355  49742  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:51.797605038 CEST  49742  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:53.963983059 CEST  49742  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:53.968976021 CEST  14355  49742  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:58.913691998 CEST  49743  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:58.918924093 CEST  14355  49743  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:58.919013977 CEST  49743  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:58.919701099 CEST  49743  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:58.924518108 CEST  14355  49743  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:58.924587965 CEST  49743  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:23:58.929856062 CEST  14355  49743  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:59.913670063 CEST  14355  49743  18.158.58.205  192.168.2.5
Oct 1, 2024 19:23:59.913918972 CEST  49743  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:24:01.989137888 CEST  49743  14355  192.168.2.5  18.158.58.205
Oct 1, 2024 19:24:01.994136095 CEST  14355  49743  18.158.58.205  192.168.2.5
Oct 1, 2024 19:24:06.325160980 CEST  49744  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:06.330260992 CEST  14355  49744  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:06.330411911 CEST  49744  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:06.331479073 CEST  49744  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:06.336591005 CEST  14355  49744  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:06.336677074 CEST  49744  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:06.341573000 CEST  14355  49744  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:07.320728064 CEST  14355  49744  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:07.320873022 CEST  49744  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:09.330497026 CEST  49744  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:09.335468054 CEST  14355  49744  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:12.446248055 CEST  49745  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:12.451380968 CEST  14355  49745  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:12.451471090 CEST  49745  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:13.906349897 CEST  49745  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:13.911627054 CEST  14355  49745  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:13.911710024 CEST  49745  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:13.916594982 CEST  14355  49745  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:14.443182945 CEST  14355  49745  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:14.443255901 CEST  49745  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:16.455329895 CEST  49745  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:16.484220982 CEST  49746  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:16.763550043 CEST  49745  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:17.372939110 CEST  49745  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:17.528258085 CEST  14355  49745  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:17.528275013 CEST  14355  49746  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:17.528284073 CEST  14355  49745  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:17.528386116 CEST  49745  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:17.529346943 CEST  49746  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:17.531692028 CEST  14355  49745  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:17.531740904 CEST  49745  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:24.978852034 CEST  49746  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:24.983742952 CEST  14355  49746  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:24.983815908 CEST  49746  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:24.988646984 CEST  14355  49746  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:25.020132065 CEST  49746  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:25.024945974 CEST  14355  49746  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:25.524611950 CEST  14355  49746  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:25.524668932 CEST  49746  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:27.575984955 CEST  49746  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:27.580914974 CEST  14355  49746  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:27.826560974 CEST  49747  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:27.831728935 CEST  14355  49747  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:27.831849098 CEST  49747  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:27.832465887 CEST  49747  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:27.837296963 CEST  14355  49747  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:27.837379932 CEST  49747  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:27.842178106 CEST  14355  49747  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:29.107357025 CEST  14355  49747  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:29.107435942 CEST  49747  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:31.126336098 CEST  49747  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:31.131186008 CEST  14355  49747  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:31.138966084 CEST  49748  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:31.143749952 CEST  14355  49748  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:31.143850088 CEST  49748  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:33.904490948 CEST  49748  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:34.263732910 CEST  49748  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:34.716494083 CEST  14355  49748  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:34.716511965 CEST  14355  49748  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:35.281356096 CEST  14355  49748  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:35.281431913 CEST  49748  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:37.294951916 CEST  49748  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:37.296243906 CEST  49749  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:37.299871922 CEST  14355  49748  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:37.301107883 CEST  14355  49749  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:37.301187038 CEST  49749  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:37.302131891 CEST  49749  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:37.306948900 CEST  14355  49749  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:37.307022095 CEST  49749  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:37.311830044 CEST  14355  49749  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:38.373837948 CEST  14355  49749  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:38.374038935 CEST  49749  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:40.413868904 CEST  49749  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:40.418781996 CEST  14355  49749  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:40.437951088 CEST  49750  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:40.442981005 CEST  14355  49750  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:40.443062067 CEST  49750  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:42.470604897 CEST  49750  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:42.779192924 CEST  49750  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:43.098786116 CEST  14355  49750  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:43.098807096 CEST  14355  49750  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:43.646085978 CEST  14355  49750  3.127.181.115  192.168.2.5
Oct 1, 2024 19:24:43.646178007 CEST  49750  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:45.677583933 CEST  49750  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:24:45.682485104 CEST  14355  49750  3.127.181.115  192.168.2.5
Oct 1, 2024 19:25:00.328857899 CEST  49751  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:25:00.928955078 CEST  14355  49751  3.127.181.115  192.168.2.5
Oct 1, 2024 19:25:00.929194927 CEST  49751  14355  192.168.2.5  3.127.181.115
Oct 1, 2024 19:25:06.925611019 CEST  49751  14355  192.168.2.5  3.127.181.115
                                                                                                  Oct 1, 2024 19:25:06.930514097 CEST14355497513.127.181.115192.168.2.5
                                                                                                  Oct 1, 2024 19:25:06.930579901 CEST4975114355192.168.2.53.127.181.115
                                                                                                  Oct 1, 2024 19:25:06.935456991 CEST14355497513.127.181.115192.168.2.5
                                                                                                  Oct 1, 2024 19:25:07.483666897 CEST14355497513.127.181.115192.168.2.5
                                                                                                  Oct 1, 2024 19:25:07.483889103 CEST4975114355192.168.2.53.127.181.115
                                                                                                  Oct 1, 2024 19:25:09.628073931 CEST4975114355192.168.2.53.127.181.115
                                                                                                  Oct 1, 2024 19:25:09.633032084 CEST14355497513.127.181.115192.168.2.5
                                                                                                  Oct 1, 2024 19:25:20.810870886 CEST4975214355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:20.815771103 CEST14355497523.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:20.815874100 CEST4975214355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:20.816734076 CEST4975214355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:20.821580887 CEST14355497523.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:20.821656942 CEST4975214355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:20.826479912 CEST14355497523.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:21.737509012 CEST14355497523.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:21.737652063 CEST4975214355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:23.762590885 CEST4975214355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:23.767743111 CEST14355497523.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:28.777369022 CEST4975314355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:28.782799006 CEST14355497533.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:28.782898903 CEST4975314355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:28.783719063 CEST4975314355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:28.790216923 CEST14355497533.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:28.790292978 CEST4975314355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:28.796312094 CEST14355497533.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:29.823596001 CEST14355497533.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:29.823712111 CEST4975314355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:31.840001106 CEST4975314355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:31.854785919 CEST4975414355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:32.169795990 CEST4975314355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:32.674941063 CEST14355497533.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:32.674957037 CEST14355497543.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:32.674967051 CEST14355497533.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:32.675069094 CEST4975314355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:32.675749063 CEST4975414355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:32.675749063 CEST4975414355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:32.680511951 CEST14355497543.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:32.680588961 CEST4975414355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:32.686047077 CEST14355497543.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:33.929568052 CEST14355497543.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:33.929630995 CEST4975414355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:35.935606956 CEST4975414355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:35.936369896 CEST4975514355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:35.940599918 CEST14355497543.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:35.941224098 CEST14355497553.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:35.941293955 CEST4975514355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:36.785630941 CEST4975514355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:36.928989887 CEST14355497553.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:36.929075003 CEST4975514355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:36.934139013 CEST14355497553.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:37.463299990 CEST14355497553.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:37.463404894 CEST4975514355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:39.491530895 CEST4975514355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:39.496422052 CEST14355497553.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:39.501075029 CEST4975614355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:39.505939960 CEST14355497563.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:39.506017923 CEST4975614355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:39.506680012 CEST4975614355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:39.511504889 CEST14355497563.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:39.511579990 CEST4975614355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:39.516390085 CEST14355497563.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:40.429954052 CEST14355497563.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:40.430037022 CEST4975614355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:42.435775995 CEST4975614355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:42.440706968 CEST14355497563.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:42.970114946 CEST4975714355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:42.975058079 CEST14355497573.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:42.975128889 CEST4975714355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:42.979876995 CEST4975714355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:42.984811068 CEST14355497573.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:42.984878063 CEST4975714355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:42.989777088 CEST14355497573.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:44.221853018 CEST14355497573.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:44.221925974 CEST4975714355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:46.237648010 CEST4975714355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:46.242593050 CEST14355497573.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:46.580080986 CEST4975814355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:46.585179090 CEST14355497583.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:46.585270882 CEST4975814355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:46.883212090 CEST4975814355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:46.888175964 CEST14355497583.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:46.888237000 CEST4975814355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:46.893430948 CEST14355497583.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:47.498544931 CEST14355497583.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:47.498621941 CEST4975814355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:49.514934063 CEST4975814355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:49.519892931 CEST14355497583.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:50.701399088 CEST4975914355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:50.711623907 CEST14355497593.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:50.711759090 CEST4975914355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:50.712666035 CEST4975914355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:50.717658997 CEST14355497593.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:50.717741013 CEST4975914355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:50.722719908 CEST14355497593.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:52.232549906 CEST4975914355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:52.439167976 CEST14355497593.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:52.439250946 CEST4975914355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:52.440335989 CEST14355497593.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:52.440397024 CEST4975914355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:52.443689108 CEST14355497593.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:52.443742990 CEST4975914355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:52.445713997 CEST14355497593.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:52.445765972 CEST4975914355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:52.446474075 CEST14355497593.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:52.447756052 CEST14355497593.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:52.447763920 CEST14355497593.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:52.449863911 CEST14355497593.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:52.450581074 CEST14355497593.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:54.467287064 CEST4976014355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:54.472291946 CEST14355497603.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:54.472377062 CEST4976014355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:54.472863913 CEST4976014355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:54.477783918 CEST14355497603.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:54.477869987 CEST4976014355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:54.483050108 CEST14355497603.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:55.713640928 CEST14355497603.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:55.713866949 CEST4976014355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:57.716989994 CEST4976014355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:57.717919111 CEST4976114355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:57.722011089 CEST14355497603.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:57.722948074 CEST14355497613.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:57.723018885 CEST4976114355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:57.723542929 CEST4976114355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:57.728444099 CEST14355497613.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:57.728493929 CEST4976114355192.168.2.53.64.4.198
                                                                                                  Oct 1, 2024 19:25:57.733371973 CEST14355497613.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:58.968419075 CEST14355497613.64.4.198192.168.2.5
                                                                                                  Oct 1, 2024 19:25:58.970093012 CEST4976114355192.168.2.53.64.4.198
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 1, 2024 19:22:02.586038113 CEST | 52952 | 53 | 192.168.2.5 | 1.1.1.1
Oct 1, 2024 19:22:02.598268032 CEST | 53 | 52952 | 1.1.1.1 | 192.168.2.5
Oct 1, 2024 19:23:03.983534098 CEST | 50529 | 53 | 192.168.2.5 | 1.1.1.1
Oct 1, 2024 19:23:03.993117094 CEST | 53 | 50529 | 1.1.1.1 | 192.168.2.5
Oct 1, 2024 19:24:04.218755007 CEST | 57340 | 53 | 192.168.2.5 | 1.1.1.1
Oct 1, 2024 19:24:04.233175039 CEST | 53 | 57340 | 1.1.1.1 | 192.168.2.5
Oct 1, 2024 19:25:10.947036982 CEST | 54749 | 53 | 192.168.2.5 | 1.1.1.1
Oct 1, 2024 19:25:10.957207918 CEST | 53 | 54749 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 1, 2024 19:22:02.586038113 CEST | 192.168.2.5 | 1.1.1.1 | 0x992c | Standard query (0) | 5.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Oct 1, 2024 19:23:03.983534098 CEST | 192.168.2.5 | 1.1.1.1 | 0x7bf | Standard query (0) | 5.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Oct 1, 2024 19:24:04.218755007 CEST | 192.168.2.5 | 1.1.1.1 | 0x2306 | Standard query (0) | 5.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Oct 1, 2024 19:25:10.947036982 CEST | 192.168.2.5 | 1.1.1.1 | 0x323f | Standard query (0) | 5.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 1, 2024 19:22:02.598268032 CEST | 1.1.1.1 | 192.168.2.5 | 0x992c | No error (0) | 5.tcp.eu.ngrok.io | | 3.67.161.133 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 19:23:03.993117094 CEST | 1.1.1.1 | 192.168.2.5 | 0x7bf | No error (0) | 5.tcp.eu.ngrok.io | | 18.158.58.205 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 19:24:04.233175039 CEST | 1.1.1.1 | 192.168.2.5 | 0x2306 | No error (0) | 5.tcp.eu.ngrok.io | | 3.127.181.115 | A (IP address) | IN (0x0001) | false
Oct 1, 2024 19:25:10.957207918 CEST | 1.1.1.1 | 192.168.2.5 | 0x323f | No error (0) | 5.tcp.eu.ngrok.io | | 3.64.4.198 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 13:21:52
Start date: 01/10/2024
Path: C:\Users\user\Desktop\nKHN8rvjmN.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\nKHN8rvjmN.exe"
Imagebase: 0xa0000
File size: 95'232 bytes
MD5 hash: 2545B47E98FFB00E68912DBEDCB8F5DB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.2030472622.0000000003718000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.2002277926.00000000000A2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 2
Start time: 13:21:54
Start date: 01/10/2024
Path: C:\Users\user\AppData\Local\Temp\server.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\server.exe"
Imagebase: 0xf50000
File size: 95'232 bytes
MD5 hash: 2545B47E98FFB00E68912DBEDCB8F5DB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.4452471336.0000000003521000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: unknown
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: Florian Roth
• Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: JPCERT/CC Incident Response Group
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: ditekSHen
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: ditekSHen
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: ditekSHen
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: ditekSHen
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: ditekSHen
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\server.exe, Author: ditekSHen
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Avira
                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                  • Detection: 87%, ReversingLabs
                                                                                                  Reputation:low
                                                                                                  Has exited:false

                                                                                                  Target ID:3
                                                                                                  Start time:13:21:55
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                  Imagebase:0x1080000
                                                                                                  File size:82'432 bytes
                                                                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:4
                                                                                                  Start time:13:21:55
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:5
                                                                                                  Start time:13:21:57
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:netsh firewall delete allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe"
                                                                                                  Imagebase:0x1080000
                                                                                                  File size:82'432 bytes
                                                                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:6
                                                                                                  Start time:13:21:57
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                                                                                  Imagebase:0x1080000
                                                                                                  File size:82'432 bytes
                                                                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:7
                                                                                                  Start time:13:21:57
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:8
                                                                                                  Start time:13:21:57
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:9
                                                                                                  Start time:13:21:58
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\user\AppData\Local\Temp/StUpdate.exe
                                                                                                  Imagebase:0x420000
                                                                                                  File size:187'904 bytes
                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:10
                                                                                                  Start time:13:21:58
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:11
                                                                                                  Start time:13:21:59
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Users\user\AppData\Local\Temp\StUpdate.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Users\user\AppData\Local\Temp/StUpdate.exe
                                                                                                  Imagebase:0x6e0000
                                                                                                  File size:95'232 bytes
                                                                                                  MD5 hash:2545B47E98FFB00E68912DBEDCB8F5DB
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, Author: unknown
                                                                                                  • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, Author: Florian Roth
                                                                                                  • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Local\Temp\StUpdate.exe, Author: ditekSHen
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Avira
                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                  • Detection: 87%, ReversingLabs
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:12
                                                                                                  Start time:13:22:01
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Users\user\AppData\Local\Temp\StUpdate.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Users\user\AppData\Local\Temp/StUpdate.exe
                                                                                                  Imagebase:0xa30000
                                                                                                  File size:95'232 bytes
                                                                                                  MD5 hash:2545B47E98FFB00E68912DBEDCB8F5DB
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:13
                                                                                                  Start time:13:22:06
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe"
                                                                                                  Imagebase:0x8a0000
                                                                                                  File size:95'232 bytes
                                                                                                  MD5 hash:2545B47E98FFB00E68912DBEDCB8F5DB
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, Author: unknown
                                                                                                  • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, Author: Florian Roth
                                                                                                  • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe, Author: ditekSHen
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Avira
                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                  • Detection: 87%, ReversingLabs
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:17
                                                                                                  Start time:13:22:09
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32cf646479fb52a6cecce80a3bf8d7deWindows Update.exe"
                                                                                                  Imagebase:0xb20000
                                                                                                  File size:95'232 bytes
                                                                                                  MD5 hash:2545B47E98FFB00E68912DBEDCB8F5DB
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:18
                                                                                                  Start time:13:22:15
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explore.exe"
                                                                                                  Imagebase:0xc30000
                                                                                                  File size:95'232 bytes
                                                                                                  MD5 hash:2545B47E98FFB00E68912DBEDCB8F5DB
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 87%, ReversingLabs
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:19
                                                                                                  Start time:13:22:25
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"
                                                                                                  Imagebase:0xec0000
                                                                                                  File size:95'232 bytes
                                                                                                  MD5 hash:2545B47E98FFB00E68912DBEDCB8F5DB
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: unknown
                                                                                                  • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Florian Roth
                                                                                                  • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: JPCERT/CC Incident Response Group
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
                                                                                                  • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Avira
                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                  • Detection: 87%, ReversingLabs
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:21
                                                                                                  Start time:13:23:00
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Users\user\AppData\Local\Temp\StUpdate.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Users\user\AppData\Local\Temp/StUpdate.exe
                                                                                                  Imagebase:0x3b0000
                                                                                                  File size:95'232 bytes
                                                                                                  MD5 hash:2545B47E98FFB00E68912DBEDCB8F5DB
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:22
                                                                                                  Start time:13:24:00
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Users\user\AppData\Local\Temp\StUpdate.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Users\user\AppData\Local\Temp/StUpdate.exe
                                                                                                  Imagebase:0x7ff632ac0000
                                                                                                  File size:95'232 bytes
                                                                                                  MD5 hash:2545B47E98FFB00E68912DBEDCB8F5DB
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:23
                                                                                                  Start time:13:25:00
                                                                                                  Start date:01/10/2024
                                                                                                  Path:C:\Users\user\AppData\Local\Temp\StUpdate.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Users\user\AppData\Local\Temp/StUpdate.exe
                                                                                                  Imagebase:0x230000
                                                                                                  File size:95'232 bytes
                                                                                                  MD5 hash:2545B47E98FFB00E68912DBEDCB8F5DB
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:low
                                                                                                  Has exited:true


                                                                                                    Execution Graph

                                                                                                    Execution Coverage:2.6%
                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                    Signature Coverage:0%
                                                                                                    Total number of Nodes:58
                                                                                                    Total number of Limit Nodes:4
                                                                                                    execution_graph: node/edge list of the rendered execution graph (basic blocks at 0x79a573 through 0x79b488) not reproduced; Windows API calls reached from the graphed code: DuplicateHandle, CloseHandle, SetErrorMode, OleInitialize, OleGetClipboard, CreateFileW, WriteFile, GetFileType, CreateMutexW, ShellExecuteExW

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph: node/edge list of the rendered graph (executed/not-executed colouring) not reproduced; function starting at 0x4874298, basic blocks spanning 0x4874298 through 0x487715f, with calls to 0x4874210 and 0x4874278
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: :@k$:@k$:@k$:@k$:@k$:@k$@$\Ol$|tz$2l
                                                                                                    • API String ID: 0-1496641537
                                                                                                    • Opcode ID: 452795d0528d5f388b02f8b9e470950537ef1861114b3e7dce2258d77d542a90
                                                                                                    • Instruction ID: 91d4b23375b782e0c6f6b51dcc355cffc357c6bf085ff794183c7cecab9161ea
                                                                                                    • Opcode Fuzzy Hash: 452795d0528d5f388b02f8b9e470950537ef1861114b3e7dce2258d77d542a90
                                                                                                    • Instruction Fuzzy Hash: 1E233C75A01128CFDB24EF34D864BA9B7B6FB48308F4081E9D509A73A4DB399E85CF51

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph: node/edge list of the rendered graph (executed/not-executed colouring) not reproduced; function starting at 0x4874291, basic blocks spanning 0x4874291 through 0x487715f, with calls to 0x4874210 and 0x4874278
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $:@k$:@k$:@k$:@k$:@k$:@k$\Ol$|tz$2l
                                                                                                    • API String ID: 0-3400554175
                                                                                                    • Opcode ID: 67c5c4b077c30dcdae0d8ad05c9e7811913b674be7b0db5c8d3fd5c9665919a7
                                                                                                    • Instruction ID: 817770b61b1539b7208008b35f0084c1128efd2003467b8aa1574f5f3f62096d
                                                                                                    • Opcode Fuzzy Hash: 67c5c4b077c30dcdae0d8ad05c9e7811913b674be7b0db5c8d3fd5c9665919a7
                                                                                                    • Instruction Fuzzy Hash: DC134E75A01128CFDB24EF34D864BA9B7B6FB49304F0081E9D909A73A5DB399E85CF41

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph: node/edge list of the rendered graph (executed/not-executed colouring) not reproduced; function starting at 0x48700b8, basic blocks spanning 0x48700b8 through 0x48701de, with resolved call targets 0x79a23a, 0x79a20c, 0xb20606, 0xb205df, 0x4873802, 0x48739bf and 0x4873b18
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2l$2l$5]!l^$E]!l^
                                                                                                    • API String ID: 0-871554589
                                                                                                    • Opcode ID: d3c2512c0e400a7b26d4bbc31d3aa5bd919a47f2f6e0de827b7b6fadb5f60314
                                                                                                    • Instruction ID: 48a701218096d201a72fbd2f3103031511911a2260a3426853cf680c4b7dabd9
                                                                                                    • Opcode Fuzzy Hash: d3c2512c0e400a7b26d4bbc31d3aa5bd919a47f2f6e0de827b7b6fadb5f60314
                                                                                                    • Instruction Fuzzy Hash: C43105327043549FD705EB75A8127AE3BA79BC3308B1499AAD105CF792CF7A9C0587E2

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 1142 4870118-4870169 1148 4870174-487017a 1142->1148 1149 4870181-48701bd 1148->1149 1154 48701c8-48701d5 1149->1154 1157 48701d5 call b20606 1154->1157 1158 48701d5 call 4873802 1154->1158 1159 48701d5 call 48739bf 1154->1159 1160 48701d5 call b205df 1154->1160 1161 48701d5 call 4873b18 1154->1161 1156 48701db-48701de 1157->1156 1158->1156 1159->1156 1160->1156 1161->1156
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2l$2l$5]!l^$E]!l^
                                                                                                    • API String ID: 0-871554589
                                                                                                    • Opcode ID: b57b4428be48ca887161f9d7c7cc42976bb6f28fceb3a89f91498bc507e5c042
                                                                                                    • Instruction ID: 640d1512ae41d509737f2fdd75c037cc8ed1e27db99b2289c1650547f43afdfe
                                                                                                    • Opcode Fuzzy Hash: b57b4428be48ca887161f9d7c7cc42976bb6f28fceb3a89f91498bc507e5c042
                                                                                                    • Instruction Fuzzy Hash: FF1102363042509FC305BB39A4123EA27CA9BD7308354A9AAD009CF752CF6ADC0987E3

Control-flow Graph: function 0x48701e1-0x4870288 (graph not rendered; block 0x4870202 has call edges to 0xb20606 and 0xb205df)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
Similarity
• API ID:
• String ID: HQz$XRz$Pz
• API String ID: 0-936100509
• Opcode ID: e23103a1fbcf5fa89d456583567000cc46aebe50479744fad7f48729a4ce4876
• Instruction ID: 171ee58c8cd939ffd8bdeb7db40d5a5f653ad1d8a7cb8909585378df3da86702
• Opcode Fuzzy Hash: e23103a1fbcf5fa89d456583567000cc46aebe50479744fad7f48729a4ce4876
• Instruction Fuzzy Hash: 19018C30606646DFCB04FB78D58864D7BE1AFC6309B94C82CE5558B316EB7AA8098B43

Control-flow Graph: function 0x4873802-0x48741f5 (graph not rendered; block 0x4873bb5 has call edges to 0xb20606, 0x4874291, 0xb205df and 0x4874298)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
Similarity
• API ID:
• String ID: \Ol$2l
• API String ID: 0-1312013075
• Opcode ID: 4737f299ac8d389b0886d03051d0c8174f27042405caf3d0e4b4cfd92e782224
• Instruction ID: aecc7666684cf96739dbe72b71a9ca533ba21fe86474c52463461300292f70d6
• Opcode Fuzzy Hash: 4737f299ac8d389b0886d03051d0c8174f27042405caf3d0e4b4cfd92e782224
• Instruction Fuzzy Hash: B3326E31A01218CFDB14EF74D855BEDB7B2BB89308F1085A9D509AB3A5DB399E81CF41

Control-flow Graph: function 0x79aa75-0x79ab7a (graph not rendered; CreateFileW is called from block 0x79ab1f-0x79ab43)
APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0079AB25
Memory Dump Source
• Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 9dc33f1d8d3a19f085f449046317446682debfd522ec303f7a82fb6011b90b04
• Instruction ID: 5a9c45203cbf3272fc1921cd56719179a5590a2446a1f69de00663a5c90cf666
• Opcode Fuzzy Hash: 9dc33f1d8d3a19f085f449046317446682debfd522ec303f7a82fb6011b90b04
• Instruction Fuzzy Hash: 853162B1505340AFE721CF65DC85F56BBF8EF06314F08849EE9858B652D365E848CB62

Control-flow Graph: function 0x79b036-0x79b132 (graph not rendered; CreateMutexW is called from block 0x79b0d7-0x79b0fb)
APIs
• CreateMutexW.KERNELBASE(?,?), ref: 0079B0DD
Memory Dump Source
• Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: 818b57acb2f1d7e07898157ab697f8253e33dff6b88ce416d0de6a1a2d60f4fd
• Instruction ID: b83abe0a1af586758cbe7e005f804cda0389ac80fb0247ed3c473b4a67abff1c
• Opcode Fuzzy Hash: 818b57acb2f1d7e07898157ab697f8253e33dff6b88ce416d0de6a1a2d60f4fd
• Instruction Fuzzy Hash: DA31B3715093806FE711CB65DD95B96BFF8EF06310F08849AE984CF292D375E808C762

Control-flow Graph: function 0x79a6ce-0x79a7a2 (graph not rendered; OleGetClipboard is called from block 0x79a72e-0x79a786)
APIs
• OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0079A77E
Memory Dump Source
• Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
Similarity
• API ID: Clipboard
• String ID:
• API String ID: 220874293-0
• Opcode ID: 6b5d603fb8bda5958bb2c6bf9dd0d8b8825bfda5210d1fe993459ac2b635e7a4
• Instruction ID: f931276b9d3da19e9c4349fa7266bcc43226cca08cb1667c85c4f58c336e01bc
• Opcode Fuzzy Hash: 6b5d603fb8bda5958bb2c6bf9dd0d8b8825bfda5210d1fe993459ac2b635e7a4
• Instruction Fuzzy Hash: B531717514D3C06FD3138B259C61B61BFB4EF47610F0A40CBE884CB6A3D2256919D772

Control-flow Graph: function 0x79ae77-0x79af55 (graph not rendered; WriteFile is called from block 0x79af07-0x79af27)
APIs
• WriteFile.KERNELBASE(?,00000E24,790211DE,00000000,00000000,00000000,00000000), ref: 0079AF0D
Memory Dump Source
• Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: d36be807d72e950294ccebac6260f3091a56e59a5ce7b0ad5cb08621159d775c
• Instruction ID: dd318b8cd1a3e1f0f254edd7c31bf7123318efc10a6e52c4df110487b9c911cc
• Opcode Fuzzy Hash: d36be807d72e950294ccebac6260f3091a56e59a5ce7b0ad5cb08621159d775c
• Instruction Fuzzy Hash: 4F21A6B2509380AFDB22CB51DD44F96BFB8EF46314F0884DAE9849F152D375A509CBB2

Control-flow Graph: function 0x79aaa6-0x79ab7a (graph not rendered; CreateFileW is called from block 0x79ab1f-0x79ab27, the same call site at 0x79AB25 as the function starting at 0x79aa75)
APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0079AB25
Memory Dump Source
• Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: e190835e877b32bc3e849a8bb017af8ef5c3f3d816018145ad14c1aa4f5981a1
• Instruction ID: 8cc2da2ac1006669c7ca4f0c82248b2e38d820e84a0866717fc5a4a79480a47e
• Opcode Fuzzy Hash: e190835e877b32bc3e849a8bb017af8ef5c3f3d816018145ad14c1aa4f5981a1
• Instruction Fuzzy Hash: 5D21AEB1601200AFEB20CF65DD45F66FBE8EF08724F048869E9498B651D375E808CBB2

Control-flow Graph: function 0x79a9bf-0x79aa73 (graph not rendered; SetErrorMode is called from block 0x79aa3e-0x79aa51)
APIs
• SetErrorMode.KERNELBASE(?), ref: 0079AA44
Memory Dump Source
• Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: aa23533010b9580700828be3955b84028b0a3a84c5230627fe5d3a1b2326559a
• Instruction ID: 45db8df2cc0866a52cfbc175084f75290c4d56aee383efd438efbe760a00ea48
• Opcode Fuzzy Hash: aa23533010b9580700828be3955b84028b0a3a84c5230627fe5d3a1b2326559a
• Instruction Fuzzy Hash: 14214A6550E7C0AFDB138B259C64651BFB4EF53624F0E80DBD9848F5A3C2685808CB73

Control-flow Graph: function 0x79ac37-0x79acf6 (graph not rendered; GetFileType is called from block 0x79acb7-0x79acca)
APIs
• GetFileType.KERNELBASE(?,00000E24,790211DE,00000000,00000000,00000000,00000000), ref: 0079ACBD
Memory Dump Source
• Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: 25ed73dbd264a2ebd73e13ac24bc3f4aecd54b62aec31de27b0dfaf0814eba8a
• Instruction ID: c5a03e2de4e1e54807d02947aa7023edc08b257e10fb9a15328acf99bcfe17e2
• Opcode Fuzzy Hash: 25ed73dbd264a2ebd73e13ac24bc3f4aecd54b62aec31de27b0dfaf0814eba8a
• Instruction Fuzzy Hash: FB21C6B55093806FE7128B15DC51BE2BFB8DF47714F1880D6E9848F253D264A909D772

Control-flow Graph: function 0x79b06a-0x79b132 (graph not rendered; CreateMutexW is called from block 0x79b0d7-0x79b0df, the same call site at 0x79B0DD as the function starting at 0x79b036)
APIs
• CreateMutexW.KERNELBASE(?,?), ref: 0079B0DD
Memory Dump Source
• Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: 9a6ca54b456662f33c4258a016075e275d5617cf0823e74157f8b8cc0237a24d
• Instruction ID: 84022821fea4622c19575777c584190b96aa4908477b4577343871a6f688be00
• Opcode Fuzzy Hash: 9a6ca54b456662f33c4258a016075e275d5617cf0823e74157f8b8cc0237a24d
• Instruction Fuzzy Hash: DD21B071600204AFEB20CB69EE85BA6FBE8EF04314F048469ED48CB641D375E808CB72

Control-flow Graph: function 0x79a61e-0x79a6cc (graph not rendered; OleInitialize is called from block 0x79a68a-0x79a692, although no entry is listed under APIs below)
APIs
Memory Dump Source
• Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: c7f614515a247e792da42380c66281ecf94ec61c0b172909c8c17be2a323d7d9
• Instruction ID: e9387558d52a7850de32b0f9657e05f315a5939afcf50baebeba681be09c7f50
• Opcode Fuzzy Hash: c7f614515a247e792da42380c66281ecf94ec61c0b172909c8c17be2a323d7d9
• Instruction Fuzzy Hash: 8B21477150E3C45FDB128B259C94692BFB49F07220F0984DBDD848F1A3D2699908CBA2
                                                                                                    APIs
                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0079A5DE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DuplicateHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 3793708945-0
                                                                                                    • Opcode ID: 79e0416eb07fa40f5447eed25b4d7b1bf0f6dd718099574a4ee0e6d987d517a8
                                                                                                    • Instruction ID: 17dfcbed02a4d54dcbd88a7635f94099ceb9bd9a1ea35e359d56d45969fe9e6d
                                                                                                    • Opcode Fuzzy Hash: 79e0416eb07fa40f5447eed25b4d7b1bf0f6dd718099574a4ee0e6d987d517a8
                                                                                                    • Instruction Fuzzy Hash: A9117271509780AFDB228F51DC44A62FFF4EF4A310F0888DAED858B562C275A818DB62
                                                                                                    APIs
                                                                                                    • WriteFile.KERNELBASE(?,00000E24,790211DE,00000000,00000000,00000000,00000000), ref: 0079AF0D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3934441357-0
                                                                                                    • Opcode ID: e5495f2886a8bdc9bccd16654288018e62f3c70b8b78429728ef340f819c5634
                                                                                                    • Instruction ID: 1eeffd599e7be23d31d8d458ce69ac35506533a4d2a17849b41c3435dee98d4b
                                                                                                    • Opcode Fuzzy Hash: e5495f2886a8bdc9bccd16654288018e62f3c70b8b78429728ef340f819c5634
                                                                                                    • Instruction Fuzzy Hash: 3A112772600200AFEB21CF55DC44FA6FBE8EF05714F14845AED498B641C335E508CBB2
                                                                                                    APIs
                                                                                                    • ShellExecuteExW.SHELL32(?), ref: 0079B480
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExecuteShell
                                                                                                    • String ID:
                                                                                                    • API String ID: 587946157-0
                                                                                                    • Opcode ID: 29019e8284fd4ed9919f753e12a684aeeacb3f935da78dffa29173ee87c2108a
                                                                                                    • Instruction ID: bffa632d5c75135cd1146522f069fa7b584cb9c7af8c2dd2cbc094368de7131f
                                                                                                    • Opcode Fuzzy Hash: 29019e8284fd4ed9919f753e12a684aeeacb3f935da78dffa29173ee87c2108a
                                                                                                    • Instruction Fuzzy Hash: B91181716093849FDB11CB25ED84B52BFA89F06210F0884EAED45CB252D264E808DB62
                                                                                                    APIs
                                                                                                    • GetFileType.KERNELBASE(?,00000E24,790211DE,00000000,00000000,00000000,00000000), ref: 0079ACBD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileType
                                                                                                    • String ID:
                                                                                                    • API String ID: 3081899298-0
                                                                                                    • Opcode ID: 1bc437f8bea80d31a0c77516997e35b947bbba13f65f6f1b92578b08671cbc99
                                                                                                    • Instruction ID: d05b36c0d383520aa10fa7f6768961305a32270d10205bc2f87d6df1d2e5e7b3
                                                                                                    • Opcode Fuzzy Hash: 1bc437f8bea80d31a0c77516997e35b947bbba13f65f6f1b92578b08671cbc99
                                                                                                    • Instruction Fuzzy Hash: E801D671601204AFEB10CB05DD85BA6F7ACDF15724F18C096ED058F741D378E948CAB6
                                                                                                    APIs
                                                                                                    • ShellExecuteExW.SHELL32(?), ref: 0079B480
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExecuteShell
                                                                                                    • String ID:
                                                                                                    • API String ID: 587946157-0
                                                                                                    • Opcode ID: 560786b235b1b22f979e8c70fc347f4da5eee3f3604823039b360d799175ed10
                                                                                                    • Instruction ID: 59b6bba40b05d43b8480e81a8f6628415624d522e004d7477043ad3b0c1932eb
                                                                                                    • Opcode Fuzzy Hash: 560786b235b1b22f979e8c70fc347f4da5eee3f3604823039b360d799175ed10
                                                                                                    • Instruction Fuzzy Hash: B60180716042448FDB50CF25E985766BBE8DF05720F08C4AADD49CB752D379E804DB62
                                                                                                    APIs
                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0079A5DE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DuplicateHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 3793708945-0
                                                                                                    • Opcode ID: dd825d9be66c08bec2058e20a51b8f8041d07557f230a3c1bbaa0b89e2ac8660
                                                                                                    • Instruction ID: 87a55fc3df5c04cf7804186d4d1fb0ebe1a301ab3ba7b0d4fe5a68d8129eef79
                                                                                                    • Opcode Fuzzy Hash: dd825d9be66c08bec2058e20a51b8f8041d07557f230a3c1bbaa0b89e2ac8660
                                                                                                    • Instruction Fuzzy Hash: 3C01AD32601600AFDF20CF55E844B62FFE4EF08720F08889ADE494A611C336E428DFA3
                                                                                                    APIs
                                                                                                    • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0079A77E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Clipboard
                                                                                                    • String ID:
                                                                                                    • API String ID: 220874293-0
                                                                                                    • Opcode ID: de4f129b628ad56fe24c89821cccb021996819b07a4439e1f2e0310f33b42cde
                                                                                                    • Instruction ID: 8485385d1660f474ecf8ab36229856a578da5546085cc0a857c7c85623251445
                                                                                                    • Opcode Fuzzy Hash: de4f129b628ad56fe24c89821cccb021996819b07a4439e1f2e0310f33b42cde
                                                                                                    • Instruction Fuzzy Hash: D601D671600200ABD310DF16DD46B76FBE8FB88A20F148159EC089BB41D731F955CBE5
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Initialize
                                                                                                    • String ID:
                                                                                                    • API String ID: 2538663250-0
                                                                                                    • Opcode ID: 090a6a657e852c4def7ce79cabb440f14cb08724236b44a9a1e508eab63d6e43
                                                                                                    • Instruction ID: 3ee9106188602dba41b40c0b67e7fd13ecfed9ef19bbc83bea5832420f1a9e57
                                                                                                    • Opcode Fuzzy Hash: 090a6a657e852c4def7ce79cabb440f14cb08724236b44a9a1e508eab63d6e43
                                                                                                    • Instruction Fuzzy Hash: 6301AD71A05244AFDB10CF15E884766FBE8EF15720F18C4AADD498F652D379E408CEA3
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNELBASE(?), ref: 0079AA44
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode
                                                                                                    • String ID:
                                                                                                    • API String ID: 2340568224-0
                                                                                                    • Opcode ID: 4bb86e5afd407e5ecc343dd290db7ec31dd54e069abe7aee1dff2248854c2725
                                                                                                    • Instruction ID: ac7db4d73898daae6acf3a054ab552d5ec51c75f318525023900bf91f5c89d56
                                                                                                    • Opcode Fuzzy Hash: 4bb86e5afd407e5ecc343dd290db7ec31dd54e069abe7aee1dff2248854c2725
                                                                                                    • Instruction Fuzzy Hash: 07F0F931A01640AFDB20CF06EA84B61FBE4EF15724F08C09ADD480B752C379E908CEA3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2l
                                                                                                    • API String ID: 0-2574689970
                                                                                                    • Opcode ID: d3eb9e48f75138d6aafa66048e8fc6971d899853211c13a9626134e3f2011b24
                                                                                                    • Instruction ID: 1e88f8a1bca353f870e8f129533600c749c4cedbbe0d27f5b31b0f395636dad5
                                                                                                    • Opcode Fuzzy Hash: d3eb9e48f75138d6aafa66048e8fc6971d899853211c13a9626134e3f2011b24
                                                                                                    • Instruction Fuzzy Hash: 1681AE31A01218CFDB14EFB4C855BEDB7B2AF89308F0085A9D509AB3A4DB799D45CF52
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2l
                                                                                                    • API String ID: 0-2574689970
                                                                                                    • Opcode ID: 41eb1a76ec5c2c1216906ef752915a9880414664690f50b8fb2b847dcb2dca68
                                                                                                    • Instruction ID: 51b7436c370478a5d253f6946e6c3cdeb39a4c338461bfa4b466c86af813e901
                                                                                                    • Opcode Fuzzy Hash: 41eb1a76ec5c2c1216906ef752915a9880414664690f50b8fb2b847dcb2dca68
                                                                                                    • Instruction Fuzzy Hash: 0E416F30A01218CFDB14EFB4C855BECB7B1AF89309F4085A9D409AB265DB799E44CF62
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: :@k
                                                                                                    • API String ID: 0-2277858631
                                                                                                    • Opcode ID: 0c393e3fbb10014c8331e75bc8cca09b21b96277daf93e6b7a7b2378a30efb0b
                                                                                                    • Instruction ID: 3f7624bde7bf29882384ee4cb60b9d81a16df0c7406065949f97220c23f3db6c
                                                                                                    • Opcode Fuzzy Hash: 0c393e3fbb10014c8331e75bc8cca09b21b96277daf93e6b7a7b2378a30efb0b
                                                                                                    • Instruction Fuzzy Hash: 2931BE31B002159FDB04BB78D8117BE33AA9B9820CF508929D505D77A9DF7DDD0ACBA2
                                                                                                    APIs
                                                                                                    • CloseHandle.KERNELBASE(?), ref: 0079ABF0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 2962429428-0
                                                                                                    • Opcode ID: a0d34df8ad5938c3a9d3537c8431bc4bf3eac043532f7d3471e58b658967a9a6
                                                                                                    • Instruction ID: 10f887857a73a8af59252eff5f9214b60e48f824611cdfe4352fb0b22b9311d1
                                                                                                    • Opcode Fuzzy Hash: a0d34df8ad5938c3a9d3537c8431bc4bf3eac043532f7d3471e58b658967a9a6
                                                                                                    • Instruction Fuzzy Hash: D121C27550A7C05FDB128B25DC95652BFB8AF07320F0984DBDD858F6A3D2659808C762
                                                                                                    APIs
                                                                                                    • CloseHandle.KERNELBASE(?), ref: 0079ABF0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2029305902.000000000079A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_79a000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 2962429428-0
                                                                                                    • Opcode ID: a3aba3c66333c558ff26e105368abf317d98985cd1792e868ad6cd37cf6c9c70
                                                                                                    • Instruction ID: f0dab7a97caa0e5133bb95cb4dd983dbbc60d970d52ac125254bb3889c3dbbcb
                                                                                                    • Opcode Fuzzy Hash: a3aba3c66333c558ff26e105368abf317d98985cd1792e868ad6cd37cf6c9c70
                                                                                                    • Instruction Fuzzy Hash: D701DF71A052049FDB10CF16E885766FBE8DF12321F18C4AADD098F642D379E808CAA3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dd283dec8554f2cc88628ed86ca4392e29f3ae36be13bfb601ab31a7822e33bd
                                                                                                    • Instruction ID: 3d8a8ce2da216d66f2567a27d9e5489e1af6af1ca89f6dde0657db798015627f
                                                                                                    • Opcode Fuzzy Hash: dd283dec8554f2cc88628ed86ca4392e29f3ae36be13bfb601ab31a7822e33bd
                                                                                                    • Instruction Fuzzy Hash: 3E11BC6544F7C69FD3039774AC65681BF706A63208B4E81CBD090CA1A7D25C5A1ACBA3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030331239.0000000000B20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_b20000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9ab67a12a24b27203193927cb2302f7d584ad03f0bbcae9debb8ad91d309838e
                                                                                                    • Instruction ID: 1932d96e4016b69d95a70328f4685a7f4c846f9dc088a3436d0a8b9dae622a7f
                                                                                                    • Opcode Fuzzy Hash: 9ab67a12a24b27203193927cb2302f7d584ad03f0bbcae9debb8ad91d309838e
                                                                                                    • Instruction Fuzzy Hash: 4701F9B55497806FC3118B16EC41893FFECDF8663070984ABEC898B722D135B908CBB2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e95d6722a7b4e4ef9298cf830f9fcec4fdf3f649f1bc4258ee20c2d0292e0e32
                                                                                                    • Instruction ID: 90be5988399ed0ec3372f611973bf2dbe194f50272d2ddc11cf6f18c017f383f
                                                                                                    • Opcode Fuzzy Hash: e95d6722a7b4e4ef9298cf830f9fcec4fdf3f649f1bc4258ee20c2d0292e0e32
                                                                                                    • Instruction Fuzzy Hash: BDF0C832A00304AFE704DA708C1279FBB76EB82714F14866AE1459B1C1DA355940C790
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030331239.0000000000B20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_b20000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 93d03e99083e441f1714d347c0551ce809b89bb56d7f05b794d42f74aa483d07
                                                                                                    • Instruction ID: bef61fc4680570602a865b77af859e27dfa8aa9886ef79fcfd9879a0a378e39a
                                                                                                    • Opcode Fuzzy Hash: 93d03e99083e441f1714d347c0551ce809b89bb56d7f05b794d42f74aa483d07
                                                                                                    • Instruction Fuzzy Hash: BFE092B66006044B9750CF0BFC41462F7D8EB84631718C47FDC0D8BB01D236F508CAA5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dcab018f82c3222d1dc88a9f67b77344ba7ab382a49273861902dced296efdf7
                                                                                                    • Instruction ID: 355843562091e5c56c5b4f70d0bbce77f661310db86295da9474e6fe951500fc
                                                                                                    • Opcode Fuzzy Hash: dcab018f82c3222d1dc88a9f67b77344ba7ab382a49273861902dced296efdf7
                                                                                                    • Instruction Fuzzy Hash: 5BE0C2311063548FC71A2B3460260883B75AB8330D39148EEC6418F36BDB3AA846C750
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2029286220.0000000000792000.00000040.00000800.00020000.00000000.sdmp, Offset: 00792000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_792000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ff95c5f9c6fc36238700698eb9b01726c32dbe9d5523951b0a8d082863542586
                                                                                                    • Instruction ID: a639faae19b752f8774ae067cc8886c7b483a35ddb2192f257ac3accf1fb68a1
                                                                                                    • Opcode Fuzzy Hash: ff95c5f9c6fc36238700698eb9b01726c32dbe9d5523951b0a8d082863542586
                                                                                                    • Instruction Fuzzy Hash: BCD05E793056C15FD716EA1CD1A4B9537D8AB61718F5A44F9A8008B773C76CDD82D600
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2029286220.0000000000792000.00000040.00000800.00020000.00000000.sdmp, Offset: 00792000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_792000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: aaaae0fa311ad4c86f859423541cf0c72a3bc5d13c222dab4552ca4420fbc387
                                                                                                    • Instruction ID: f66ea2a6e9a4f68b87593494adb0bca5972657c28482b094908c7b0ba04088ea
                                                                                                    • Opcode Fuzzy Hash: aaaae0fa311ad4c86f859423541cf0c72a3bc5d13c222dab4552ca4420fbc387
                                                                                                    • Instruction Fuzzy Hash: 85D05E342002815BCB15EA0CD6D4F5937D8AB50B14F1A44E8AC108B762C7ACD8C2CA00
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $:@k$:@k$:@k$:@k$:@k$:@k$\Ol$|tz$2l
                                                                                                    • API String ID: 0-3400554175
                                                                                                    • Opcode ID: b2a624ebb6501b124071b74e66bae60ec750126dc5384fda240f78d8ab623226
                                                                                                    • Instruction ID: 343838e0aea39e7df2eae4b7dc64ed3a24ebc39c5f5e472896280cf599d07cb1
                                                                                                    • Opcode Fuzzy Hash: b2a624ebb6501b124071b74e66bae60ec750126dc5384fda240f78d8ab623226
                                                                                                    • Instruction Fuzzy Hash: F9035F75A01128CFDB24EF34D854BA9B7B2FB48308F4081E9D909A73A4DB399E85CF41
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $:@k$:@k$:@k$:@k$:@k$:@k$\Ol$|tz$2l
                                                                                                    • API String ID: 0-3400554175
                                                                                                    • Opcode ID: 4bc98b16f0aa17599131863707fb11c5624a861deda434ed21d426bba97f554d
                                                                                                    • Instruction ID: bdad24e7921e9f2d85782962d223fb005d9bdb2ca486306e9c892803adcfc935
                                                                                                    • Opcode Fuzzy Hash: 4bc98b16f0aa17599131863707fb11c5624a861deda434ed21d426bba97f554d
                                                                                                    • Instruction Fuzzy Hash: 4E035F75A01128CFDB25EF34D864BA9B7B6FB48304F4081E9D909A73A4DB399E85CF41
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $:@k$:@k$:@k$:@k$:@k$\Ol$|tz$2l
                                                                                                    • API String ID: 0-1172436868
                                                                                                    • Opcode ID: 8876488c5d42cb39376bb405898ff0a9d55d1595dfd1ef5602d0ae167660968d
                                                                                                    • Instruction ID: 5113d2dd70381a5a37f7f347019933925db09fb61946ddce99c707b3b227e793
                                                                                                    • Opcode Fuzzy Hash: 8876488c5d42cb39376bb405898ff0a9d55d1595dfd1ef5602d0ae167660968d
                                                                                                    • Instruction Fuzzy Hash: BA034E75A01128CFDB25EF34D864BA9B7B6FB49304F4081E9D909A73A4DB399E84CF50
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $:@k$:@k$:@k$:@k$:@k$\Ol$|tz$2l
                                                                                                    • API String ID: 0-1172436868
                                                                                                    • Opcode ID: 844b33efb5221c36416e2c92006cf6cd9c6c8c2f488059c7ab9c0c8e0105f220
                                                                                                    • Instruction ID: 61127a853f045c387459801da1cdd619276ad74fdbc8928f3e338285abe7b493
                                                                                                    • Opcode Fuzzy Hash: 844b33efb5221c36416e2c92006cf6cd9c6c8c2f488059c7ab9c0c8e0105f220
                                                                                                    • Instruction Fuzzy Hash: 1EF24D75A01128CFDB25EF34D864BA9B7B6FB49304F4081E9D909A73A4DB399E84CF40
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $:@k$:@k$:@k$:@k$:@k$\Ol$|tz$2l
                                                                                                    • API String ID: 0-1172436868
                                                                                                    • Opcode ID: 95064ad1e90e3ad519ea8de7d2e1769fca057b3e55cc3af73d10eaaeafc303fa
                                                                                                    • Instruction ID: 58c9fb50542145f79a61f984acf48e89f7d38e311cdfea3b89f51acfa3e535b2
                                                                                                    • Opcode Fuzzy Hash: 95064ad1e90e3ad519ea8de7d2e1769fca057b3e55cc3af73d10eaaeafc303fa
                                                                                                    • Instruction Fuzzy Hash: B3F24D75A01128CFDB25EF24DC64BA9B7B2FB49304F0081E9D909A73A4DB399E84CF51
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $:@k$:@k$:@k$:@k$:@k$\Ol$|tz$2l
                                                                                                    • API String ID: 0-1172436868
                                                                                                    • Opcode ID: 7126d12f4c38aec99d59840f7dc5278f754ecbb6deaee75552e0a9fbd917221e
                                                                                                    • Instruction ID: 459582f396a4310bd8bd443e1be497d591c68c8b5bf3e363ce50cf883627cebd
                                                                                                    • Opcode Fuzzy Hash: 7126d12f4c38aec99d59840f7dc5278f754ecbb6deaee75552e0a9fbd917221e
                                                                                                    • Instruction Fuzzy Hash: 42F25D75A01128CFDB25EF34D864BA9B7B6FB49304F0081E9D909A73A4DB399E84CF51
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $:@k$:@k$:@k$:@k$:@k$\Ol$|tz$2l
                                                                                                    • API String ID: 0-1172436868
                                                                                                    • Opcode ID: 9ee610e9b0ed54017ca0bc1fc7e4cf332846765dbe0c025823d12aaab75cc2ee
                                                                                                    • Instruction ID: f92c2e3cd12a344d27f91f2d2cbb349983bcda76d31d85a1a227876d8b5570b5
                                                                                                    • Opcode Fuzzy Hash: 9ee610e9b0ed54017ca0bc1fc7e4cf332846765dbe0c025823d12aaab75cc2ee
                                                                                                    • Instruction Fuzzy Hash: F9F24C75A01128CFDB25EF34D864BA9B7B6FB49304F0081E9D909A73A4DB399E84CF51
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $:@k$:@k$:@k$:@k$:@k$\Ol$|tz$2l
                                                                                                    • API String ID: 0-1172436868
                                                                                                    • Opcode ID: de108733236ead4184e2c6507bebdcde26be04209c8c1ebf1e132119d10ce92e
                                                                                                    • Instruction ID: 893f60c008d702afea8927a851a892646a78a9f00ac934786861ec2aab915e47
                                                                                                    • Opcode Fuzzy Hash: de108733236ead4184e2c6507bebdcde26be04209c8c1ebf1e132119d10ce92e
                                                                                                    • Instruction Fuzzy Hash: 61F24D75A01128CFDB25EF34D864BA9B7B6FB49304F0081E9D909A73A4DB399E84CF51
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $:@k$:@k$:@k$:@k$:@k$\Ol$|tz$2l
                                                                                                    • API String ID: 0-1172436868
                                                                                                    • Opcode ID: b2c85969b68077b41c6c3f2c6d75793af5280235146aa2e58a5ca6eeb8d1a035
                                                                                                    • Instruction ID: a3e16630db3e35eae7ce69da8517545dd001cf5cdf86f99df4632a50ed4f8418
                                                                                                    • Opcode Fuzzy Hash: b2c85969b68077b41c6c3f2c6d75793af5280235146aa2e58a5ca6eeb8d1a035
                                                                                                    • Instruction Fuzzy Hash: 35E25D75A01128CFDB25EF34D864BA9B7B6FB49304F0081E9D909A73A4DB399E84CF51
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: :@k$:@k$:@k$:@k$:@k$\Ol$|tz$2l
                                                                                                    • API String ID: 0-2001336888
                                                                                                    • Opcode ID: ec25062ddff5706e190b831a5a3be4692890a2e6c501597d15d00d4301f53534
                                                                                                    • Instruction ID: 5eb660ee45cc6796e8b45cc1868d59dcbb93e3753ee1e18f46449bc47c911e77
                                                                                                    • Opcode Fuzzy Hash: ec25062ddff5706e190b831a5a3be4692890a2e6c501597d15d00d4301f53534
                                                                                                    • Instruction Fuzzy Hash: E5E25D75A01128CFDB25EF34D864BA9B7B6FB49304F4081E9D909A73A4DB399E85CF40
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2030622609.0000000004870000.00000040.00000800.00020000.00000000.sdmp, Offset: 04870000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_4870000_nKHN8rvjmN.jbxd

Execution Graph

Execution Coverage: 23.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 8.8%
Total number of Nodes: 114
Total number of Limit Nodes: 6
execution_graph (rendered call graph; only the API nodes are recoverable from the page text): LoadLibraryA, GetProcessWorkingSetSize, SetErrorMode, GetProcessTimes, CloseHandle, WaitForInputIdle, SendMessageTimeoutA, DuplicateHandle, CopyFileW, send, SetFileAttributesW, WSASocketW, shutdown, LookupPrivilegeValueW, DeleteFileW, AdjustTokenPrivileges, getaddrinfo, NtQuerySystemInformation, SetProcessWorkingSetSize, RegOpenKeyExW, RegCreateKeyExW, RegSetValueExW, select, RegQueryValueExW, K32EnumProcesses, ConvertStringSecurityDescriptorToSecurityDescriptorW, CreateFileW, ioctlsocket, SetFilePointer, WriteFile, GetUserNameW, WSAConnect, GetExitCodeProcess, MapViewOfFile, GetFileType, CreateMutexW
Strings
Memory Dump Source
• Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5720000_server.jbxd
APIs
• AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0155BC97
Memory Dump Source
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_155a000_server.jbxd
Similarity
• API ID: AdjustPrivilegesToken
• String ID:
• API String ID: 2874748243-0
APIs
• NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0155BE05
Memory Dump Source
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_155a000_server.jbxd
Similarity
• API ID: InformationQuerySystem
• String ID:
• API String ID: 3562636166-0
APIs
• AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0155BC97
Memory Dump Source
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_155a000_server.jbxd
Similarity
• API ID: AdjustPrivilegesToken
• String ID:
• API String ID: 2874748243-0
                                                                                                    • Opcode ID: 467db7214b136d7177e0da85d1a0118a51c69cbfeefab1d2e534bd70d63b3687
                                                                                                    • Instruction ID: 8413faf31d3c1266203fb37cb76558887c3987bd109ba97ad3fec261415dd65a
                                                                                                    • Opcode Fuzzy Hash: 467db7214b136d7177e0da85d1a0118a51c69cbfeefab1d2e534bd70d63b3687
                                                                                                    • Instruction Fuzzy Hash: 1911A0356006459FDB61CF55D885B66FBE4FF08220F08C4AAED468F652D731E418DF62
                                                                                                    APIs
                                                                                                    • GetUserNameW.ADVAPI32(?,00000E24,?,?), ref: 0155A77E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: NameUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 2645101109-0
                                                                                                    • Opcode ID: c003d3247e2fbcc5b68e8e90aff7ae6576c95483edbdbf0b8380a3c6f56fa683
                                                                                                    • Instruction ID: 3bbf37dfff3d01700aca982e754268ae722159bd403d2469870b851f0664e4f8
                                                                                                    • Opcode Fuzzy Hash: c003d3247e2fbcc5b68e8e90aff7ae6576c95483edbdbf0b8380a3c6f56fa683
                                                                                                    • Instruction Fuzzy Hash: 4901D671500200AFD310DF16CD46B66FBE8FB88A20F14815AEC089BB41D731F955CBE5
                                                                                                    APIs
                                                                                                    • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0155BE05
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InformationQuerySystem
                                                                                                    • String ID:
                                                                                                    • API String ID: 3562636166-0
                                                                                                    • Opcode ID: ba60a80ce1cf9fd5f028d9c9b98089832a20cd357c892fdae0d2be0177c30632
                                                                                                    • Instruction ID: 70837cbac644aa7e96d4fa1489edc010ba917c7dd7a8803e6c150a5dcc6d0e5a
                                                                                                    • Opcode Fuzzy Hash: ba60a80ce1cf9fd5f028d9c9b98089832a20cd357c892fdae0d2be0177c30632
                                                                                                    • Instruction Fuzzy Hash: 5801DB31500640DFDB618F45D888B25FBE0FF08220F08C49ADE490E612C371E418DF62

                                                                                                     Control-flow Graph
                                                                                                     • Basic blocks 57200b8-57201de (executed/not-executed colouring of the rendered graph not recoverable); call edges from 57200d0 to 15205e0, 1520606, 155a20c, 155a23a and from 57201d5 to 5723b10, 15205e0, 1520606, 57237f9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2l$2l$5]Dk^$E]Dk^
                                                                                                    • API String ID: 0-2875543434
                                                                                                    • Opcode ID: 40b3d55f5a29ca7e7d02a401634142ff0a4f2ec1309458aa05873691add7da2b
                                                                                                    • Instruction ID: 332ad4ca294ff8d64fa4923536bab3309956cd79583a991a9cce29e152fe6023
                                                                                                    • Opcode Fuzzy Hash: 40b3d55f5a29ca7e7d02a401634142ff0a4f2ec1309458aa05873691add7da2b
                                                                                                    • Instruction Fuzzy Hash: 1E3106317043559FC7159B75A821BAE3BA7BBC3218F0485ABD004CF791CB369C0997A2

                                                                                                     Control-flow Graph
                                                                                                     • Basic blocks 5720118-57201de (executed/not-executed colouring of the rendered graph not recoverable); call edges from 57201d5 to 5723b10, 15205e0, 1520606, 57237f9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2l$2l$5]Dk^$E]Dk^
                                                                                                    • API String ID: 0-2875543434
                                                                                                    • Opcode ID: f3901109feb56df30eba0163a0d4aa5d49ef9749bba51a8bb7a30b868b15d845
                                                                                                    • Instruction ID: f39c1480a6c5cb50e91b155f0fb1dc652e65d6574d9f722f7aa68d674ada2f23
                                                                                                    • Opcode Fuzzy Hash: f3901109feb56df30eba0163a0d4aa5d49ef9749bba51a8bb7a30b868b15d845
                                                                                                    • Instruction Fuzzy Hash: E511C1317042514FC765973574167EE27D6BBD721870458AFD005CF741CF668C09A7A3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: :@k$:@k
                                                                                                    • API String ID: 0-4032727010
                                                                                                    • Opcode ID: d93f2b3e1e364c8a79a1891cd24a277223266ea3d12263b6d8a15083e7011309
                                                                                                    • Instruction ID: 6e337a762121f7f61f577b242b6fc5057002b15b9584dfbbf404898a26dcb9fe
                                                                                                    • Opcode Fuzzy Hash: d93f2b3e1e364c8a79a1891cd24a277223266ea3d12263b6d8a15083e7011309
                                                                                                    • Instruction Fuzzy Hash: C0C26F34B002A5CBEB218B24E9117BA77B6FB59348F104067D85597784DB3ACD89FF22
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: :@k$:@k
                                                                                                    • API String ID: 0-4032727010
                                                                                                    • Opcode ID: 833b7be86891c63e2cda15ede5adae77a3f7ff105dfb46ff32c93c2dc2a8bc5f
                                                                                                    • Instruction ID: 2d2226008910e90784257093de447dc887f024d1bcf4b0408f398c2fdb28c4c5
                                                                                                    • Opcode Fuzzy Hash: 833b7be86891c63e2cda15ede5adae77a3f7ff105dfb46ff32c93c2dc2a8bc5f
                                                                                                    • Instruction Fuzzy Hash: DA92B1347042A49BDF218B24E9117BA37B7FBA9348F144067944697784CB3ACD89FF22
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: :@k$:@k
                                                                                                    • API String ID: 0-4032727010
                                                                                                    • Opcode ID: d32b25c743d94e9789471e87753851570698f5d21e70ce2cfd531631c52f2c8a
                                                                                                    • Instruction ID: 0ba7244cacb94b219e6d8fe1eee2a0229eca8450971bbbc1b76e1ea24cceade4
                                                                                                    • Opcode Fuzzy Hash: d32b25c743d94e9789471e87753851570698f5d21e70ce2cfd531631c52f2c8a
                                                                                                    • Instruction Fuzzy Hash: D892A1347042A49BDF218B24E9117BA77B7FBA9348F144067944697784CB3ACD89FF22
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: :@k$:@k
                                                                                                    • API String ID: 0-4032727010
                                                                                                    • Opcode ID: bbe22b6ec840d17752c4cdd6aa0f46bb41f11c4793d294a7e2a49448e9d1b475
                                                                                                    • Instruction ID: 29a89b129a14262528f2c4b46445641e4dbd1b21a97a3da248aa365e778be5b9
                                                                                                    • Opcode Fuzzy Hash: bbe22b6ec840d17752c4cdd6aa0f46bb41f11c4793d294a7e2a49448e9d1b475
                                                                                                    • Instruction Fuzzy Hash: 8192A1347042A49BDF218B24E9117BA77B7FBA9348F144067944697784CB3ACD89FF22

                                                                                                     Control-flow Graph
                                                                                                     • Basic blocks 57237f9-57241ed (executed/not-executed colouring of the rendered graph not recoverable); call edges from 5723bad to 5724290, 15205e0, 1520606, 572427f, from 5723cf1 to 57299a7, 57299b8, and from 5723e45-5723e61 to 572a2df
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: \Ol$2l
                                                                                                    • API String ID: 0-1312013075
                                                                                                    • Opcode ID: e09fc2d8119569aa0729295499d1c4dde88eaeb8ebee0482a1bb9281f6654be2
                                                                                                    • Instruction ID: 47d35883b6417c58e94115a5fc7d551d6207bfaab03d0ae7dddac462eeb7e75a
                                                                                                    • Opcode Fuzzy Hash: e09fc2d8119569aa0729295499d1c4dde88eaeb8ebee0482a1bb9281f6654be2
                                                                                                    • Instruction Fuzzy Hash: 22323634A00228CFDB24DF74D955BEDB7B2FB49304F0045AAD509AB2A4DB399D85DF50

                                                                                                     Control-flow Graph
                                                                                                     • Basic blocks 155b126-155b23b (executed/not-executed colouring of the rendered graph not recoverable); RegOpenKeyExW called from block 155b1ef-155b202
                                                                                                    APIs
                                                                                                    • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0155B1F5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Open
                                                                                                    • String ID:
                                                                                                    • API String ID: 71445658-0
                                                                                                    • Opcode ID: 2c6a87540b58403e56d6ce7bc7c002a9d1d4ea7f8bc083e173e7eef6838474c5
                                                                                                    • Instruction ID: e2368fafe4a03908ff82638dca83e0abc3cad4c85f84f6feedad59fd54bc0c60
                                                                                                    • Opcode Fuzzy Hash: 2c6a87540b58403e56d6ce7bc7c002a9d1d4ea7f8bc083e173e7eef6838474c5
                                                                                                    • Instruction Fuzzy Hash: 723192715097806FE7238B658C54BA6BFB8EF07210F0885DBE984CB5A3D224A94DC771

                                                                                                     Control-flow Graph
                                                                                                     • Basic blocks 5560006-5560113 (executed/not-executed colouring of the rendered graph not recoverable); RegCreateKeyExW called from block 55600c7-55600da
                                                                                                    APIs
                                                                                                    • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 055600CD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Create
                                                                                                    • String ID:
                                                                                                    • API String ID: 2289755597-0
                                                                                                    • Opcode ID: f14120c2fa366843c92f9aeaeb3d6fd3b606f178678ab00a35167046d562aebe
                                                                                                    • Instruction ID: 8e9d02b6b644c1228a929179a8e53281a2e5061e282afd8afde9d23dad070ae4
                                                                                                    • Opcode Fuzzy Hash: f14120c2fa366843c92f9aeaeb3d6fd3b606f178678ab00a35167046d562aebe
                                                                                                    • Instruction Fuzzy Hash: E731B271505344AFE7228B65CC44FA7BBECEF05224F08849AF985C7652E324E549CB71

                                                                                                     Control-flow Graph
                                                                                                     • Basic blocks 55616bb-55617a6 (executed/not-executed colouring of the rendered graph not recoverable); RegQueryValueExW called from block 5561732-556178a
                                                                                                    APIs
                                                                                                    • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 05561782
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 3660427363-0
                                                                                                    • Opcode ID: 54bd6b35626eaed56d5c8dd5d6527c9cfdf76bbaa025da87c616b80bb1c88cbf
                                                                                                    • Instruction ID: 0bdc670a6a4c5a6ce7f1cf72d0b8c0f29fa76c199bf9d1f1ac27269692c86ddf
                                                                                                    • Opcode Fuzzy Hash: 54bd6b35626eaed56d5c8dd5d6527c9cfdf76bbaa025da87c616b80bb1c88cbf
                                                                                                    • Instruction Fuzzy Hash: 8E319E6510E7C06FD3138B218C61A61BFB4EF47610B0E45CBE8C48F6A3D2296809D7B2
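The fingerprint entries above give, per function, the Windows API it calls, the memory dump region it was lifted from and an instruction fuzzy hash. The Python below is an added example, not part of the Joe Sandbox report: it parses entries in this text layout, builds an API inventory per dump region, and groups near-identical functions (such as the three `:@k$:@k` functions in region 05720000, whose hashes differ in only a few nibbles) by Hamming distance over the fuzzy hash. The sample text is copied from the entries in this section; the Hamming comparison and the distance threshold are assumptions made for this example, not Joe Sandbox's own similarity metric.

```python
"""Triage helper for Joe Sandbox function fingerprint entries (added example).

Parses "APIs / Source File / Instruction Fuzzy Hash" entries in the report's
text layout, builds a per-region API inventory and groups near-identical
functions by Hamming distance over the instruction fuzzy hash (a heuristic
assumed for this example, not Joe Sandbox's own similarity metric).
"""
import re

# Constructed sample: nine entries copied from this section of the report
# ("APIs" / "Memory Dump Source" headers dropped, bullets kept as rendered).
SAMPLE = """\
• AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0155BC97
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
• Instruction Fuzzy Hash: 1911A0356006459FDB61CF55D885B66FBE4FF08220F08C4AAED468F652D731E418DF62
• GetUserNameW.ADVAPI32(?,00000E24,?,?), ref: 0155A77E
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
• Instruction Fuzzy Hash: 4901D671500200AFD310DF16CD46B66FBE8FB88A20F14815AEC089BB41D731F955CBE5
• NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0155BE05
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
• Instruction Fuzzy Hash: 5801DB31500640DFDB618F45D888B25FBE0FF08220F08C49ADE490E612C371E418DF62
• String ID: :@k$:@k
• Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
• Instruction Fuzzy Hash: DA92B1347042A49BDF218B24E9117BA37B7FBA9348F144067944697784CB3ACD89FF22
• String ID: :@k$:@k
• Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
• Instruction Fuzzy Hash: D892A1347042A49BDF218B24E9117BA77B7FBA9348F144067944697784CB3ACD89FF22
• String ID: :@k$:@k
• Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
• Instruction Fuzzy Hash: 8192A1347042A49BDF218B24E9117BA77B7FBA9348F144067944697784CB3ACD89FF22
• RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0155B1F5
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
• Instruction Fuzzy Hash: 723192715097806FE7238B658C54BA6BFB8EF07210F0885DBE984CB5A3D224A94DC771
• RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 055600CD
• Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
• Instruction Fuzzy Hash: E731B271505344AFE7228B65CC44FA7BBECEF05224F08849AF985C7652E324E549CB71
• RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 05561782
• Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
• Instruction Fuzzy Hash: 8E319E6510E7C06FD3138B218C61A61BFB4EF47610B0E45CBE8C48F6A3D2296809D7B2
"""

API_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>[\w.]+)\(.*\), ref: (?P<ref>[0-9A-Fa-f]+)$")
OFFSET_RE = re.compile(r"^Source File: .*Offset: (?P<offset>[0-9A-Fa-f]+)")
HASH_RE = re.compile(r"^Instruction Fuzzy Hash: (?P<hash>[0-9A-F]+)$")


def parse_entries(text):
    """Split report text into entries; each entry ends at its fuzzy-hash line."""
    entries, cur = [], {"apis": [], "region": None, "fuzzy": None}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        api, off, fh = API_RE.match(line), OFFSET_RE.match(line), HASH_RE.match(line)
        if api:
            cur["apis"].append((api["api"], api["module"], api["ref"].upper()))
        elif off:
            cur["region"] = off["offset"].upper()
        elif fh:
            cur["fuzzy"] = fh["hash"]
            entries.append(cur)
            cur = {"apis": [], "region": None, "fuzzy": None}
    if cur["apis"] or cur["region"]:  # keep a trailing entry cut off before its hash
        entries.append(cur)
    return entries


def api_inventory(entries):
    """Region offset -> sorted distinct API names called from that region."""
    inv = {}
    for e in entries:
        inv.setdefault(e["region"], set()).update(api for api, _m, _r in e["apis"])
    return {region: sorted(apis) for region, apis in inv.items()}


def hamming(a, b):
    """Nibble-wise Hamming distance between two equal-length fuzzy hashes."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes differ in length")
    return sum(x != y for x, y in zip(a, b))


def cluster_by_fuzzy(entries, max_distance=6):
    """Greedy single-linkage grouping: an entry joins the first cluster holding a
    same-length hash within max_distance nibbles; hash-less entries are skipped."""
    clusters = []
    for e in (x for x in entries if x["fuzzy"]):
        for c in clusters:
            if any(len(o["fuzzy"]) == len(e["fuzzy"])
                   and hamming(o["fuzzy"], e["fuzzy"]) <= max_distance for o in c):
                c.append(e)
                break
        else:
            clusters.append([e])
    return clusters


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print(api_inventory(parsed))
    print([len(c) for c in cluster_by_fuzzy(parsed)])
```

On this sample the inventory separates the token/enumeration wrappers in region 0155A000 from the registry wrappers in 05560000, and the three string-only functions in 05720000 fall into one cluster (pairwise distances 2 to 4 nibbles) while every API wrapper stays alone; the threshold of 6 was picked by inspecting these hashes and would need re-tuning on another report.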

                                                                                                     Control-flow Graph
                                                                                                     • Basic blocks 55622e8-5562405 (executed/not-executed colouring of the rendered graph not recoverable); getaddrinfo called from block 55623a9-55623b1
                                                                                                    APIs
                                                                                                    • getaddrinfo.WS2_32(?,00000E24), ref: 055623AF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: getaddrinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 300660673-0
                                                                                                    • Opcode ID: abbc363c99885be58b07583e372689e44c20e84639fb2fc332b5709d875a7060
                                                                                                    • Instruction ID: fc4d4650316f09caac9f308d43a8602402b9cae2bdd8da60a151dffb5ff101df
                                                                                                    • Opcode Fuzzy Hash: abbc363c99885be58b07583e372689e44c20e84639fb2fc332b5709d875a7060
                                                                                                    • Instruction Fuzzy Hash: 4B31BFB1504344AFE721CF61DC84FAAFBACEB05314F04889AFA499B281D374A94DCB71

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 3550 155aa75-155aafe 3554 155ab00 3550->3554 3555 155ab03-155ab0f 3550->3555 3554->3555 3556 155ab14-155ab1d 3555->3556 3557 155ab11 3555->3557 3558 155ab1f-155ab43 CreateFileW 3556->3558 3559 155ab6e-155ab73 3556->3559 3557->3556 3562 155ab75-155ab7a 3558->3562 3563 155ab45-155ab6b 3558->3563 3559->3558 3562->3563
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0155AB25
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: c35d457f79d8cf7a7ee4cfbb55e121eca53389c0897b4740ea1867b7d50c3ac3
                                                                                                    • Instruction ID: 014b40f7f0ca00c27542d308088ce585b8a82f55f4bb1569502540269386f291
                                                                                                    • Opcode Fuzzy Hash: c35d457f79d8cf7a7ee4cfbb55e121eca53389c0897b4740ea1867b7d50c3ac3
                                                                                                    • Instruction Fuzzy Hash: A2316271505340AFE722CF65CC85F56BFF8FF05224F08899EE9858B652D365E848CB61

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 3566 55621e0-5562275 3571 5562277-556227f GetProcessTimes 3566->3571 3572 55622c2-55622c7 3566->3572 3573 5562285-5562297 3571->3573 3572->3571 3575 55622c9-55622ce 3573->3575 3576 5562299-55622bf 3573->3576 3575->3576
                                                                                                    APIs
                                                                                                    • GetProcessTimes.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 0556227D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ProcessTimes
                                                                                                    • String ID:
                                                                                                    • API String ID: 1995159646-0
                                                                                                    • Opcode ID: 3f7aa19bb1167fa5784ba50e4909497785ce69fd5d297247b35c510245d62a12
                                                                                                    • Instruction ID: 0ea25b3eb5900e89f380db1d51e748c27555e65e6e53773d8aedcfcce922e4fe
                                                                                                    • Opcode Fuzzy Hash: 3f7aa19bb1167fa5784ba50e4909497785ce69fd5d297247b35c510245d62a12
                                                                                                    • Instruction Fuzzy Hash: CF31F7755093806FD7128F61DC45FA6BFB8EF06324F08849BE984CB153D325A949C7B1

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 3612 5561bd4-5561c55 3616 5561c57 3612->3616 3617 5561c5a-5561c63 3612->3617 3616->3617 3618 5561c65-5561c6d ConvertStringSecurityDescriptorToSecurityDescriptorW 3617->3618 3619 5561cbb-5561cc0 3617->3619 3621 5561c73-5561c85 3618->3621 3619->3618 3622 5561c87-5561cb8 3621->3622 3623 5561cc2-5561cc7 3621->3623 3623->3622
                                                                                                    APIs
                                                                                                    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 05561C6B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DescriptorSecurity$ConvertString
                                                                                                    • String ID:
                                                                                                    • API String ID: 3907675253-0
                                                                                                    • Opcode ID: 1b1b317a37f4bbd7431de6bb87defc7896bbd7602236f993b170ec7d57c7d3bf
                                                                                                    • Instruction ID: 626de85d6f7c4f6979070a2abbc62ec6051d3bd831a273501ba5cbdec855bebd
                                                                                                    • Opcode Fuzzy Hash: 1b1b317a37f4bbd7431de6bb87defc7896bbd7602236f993b170ec7d57c7d3bf
                                                                                                    • Instruction Fuzzy Hash: 4831BF71504384AFE722CB65DC45FAABBF8EF05210F0884AAE945CB652D324E848CB61

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 3579 155af76-155aff9 3583 155affe-155b007 3579->3583 3584 155affb 3579->3584 3585 155b00c-155b015 3583->3585 3586 155b009 3583->3586 3584->3583 3587 155b017-155b03b CreateMutexW 3585->3587 3588 155b066-155b06b 3585->3588 3586->3585 3591 155b06d-155b072 3587->3591 3592 155b03d-155b063 3587->3592 3588->3587 3591->3592
                                                                                                    APIs
                                                                                                    • CreateMutexW.KERNELBASE(?,?), ref: 0155B01D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateMutex
                                                                                                    • String ID:
                                                                                                    • API String ID: 1964310414-0
                                                                                                    • Opcode ID: 38fc891e21ff39a7e2fdf184510d5c52f0db9408830b9539f09a403d332ff8e1
                                                                                                    • Instruction ID: 780abf6827889cafe90b7d00aa1751b7bbacc667c5780fb69f2573b3f8426690
                                                                                                    • Opcode Fuzzy Hash: 38fc891e21ff39a7e2fdf184510d5c52f0db9408830b9539f09a403d332ff8e1
                                                                                                    • Instruction Fuzzy Hash: 4C31A1715093805FE712CB65CC95B96BFF8EF06210F08849AE944CF292D365E908C762

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 3595 155b23d-155b2bb 3598 155b2c0-155b2c9 3595->3598 3599 155b2bd 3595->3599 3600 155b2ce-155b2d4 3598->3600 3601 155b2cb 3598->3601 3599->3598 3602 155b2d6 3600->3602 3603 155b2d9-155b2f0 3600->3603 3601->3600 3602->3603 3605 155b327-155b32c 3603->3605 3606 155b2f2-155b305 RegQueryValueExW 3603->3606 3605->3606 3607 155b307-155b324 3606->3607 3608 155b32e-155b333 3606->3608 3608->3607
                                                                                                    APIs
                                                                                                    • RegQueryValueExW.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 0155B2F8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 3660427363-0
                                                                                                    • Opcode ID: 9f858f658ceb476a6a39728d7397ad7f8599448957422b0e83dcf6a91299d8d4
                                                                                                    • Instruction ID: 3042fa263b4e2131723b61e3b4ed054e9e5c309218ad74f9d8bc1f817ce89c4b
                                                                                                    • Opcode Fuzzy Hash: 9f858f658ceb476a6a39728d7397ad7f8599448957422b0e83dcf6a91299d8d4
                                                                                                    • Instruction Fuzzy Hash: 9731CF711053846FE722CB65CC55FA6BFB8EF06214F08849BE985CB253D260E548CB71

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 3627 5560032-556008a 3630 556008f-556009b 3627->3630 3631 556008c 3627->3631 3632 55600a0-55600a9 3630->3632 3633 556009d 3630->3633 3631->3630 3634 55600ae-55600c5 3632->3634 3635 55600ab 3632->3635 3633->3632 3637 5560107-556010c 3634->3637 3638 55600c7-55600da RegCreateKeyExW 3634->3638 3635->3634 3637->3638 3639 556010e-5560113 3638->3639 3640 55600dc-5560104 3638->3640 3639->3640
                                                                                                    APIs
                                                                                                    • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 055600CD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Create
                                                                                                    • String ID:
                                                                                                    • API String ID: 2289755597-0
                                                                                                    • Opcode ID: a13b469d2bab9964d31a8a8a0296351ca8b4cf6fa37be532e016e0835bbbcfa2
                                                                                                    • Instruction ID: 8db06a21309b48c599222041aa9cceff60dff06da31dff0c6f0f2d9a64f5123e
                                                                                                    • Opcode Fuzzy Hash: a13b469d2bab9964d31a8a8a0296351ca8b4cf6fa37be532e016e0835bbbcfa2
                                                                                                    • Instruction Fuzzy Hash: C7217E72600644AFEB21DE65CD44FA7BBECFF08624F04855AE949C7692E720E5488A61

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 3649 55632d4-55632e9 3650 55632f3-5563363 3649->3650 3651 55632eb-55632f2 3649->3651 3655 5563365-556336d GetProcessWorkingSetSize 3650->3655 3656 55633b0-55633b5 3650->3656 3651->3650 3657 5563373-5563385 3655->3657 3656->3655 3659 55633b7-55633bc 3657->3659 3660 5563387-55633ad 3657->3660 3659->3660
                                                                                                    APIs
                                                                                                    • GetProcessWorkingSetSize.KERNEL32(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 0556336B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ProcessSizeWorking
                                                                                                    • String ID:
                                                                                                    • API String ID: 3584180929-0
                                                                                                    • Opcode ID: 91239a1b1bf81c98c9b51e64e9568ebe7c1169fd6a1bf508c083f797d3f42f2e
                                                                                                    • Instruction ID: 47d2079f7106101821027c0f9332d7d7d6aa5b9bd3367c14ee37d0d836b9b895
                                                                                                    • Opcode Fuzzy Hash: 91239a1b1bf81c98c9b51e64e9568ebe7c1169fd6a1bf508c083f797d3f42f2e
                                                                                                    • Instruction Fuzzy Hash: 4D21D5715093C45FD713CB64CC55B96BFB8AF46214F0884DBE9498F293D325A948CB72

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 3645 155a6ce-155a72b 3646 155a72e-155a786 GetUserNameW 3645->3646 3648 155a78c-155a7a2 3646->3648
                                                                                                    APIs
                                                                                                    • GetUserNameW.ADVAPI32(?,00000E24,?,?), ref: 0155A77E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: NameUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 2645101109-0
                                                                                                    • Opcode ID: f370af4b3f642cc8b7e792040425e859105891edc57f430f81bb0a1d18d13355
                                                                                                    • Instruction ID: 3540b36b2e623a3b4ea026829c86f3f8ba285007b868349988f96b7fcd9f1424
                                                                                                    • Opcode Fuzzy Hash: f370af4b3f642cc8b7e792040425e859105891edc57f430f81bb0a1d18d13355
                                                                                                    • Instruction Fuzzy Hash: 9531807544D3C06FD3138B659C61BA1BFB4EF87610F0A80CBE884CB6A3D2296819D772
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: :@k
                                                                                                    • API String ID: 0-2277858631
                                                                                                    • Opcode ID: cf5c2d2e3d9352256242e970136823f6e7fc10cd8d3a295bffb408e023d31197
                                                                                                    • Instruction ID: 7aa4aa7ea4c7c08dd95dd4abe8128a1cf43837ece3068f31cbc367a2a60d1060
                                                                                                    • Opcode Fuzzy Hash: cf5c2d2e3d9352256242e970136823f6e7fc10cd8d3a295bffb408e023d31197
                                                                                                    • Instruction Fuzzy Hash: 48D17D35A00215DFCB18DFB4E9519AE77B2FF8A344B14812AE412973A4DF3A9C49EF50
                                                                                                    APIs
                                                                                                    • RegSetValueExW.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 055601C4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Value
                                                                                                    • String ID:
                                                                                                    • API String ID: 3702945584-0
                                                                                                    • Opcode ID: 0f31b852f5ab924588ec01370a03908a9229458065b24204326c8ee99fb98512
                                                                                                    • Instruction ID: 0b5b62e197eea0d7b12eb78929465443aec69a05d717f2c009cbda722caf5d5b
                                                                                                    • Opcode Fuzzy Hash: 0f31b852f5ab924588ec01370a03908a9229458065b24204326c8ee99fb98512
                                                                                                    • Instruction Fuzzy Hash: 4F31D7715097C05FD7228B658C55B93FFB8EF06310F0885CFE9858B5A3D365A449C761
                                                                                                    APIs
                                                                                                    • getaddrinfo.WS2_32(?,00000E24), ref: 055623AF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: getaddrinfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 300660673-0
                                                                                                    • Opcode ID: dca7aaa31ebc0cd1c0bcdafb3fe0aacf1ff394716eef3eaf75ffae8396f57744
                                                                                                    • Instruction ID: f4d76b7aa07fd65f787f5f256f7ce1b2995f3619d335ace9219890dc6097242f
                                                                                                    • Opcode Fuzzy Hash: dca7aaa31ebc0cd1c0bcdafb3fe0aacf1ff394716eef3eaf75ffae8396f57744
                                                                                                    • Instruction Fuzzy Hash: 2B21F171200204AEEB20DF60CD84FAAF7ACEF04314F04885AFA48DB280D775E54D8BB2
APIs
• GetExitCodeProcess.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 05560A40
Memory Dump Source
• Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5560000_server.jbxd
Similarity
• API ID: CodeExitProcess
• String ID:
• API String ID: 3861947596-0
APIs
• SendMessageTimeoutA.USER32(?,00000E24), ref: 0155B4D5
Memory Dump Source
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_155a000_server.jbxd
Similarity
• API ID: MessageSendTimeout
• String ID:
• API String ID: 1599653421-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5560000_server.jbxd
Similarity
• API ID: select
• String ID:
• API String ID: 1274211008-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5560000_server.jbxd
Similarity
• API ID: FileView
• String ID:
• API String ID: 3314676101-0
APIs
• WSASocketW.WS2_32(?,?,?,?,?), ref: 0556183A
Memory Dump Source
• Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5560000_server.jbxd
Similarity
• API ID: Socket
• String ID:
• API String ID: 38366605-0
APIs
• RegSetValueExW.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 0155B3E4
Memory Dump Source
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_155a000_server.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
APIs
• ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 05561C6B
Memory Dump Source
• Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5560000_server.jbxd
Similarity
• API ID: DescriptorSecurity$ConvertString
• String ID:
• API String ID: 3907675253-0
APIs
• RegQueryValueExW.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 05561B80
Memory Dump Source
• Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5560000_server.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
APIs
• K32EnumProcesses.KERNEL32(?,?,?,A0E9077E,00000000,?,?,?,?,?,?,?,?,6C9C3C58), ref: 0155BF7E
Memory Dump Source
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_155a000_server.jbxd
Similarity
• API ID: EnumProcesses
• String ID:
• API String ID: 84517404-0
APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0155AB25
Memory Dump Source
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_155a000_server.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0155B1F5
Memory Dump Source
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_155a000_server.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
APIs
• SetProcessWorkingSetSize.KERNEL32(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 0556344F
Memory Dump Source
• Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5560000_server.jbxd
Similarity
• API ID: ProcessSizeWorking
• String ID:
• API String ID: 3584180929-0
APIs
• WriteFile.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 0155AE4D
Memory Dump Source
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_155a000_server.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• GetFileType.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 0155ACBD
Memory Dump Source
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_155a000_server.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
APIs
• SetErrorMode.KERNELBASE(?), ref: 0155AA44
Memory Dump Source
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_155a000_server.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
• shutdown.WS2_32(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 055620A4
Memory Dump Source
• Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5560000_server.jbxd
Similarity
• API ID: shutdown
• String ID:
• API String ID: 2510479042-0
                                                                                                    • Opcode ID: 428a78958f4d838dee8ca17fe0bb3da913183a80f09cf72a3e211e45059d6840
                                                                                                    • Instruction ID: 1ef064d5a0f6d6b280fc2e3a81751383ff0c1f3cf30a100e0cb2a5ebefdb1102
                                                                                                    • Opcode Fuzzy Hash: 428a78958f4d838dee8ca17fe0bb3da913183a80f09cf72a3e211e45059d6840
                                                                                                    • Instruction Fuzzy Hash: 5021C571509384AFD712CB54CC44B96FFB8EF46224F0884DBE984DB152C364A548CB62
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: send
                                                                                                    • String ID:
                                                                                                    • API String ID: 2809346765-0
                                                                                                    • Opcode ID: 3cfe6f358d04b8c70eaf158457ae3832d8693845be189836d362b5611d81a54b
                                                                                                    • Instruction ID: dedd4240e8cc50c8f9fb1cd2febbe8f05e0a8aa2c3610d8f3f7acaa7ead18f48
                                                                                                    • Opcode Fuzzy Hash: 3cfe6f358d04b8c70eaf158457ae3832d8693845be189836d362b5611d81a54b
                                                                                                    • Instruction Fuzzy Hash: 7F21AC7150D3C09FDB138B609C94A56BFB0EF47220F0985DBDD858F5A3C269A819DB72
                                                                                                    APIs
                                                                                                    • CreateMutexW.KERNELBASE(?,?), ref: 0155B01D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateMutex
                                                                                                    • String ID:
                                                                                                    • API String ID: 1964310414-0
                                                                                                    • Opcode ID: 86eea783f1b36a26cc076cfe427ae6efb832a966aa63aae579dca252e51866cb
                                                                                                    • Instruction ID: 85b6dcf629222e9462ff3c979f1b6323856da43b9f0e33b34b96c475c0934a6e
                                                                                                    • Opcode Fuzzy Hash: 86eea783f1b36a26cc076cfe427ae6efb832a966aa63aae579dca252e51866cb
                                                                                                    • Instruction Fuzzy Hash: 9421B0716002409FE720CF69CD55BA6FBE8EF04224F04846AED48CF651D371E408CB72
                                                                                                    APIs
                                                                                                    • SetFilePointer.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 055604BE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FilePointer
                                                                                                    • String ID:
                                                                                                    • API String ID: 973152223-0
                                                                                                    • Opcode ID: c01a2f33efc91f462628db26dc108d9e570a01a08f9e08699eaf28820fb8461f
                                                                                                    • Instruction ID: 0e7a10cd271f99ebc11b42552761f1f39282e3e785c8ebd2bee61d16e086a0bf
                                                                                                    • Opcode Fuzzy Hash: c01a2f33efc91f462628db26dc108d9e570a01a08f9e08699eaf28820fb8461f
                                                                                                    • Instruction Fuzzy Hash: FE21A171505384AFD722CF55DC84FA7FFB8EF46324F08849AE9458B252C365A548CB72
                                                                                                    APIs
                                                                                                    • ioctlsocket.WS2_32(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 055631BB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ioctlsocket
                                                                                                    • String ID:
                                                                                                    • API String ID: 3577187118-0
                                                                                                    • Opcode ID: ff51cf42426e21ea7d5fe35b7bfdd62712ce74a18b621240d3c6ed8365a48212
                                                                                                    • Instruction ID: 4ec5a7e281f20e4fe94b0fc9602aaed6e4f280f95e931633ac95950533b22555
                                                                                                    • Opcode Fuzzy Hash: ff51cf42426e21ea7d5fe35b7bfdd62712ce74a18b621240d3c6ed8365a48212
                                                                                                    • Instruction Fuzzy Hash: 9021A1715093846FD722CB55CC85FA6BFB8EF46214F08849BE9489B252C374A548CBB2
                                                                                                    APIs
                                                                                                    • RegQueryValueExW.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 0155B2F8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 3660427363-0
                                                                                                    • Opcode ID: eab1ff84c2d6f7e35757f22b0b9936553d64f68adb166028fdbb0179df7780e2
                                                                                                    • Instruction ID: c35fb11d1bcfb23c259069829fd674d627307680689a8009955637fd918359a4
                                                                                                    • Opcode Fuzzy Hash: eab1ff84c2d6f7e35757f22b0b9936553d64f68adb166028fdbb0179df7780e2
                                                                                                    • Instruction Fuzzy Hash: EB21C075600204AFEB61CF59CC89FAAFBECEF04610F08845AED45CB652D360E548CA72
                                                                                                    APIs
                                                                                                    • CopyFileW.KERNELBASE(?,?,?), ref: 0155B78E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CopyFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 1304948518-0
                                                                                                    • Opcode ID: 4f13401cc7b3b46a6645ad13e36ab46572eb1400d3bac961533bc9e4ac18f92d
                                                                                                    • Instruction ID: d24c55141ee6e49e0862848afc39e2b6c5cf78eb871c6aa03b7d37b70751df11
                                                                                                    • Opcode Fuzzy Hash: 4f13401cc7b3b46a6645ad13e36ab46572eb1400d3bac961533bc9e4ac18f92d
                                                                                                    • Instruction Fuzzy Hash: 86216D716093809FEB628F29DC54B66BFE8EF46210F08849BED85CB252D225E804DB61
                                                                                                    APIs
                                                                                                    • DeleteFileW.KERNELBASE(?), ref: 0155B908
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DeleteFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 4033686569-0
                                                                                                    • Opcode ID: 4f166a73ef6e01e09cf2ef89b537cad672bc1c460d1ff057b243935cffdb1ab6
                                                                                                    • Instruction ID: c45742dfce58e96f0318be0ddea8e6b6c9aaa823f4c2e0d074ce695f0c4d9f25
                                                                                                    • Opcode Fuzzy Hash: 4f166a73ef6e01e09cf2ef89b537cad672bc1c460d1ff057b243935cffdb1ab6
                                                                                                    • Instruction Fuzzy Hash: 0F21C3B65093809FD752CB25DC55B52BFB8EF06324F0984DBED85CF193D264A908CB62
                                                                                                    APIs
                                                                                                    • WSASocketW.WS2_32(?,?,?,?,?), ref: 0556183A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Socket
                                                                                                    • String ID:
                                                                                                    • API String ID: 38366605-0
                                                                                                    • Opcode ID: 6d5bb9f960cac1a16a15cddf59377d1acba10c7df7e82bb062f13680259d9d28
                                                                                                    • Instruction ID: 2435085977eb969d00d0a474bbbb11985ef2971c2ffeb5256b2b1a3f52ae73f0
                                                                                                    • Opcode Fuzzy Hash: 6d5bb9f960cac1a16a15cddf59377d1acba10c7df7e82bb062f13680259d9d28
                                                                                                    • Instruction Fuzzy Hash: 1C21BE71504640AFEB21CF95CD45BA6FBE8EF09324F04885AE9458B691C376E408CBA2
                                                                                                    APIs
                                                                                                    • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05562536
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Connect
                                                                                                    • String ID:
                                                                                                    • API String ID: 3144859779-0
                                                                                                    • Opcode ID: 4753088886044e944fc24e632766deca34c29f900e24f2a8b531eaf2a33edffd
                                                                                                    • Instruction ID: 8bdb24e592ab90303fcb2f6a2f63e90f5819e6c93a7c9a7174762f858432045e
                                                                                                    • Opcode Fuzzy Hash: 4753088886044e944fc24e632766deca34c29f900e24f2a8b531eaf2a33edffd
                                                                                                    • Instruction Fuzzy Hash: 5C218E75509384AFDB22CF61DC44B62BFF4FF06210F08849AED858B562D335A818DB62
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileView
                                                                                                    • String ID:
                                                                                                    • API String ID: 3314676101-0
                                                                                                    • Opcode ID: ef310610f0772a3195c1890538c2f2f91b894426b4b8f5902c4a1b3cf349c763
                                                                                                    • Instruction ID: 8c973d0e2056d3ec4afece5b5bbe8b34d52890060b8f1adaa36e1fb825a5bbde
                                                                                                    • Opcode Fuzzy Hash: ef310610f0772a3195c1890538c2f2f91b894426b4b8f5902c4a1b3cf349c763
                                                                                                    • Instruction Fuzzy Hash: E721C371500640AFEB21CF55CD85FA6FBE8EF09324F04885EE9498B651D375E548CBB2
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNELBASE(?,00000E24), ref: 055627FF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad
                                                                                                    • String ID:
                                                                                                    • API String ID: 1029625771-0
                                                                                                    • Opcode ID: 4c6332348e731cd415c21b645bc493cd076d74b6abb1f2a10f4ed5b7e2aa5d51
                                                                                                    • Instruction ID: 2e61abb42a9b53a4cd7522eeead31c8eb213d852e99e3b062b7797a3113907cd
                                                                                                    • Opcode Fuzzy Hash: 4c6332348e731cd415c21b645bc493cd076d74b6abb1f2a10f4ed5b7e2aa5d51
                                                                                                    • Instruction Fuzzy Hash: 6F11D6715053806FE721CB55DC85FA6FFB8EF45720F08809AF9489B292D364A948CBA6
                                                                                                    APIs
                                                                                                    • SendMessageTimeoutA.USER32(?,00000E24), ref: 0155B4D5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSendTimeout
                                                                                                    • String ID:
                                                                                                    • API String ID: 1599653421-0
                                                                                                    • Opcode ID: 2610b199eab232d009f49c4973b15cc29714a62a26ca30971e2bae89295d2905
                                                                                                    • Instruction ID: 89406d10eb9b93998d7fc1828a2b24b9425013054dd2279a505940f904132cc8
                                                                                                    • Opcode Fuzzy Hash: 2610b199eab232d009f49c4973b15cc29714a62a26ca30971e2bae89295d2905
                                                                                                    • Instruction Fuzzy Hash: 6721DF71500600AFEB318F55CC44FA6FBE8EF04714F14885AEE898A691D375E548CBB2
                                                                                                    APIs
                                                                                                    • RegQueryValueExW.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 05561B80
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 3660427363-0
                                                                                                    • Opcode ID: acec49b9d0af7ab8a08b0b7a590cd278dc92756b6aa7e7748120d7d9252ed70c
                                                                                                    • Instruction ID: 81519a538251b1aa7b3de5699073e6d99904698280e5c75f75c64b70e8e163d3
                                                                                                    • Opcode Fuzzy Hash: acec49b9d0af7ab8a08b0b7a590cd278dc92756b6aa7e7748120d7d9252ed70c
                                                                                                    • Instruction Fuzzy Hash: 9711AC72600640AFEB21CF55CC81FA6F7E8FF44620F08845AE9458B661E760E548CBB6
                                                                                                    APIs
                                                                                                    • SetFileAttributesW.KERNELBASE(?,?), ref: 0155B9BF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AttributesFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 3188754299-0
                                                                                                    • Opcode ID: da3101f35267b1fda46fea0001b3cf252ce2ab67e85e7456f473857cfc6983fd
                                                                                                    • Instruction ID: dc1d1fade57775e52301489ab44e9f4f6e9bc291c693c8e35bf7cae3f0714c4e
                                                                                                    • Opcode Fuzzy Hash: da3101f35267b1fda46fea0001b3cf252ce2ab67e85e7456f473857cfc6983fd
                                                                                                    • Instruction Fuzzy Hash: BD21A1715093809FD7128B25CC95B56BFF8EF06220F0984DBDD45CF263D224A844CB62
                                                                                                    APIs
                                                                                                    • RegSetValueExW.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 0155B3E4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Value
                                                                                                    • String ID:
                                                                                                    • API String ID: 3702945584-0
                                                                                                    APIs
                                                                                                    • GetProcessTimes.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 0556227D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ProcessTimes
                                                                                                    • String ID:
                                                                                                    • API String ID: 1995159646-0
                                                                                                    APIs
                                                                                                    • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0155BB16
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LookupPrivilegeValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 3899507212-0
                                                                                                    APIs
                                                                                                    • GetProcessWorkingSetSize.KERNEL32(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 0556336B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ProcessSizeWorking
                                                                                                    • String ID:
                                                                                                    • API String ID: 3584180929-0
                                                                                                    APIs
                                                                                                    • SetProcessWorkingSetSize.KERNEL32(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 0556344F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ProcessSizeWorking
                                                                                                    • String ID:
                                                                                                    • API String ID: 3584180929-0
                                                                                                    APIs
                                                                                                    • RegSetValueExW.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 055601C4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Value
                                                                                                    • String ID:
                                                                                                    • API String ID: 3702945584-0
                                                                                                    APIs
                                                                                                    • GetExitCodeProcess.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 05560A40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CodeExitProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 3861947596-0
                                                                                                    APIs
                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0155A5DE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DuplicateHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 3793708945-0
                                                                                                    APIs
                                                                                                    • WriteFile.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 0155AE4D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3934441357-0
                                                                                                    APIs
                                                                                                    • SetFilePointer.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 055604BE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FilePointer
                                                                                                    • String ID:
                                                                                                    • API String ID: 973152223-0
                                                                                                    APIs
                                                                                                    • ioctlsocket.WS2_32(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 055631BB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ioctlsocket
                                                                                                    • String ID:
                                                                                                    • API String ID: 3577187118-0
                                                                                                    APIs
                                                                                                    • shutdown.WS2_32(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 055620A4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: shutdown
                                                                                                    • String ID:
                                                                                                    • API String ID: 2510479042-0
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNELBASE(?,00000E24), ref: 055627FF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad
                                                                                                    • String ID:
                                                                                                    • API String ID: 1029625771-0
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: select
                                                                                                    • String ID:
                                                                                                    • API String ID: 1274211008-0
                                                                                                    APIs
                                                                                                    • CopyFileW.KERNELBASE(?,?,?), ref: 0155B78E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CopyFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 1304948518-0
                                                                                                    APIs
                                                                                                    • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0155BB16
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LookupPrivilegeValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 3899507212-0
                                                                                                    • Opcode ID: f4db15af20b0e42d8478e18cb9237eff404aed10cfa29ad02d0baaa9405263b3
                                                                                                    • Instruction ID: 622331674507c6fa592195976b014251ebb28052c2abfc6a08479176b396a7c0
                                                                                                    • Opcode Fuzzy Hash: f4db15af20b0e42d8478e18cb9237eff404aed10cfa29ad02d0baaa9405263b3
                                                                                                    • Instruction Fuzzy Hash: 561182716002448FDB60CF69D899766FBE8EF15220F08846BDD09CF646D270E504CA62
                                                                                                    APIs
                                                                                                    • GetFileType.KERNELBASE(?,00000E24,A0E9077E,00000000,00000000,00000000,00000000), ref: 0155ACBD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileType
                                                                                                    • String ID:
                                                                                                    • API String ID: 3081899298-0
                                                                                                    • Opcode ID: d2e760c9f9a56d4795f39ad46c0aedd82206d250ed8bc8b20417290f008938a7
                                                                                                    • Instruction ID: 60a13a411cb56a5bcbe54f409eb9fff46b4337badd04452855b7789638c914f6
                                                                                                    • Opcode Fuzzy Hash: d2e760c9f9a56d4795f39ad46c0aedd82206d250ed8bc8b20417290f008938a7
                                                                                                    • Instruction Fuzzy Hash: AA01D271600204AFE761CB15DD95BA6F7E8EF45624F08C197FE088F742D374E5488AB6
                                                                                                    APIs
                                                                                                    • WaitForInputIdle.USER32(?,?), ref: 0155B6D3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: IdleInputWait
                                                                                                    • String ID:
                                                                                                    • API String ID: 2200289081-0
                                                                                                    • Opcode ID: 3e0ee49bbe0a776a81f70373f6ee9185bbfc7a9890b1c74f8cedbd2d9e0d1b9a
                                                                                                    • Instruction ID: 47a8299781044ea3bde51d82cdf18e49a6f6e418f603deb25810909c2a16d3df
                                                                                                    • Opcode Fuzzy Hash: 3e0ee49bbe0a776a81f70373f6ee9185bbfc7a9890b1c74f8cedbd2d9e0d1b9a
                                                                                                    • Instruction Fuzzy Hash: F0119E715093849FDB12CF65DC89B56FFE4EF46320F09849BED458F262D275A808CB62
                                                                                                    APIs
                                                                                                    • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05562536
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Connect
                                                                                                    • String ID:
                                                                                                    • API String ID: 3144859779-0
                                                                                                    • Opcode ID: 122b162a2a32842f9683f482f221ecadb72e6bdc5a7bc0db9cd6f6864d0dbb7d
                                                                                                    • Instruction ID: 7733a458372ed923d1cc48f9a747050014762425fcf3015ca524b6787a9d337f
                                                                                                    • Opcode Fuzzy Hash: 122b162a2a32842f9683f482f221ecadb72e6bdc5a7bc0db9cd6f6864d0dbb7d
                                                                                                    • Instruction Fuzzy Hash: 39119A355002449FDB21CF55D884B62FBE5FF19220F0888AAED468B622D331E458CF62
                                                                                                    APIs
                                                                                                    • K32EnumProcesses.KERNEL32(?,?,?,A0E9077E,00000000,?,?,?,?,?,?,?,?,6C9C3C58), ref: 0155BF7E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EnumProcesses
                                                                                                    • String ID:
                                                                                                    • API String ID: 84517404-0
                                                                                                    • Opcode ID: 4152ef896cf8e120e1c463353827e80ffd36a195c932b171b334ef1a8a87ad44
                                                                                                    • Instruction ID: d580ec46f78d7837fc396e46262268de95d87dc360e34998711519957d173cf1
                                                                                                    • Opcode Fuzzy Hash: 4152ef896cf8e120e1c463353827e80ffd36a195c932b171b334ef1a8a87ad44
                                                                                                    • Instruction Fuzzy Hash: 1E118B716002048FDB50CF69D889B66FBE8EF05220F0884ABED498F652D332E448CF62
                                                                                                    APIs
                                                                                                    • SetFileAttributesW.KERNELBASE(?,?), ref: 0155B9BF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AttributesFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 3188754299-0
                                                                                                    • Opcode ID: c19a32a4104f1ac5a71595c71426afd68bd4b37efe77d6f29ad5a44b9d6dc483
                                                                                                    • Instruction ID: 07c9590e8013290c437f4810ff71f8180f3d8cfe4ec3470b0351e01a5a39e808
                                                                                                    • Opcode Fuzzy Hash: c19a32a4104f1ac5a71595c71426afd68bd4b37efe77d6f29ad5a44b9d6dc483
                                                                                                    • Instruction Fuzzy Hash: 710180716052449FEB51CF2AD889766FBF8EF05220F0884ABDD45CF752D375E444CA62
                                                                                                    APIs
                                                                                                    • DeleteFileW.KERNELBASE(?), ref: 0155B908
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DeleteFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 4033686569-0
                                                                                                    • Opcode ID: 79de35693b45580d8b5a181003263e11a4f267f0fe700ab6b52b4e99b20775a9
                                                                                                    • Instruction ID: 0613964b0d3c0ac18bf5c4dd81c99bd19ed483e1e49961869c47d30773202b3c
                                                                                                    • Opcode Fuzzy Hash: 79de35693b45580d8b5a181003263e11a4f267f0fe700ab6b52b4e99b20775a9
                                                                                                    • Instruction Fuzzy Hash: C9019E71A042448FEB50CF69D889766FBE8EF05220F0884ABDD09CF742D375E404CA62
                                                                                                    APIs
                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0155A5DE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DuplicateHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 3793708945-0
                                                                                                    • Opcode ID: abb707aabe9c257756223f0e542ac8d84e6c2c06c696a2827b373113b57550e6
                                                                                                    • Instruction ID: 0f2b7531e162a63b24fdeeb4a444384cf319953a8bc41f179f436c0fe665e503
                                                                                                    • Opcode Fuzzy Hash: abb707aabe9c257756223f0e542ac8d84e6c2c06c696a2827b373113b57550e6
                                                                                                    • Instruction Fuzzy Hash: 02018B729006009FDB618F95D844B56FFE0EF48324F08899ADE494B612C332E418DF62
                                                                                                    APIs
                                                                                                    • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 05561782
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453294967.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5560000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 3660427363-0
                                                                                                    • Opcode ID: 16b1f030ac9d7e6b363b0eac3ce23674a22eccfb6c030e864aad21ea987b4f14
                                                                                                    • Instruction ID: 0a42e215b8718798bc2c34c541e7d05a43ca72d18f7bb4dcb8c59799823d5417
                                                                                                    • Opcode Fuzzy Hash: 16b1f030ac9d7e6b363b0eac3ce23674a22eccfb6c030e864aad21ea987b4f14
                                                                                                    • Instruction Fuzzy Hash: 0C01A271500200ABD210DF16CD46B66FBE8FB88A20F14811AEC089BB41D771F955CBE5
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: send
                                                                                                    • String ID:
                                                                                                    • API String ID: 2809346765-0
                                                                                                    • Opcode ID: 05628bdc7e030351154623ae91914d592854d16677c5fd433731fda9f95b946b
                                                                                                    • Instruction ID: a4903d2d8800346c858619e0b2e2c68ac070ff857e7127bcf1102ba57336ca5a
                                                                                                    • Opcode Fuzzy Hash: 05628bdc7e030351154623ae91914d592854d16677c5fd433731fda9f95b946b
                                                                                                    • Instruction Fuzzy Hash: 1401C8329042409FDB61CF58D884B66FBE0FF09360F0888AADD498F612C375E008CBA2
                                                                                                    APIs
                                                                                                    • WaitForInputIdle.USER32(?,?), ref: 0155B6D3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: IdleInputWait
                                                                                                    • String ID:
                                                                                                    • API String ID: 2200289081-0
                                                                                                    • Opcode ID: fd724bdc432a11f82d1ac14a1aae32b5c3a45b590de3740d8be5d62643ed440c
                                                                                                    • Instruction ID: 21e88c569e45d07ca26f8f3d564baaad9fc514c50a6df786ebfbf1e1fa4c3c88
                                                                                                    • Opcode Fuzzy Hash: fd724bdc432a11f82d1ac14a1aae32b5c3a45b590de3740d8be5d62643ed440c
                                                                                                    • Instruction Fuzzy Hash: 3501B8319042049FEB50CF55D889B6AFBE4EF09220F0888ABDD088F252D375E408CEA2
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNELBASE(?), ref: 0155AA44
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_155a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode
                                                                                                    • String ID:
                                                                                                    • API String ID: 2340568224-0
                                                                                                    • Opcode ID: d326d71b55badf5e9c939122151c9bd095b39c365e9dd31dba19e7ac5b8a9c1a
                                                                                                    • Instruction ID: 9dc41d61e0c2f9b3700e9efa1d8e56fafa43ccb21c1df4d4dbadb37b8c3eabe5
                                                                                                    • Opcode Fuzzy Hash: d326d71b55badf5e9c939122151c9bd095b39c365e9dd31dba19e7ac5b8a9c1a
                                                                                                    • Instruction Fuzzy Hash: A4F0F9319002409FDB618F09DA84B65FBE0EF49624F08C09BDD080F752C2B9E508CEA2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: :@k
                                                                                                    • API String ID: 0-2277858631
                                                                                                    • Opcode ID: 23e337377dc8f561a69f9e0b17b536c78b6a5a715d0522e0daedccaf4bee0309
                                                                                                    • Instruction ID: c5bc8aafddaa86f0dc7fa9e4860395e73467193db5a074c3d8e80eff0d477e98
                                                                                                    • Opcode Fuzzy Hash: 23e337377dc8f561a69f9e0b17b536c78b6a5a715d0522e0daedccaf4bee0309
                                                                                                    • Instruction Fuzzy Hash: EAB17C35B00215DFCB18DF74E950AAE77B2FB8A348F14812AE415973A4DB3A9C45EF50
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: :@k
                                                                                                    • API String ID: 0-2277858631
                                                                                                    • Opcode ID: a58f5bf0f831987c193b018e0a9e177d1d4cae915b896b7d68c38140f7853530
                                                                                                    • Instruction ID: cb4389d1e9604aba48731ef2ac517b18df4250af3893a32ae6baf9452b35564e
                                                                                                    • Opcode Fuzzy Hash: a58f5bf0f831987c193b018e0a9e177d1d4cae915b896b7d68c38140f7853530
                                                                                                    • Instruction Fuzzy Hash: 90916B34B00215EFCB19DF74E551AAE73B2FF8A348B14852AE412973A4DF3A9C45EB50
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: :@k
                                                                                                    • API String ID: 0-2277858631
                                                                                                    • Opcode ID: 1354fe6e38005007f36de3884c60ed5c9ac297b49602f4f9e481979100c58328
                                                                                                    • Instruction ID: c21658db0df7962023cf1b16ac77faff9fc25123f2a97760a84f93a531c29dfc
                                                                                                    • Opcode Fuzzy Hash: 1354fe6e38005007f36de3884c60ed5c9ac297b49602f4f9e481979100c58328
• Instruction Fuzzy Hash: 90916C34B00215EFCB29DF74E551AAE73A2FF8A348B10852AE411973A4DF3A9C45EF50
Strings
Memory Dump Source
• Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5720000_server.jbxd
Similarity
• API ID:
• String ID: :@k
• API String ID: 0-2277858631
• Opcode ID: 31dc2a6526f7aa80a7cb067307aceffcf58e52fe19a3693cc4b6193b62ee3669
• Instruction ID: ab643d96f2e369bc3b6048aa905e4ef981c958e6df4c2ae846e735bfb8fded9f
• Opcode Fuzzy Hash: 31dc2a6526f7aa80a7cb067307aceffcf58e52fe19a3693cc4b6193b62ee3669
• Instruction Fuzzy Hash: 1B815C34B00215DFCB29DF74E551AAE73A2FF8A348B10852AE411973A4DF3A9C49EF50
Strings
Memory Dump Source
• Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5720000_server.jbxd
Similarity
• API ID:
• String ID: :@k
• API String ID: 0-2277858631
• Opcode ID: ebe20499838710d78baad63487e32d0c9de4200d5936d00e5baf3b61f689abd6
• Instruction ID: 6e0df985da557fefaaf170890c9cf0f26288aac1f1641038b602d14675169c1c
• Opcode Fuzzy Hash: ebe20499838710d78baad63487e32d0c9de4200d5936d00e5baf3b61f689abd6
• Instruction Fuzzy Hash: 9A717D34B00210DFCB299F74E551A6E73A2FF8A348F24852AE411977A4DF3A9C45EF91
Strings
Memory Dump Source
• Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5720000_server.jbxd
Similarity
• API ID:
• String ID: :@k
• API String ID: 0-2277858631
• Opcode ID: fb673e8af5a3d31c1229feee2e01c9697b4793e6460b470a03a8e0a98d351302
• Instruction ID: c6fa45822313abdaa92ece4f420b922fafe26e48c799480b50a51b4990222239
• Opcode Fuzzy Hash: fb673e8af5a3d31c1229feee2e01c9697b4793e6460b470a03a8e0a98d351302
• Instruction Fuzzy Hash: E351D235B00215DFCB28DF74E851A6E73A2FF89348F24802AE512977A4DF3A9C45DB91
Strings
Memory Dump Source
• Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5720000_server.jbxd
Similarity
• API ID:
• String ID: 2l
• API String ID: 0-2574689970
• Opcode ID: dcdc21cb18a57ef7630c7c9a31df67d46b5b9ff11bb56ec75ec88843be6b7d66
• Instruction ID: b0f564a1570e3a9993a7cdec01081c1b01cd0b257ee5bc5b477da143db930a8c
• Opcode Fuzzy Hash: dcdc21cb18a57ef7630c7c9a31df67d46b5b9ff11bb56ec75ec88843be6b7d66
• Instruction Fuzzy Hash: EC416E30A00229CFDB24DFB5D955BEDB7B2BF49305F0045AAD009AB294DB798D48DF61
Strings
Memory Dump Source
• Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5720000_server.jbxd
Similarity
• API ID:
• String ID: :@k
• API String ID: 0-2277858631
• Opcode ID: 9d7c7b308c2d001d18c4a1a8ce6e43f62b62d6baeb09df00f1e7bd7f974329f9
• Instruction ID: 7e26a32ee3c2a51eb0a25f00ac7baad73bcd67037b0f9f0e2fe0b874d5f83bea
• Opcode Fuzzy Hash: 9d7c7b308c2d001d18c4a1a8ce6e43f62b62d6baeb09df00f1e7bd7f974329f9
• Instruction Fuzzy Hash: 1F31CF30B002119FDB14AB74D9157BE36A7EB99208F10806AD415D77A4EF3E9D0AE7A2
APIs
• CloseHandle.KERNELBASE(00000080), ref: 0155ABF0
Memory Dump Source
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_155a000_server.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 1ffad7f7088900a6b7674fc8f35625861d20724f8defcbdbf36a9efb7fd0ee0d
• Instruction ID: 573dbd0652afb2a8e90d30725b8c7a66e6bb0e59aa70d17d185149e02b692c1d
• Opcode Fuzzy Hash: 1ffad7f7088900a6b7674fc8f35625861d20724f8defcbdbf36a9efb7fd0ee0d
• Instruction Fuzzy Hash: 1D21F3755097C09FDB138B25DC95752BFB8EF07220F0984DBED858F6A3D2649808CB62
APIs
• CloseHandle.KERNELBASE(?), ref: 0155A690
Memory Dump Source
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_155a000_server.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 9dc22dc788721986311d5dd17f8f9970a5ca2a7756042a027bdb646f250958fc
• Instruction ID: 165ada19ea9ed5e0214dac52ae5dac80023576c05b531fb8e0283afd97d57be3
• Opcode Fuzzy Hash: 9dc22dc788721986311d5dd17f8f9970a5ca2a7756042a027bdb646f250958fc
• Instruction Fuzzy Hash: 67218B7180D3C09FDB138B258CA4652BFB4EF47220F0984DBDC848F1A3D2659908CB72
APIs
• CloseHandle.KERNELBASE(00000080), ref: 0155ABF0
Memory Dump Source
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_155a000_server.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: f701c934df888674406911d7e47983535a73ac13f6c59926d9eeecc77631e0b0
• Instruction ID: e0363e4988e0a4bc58775b6e8e599be2669e3147182b6f148e4ad42d60b4f654
• Opcode Fuzzy Hash: f701c934df888674406911d7e47983535a73ac13f6c59926d9eeecc77631e0b0
• Instruction Fuzzy Hash: 1E01F271A042048FDB50CF69E885766FBE4EF05220F08C8ABED098F742D375E408CEA2
APIs
• CloseHandle.KERNELBASE(?), ref: 0155A690
Memory Dump Source
• Source File: 00000002.00000002.4451290610.000000000155A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_155a000_server.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: beb33cd4e5c1b597526fd8f56b67087b075d2765fcec1dba7d2e896be849426e
• Instruction ID: b9a3407d26cbd87dfa75107fcc44a666f9b16a6478c94ed453ede2098ffb7129
• Opcode Fuzzy Hash: beb33cd4e5c1b597526fd8f56b67087b075d2765fcec1dba7d2e896be849426e
• Instruction Fuzzy Hash: D3018671A042449FEB50CF59D894766FBE4EF85224F08C8ABDD098F652D279E408CEA2
Memory Dump Source
• Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5720000_server.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b97676891b8d6e0e3545db90580048c22a6c489e450fc2ebc1decf4c53d7620
• Instruction ID: ca22eae4abb38778f9716f5d78a2d084c8fa1308840edf41f89ac54651fac610
• Opcode Fuzzy Hash: 4b97676891b8d6e0e3545db90580048c22a6c489e450fc2ebc1decf4c53d7620
• Instruction Fuzzy Hash: 5241C230604711CBEB35CB3699157AD36E2BB45354F188266D422DB2D0DF3ADD4AFB22
Memory Dump Source
• Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5720000_server.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c488a451380dec40bcd0dc99bf0650cd375cfe6b18bdaefd9336c9452ed34dd
• Instruction ID: 4ef7371e1d1f3f4874043867ce0afc3dea00fdbc86bb79f7b1f83bae5b840665
• Opcode Fuzzy Hash: 9c488a451380dec40bcd0dc99bf0650cd375cfe6b18bdaefd9336c9452ed34dd
• Instruction Fuzzy Hash: C131C234B002159FDB14CF79D958BAEBBF2BF88214F148069E505EB3A0DBB4DD099B91
Memory Dump Source
• Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5720000_server.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ad1ff318c84a5604ab0b59b86fc3589ac9b744b0f5d185ffde4785801df6798e
• Instruction ID: 50da214815641803f5b94d944221b07e21aa42590384e4c9634b3c3f9b318fe5
• Opcode Fuzzy Hash: ad1ff318c84a5604ab0b59b86fc3589ac9b744b0f5d185ffde4785801df6798e
• Instruction Fuzzy Hash: 6D11166540E7D15FD3138730AC29691BFB1BB63214B0E81DBD094CA1A3E2AD8809E763
Memory Dump Source
• Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5720000_server.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ad6bdc1a972006edb0afbff42dd2c58ffc979bb1af75d48a4421197eb3eefae1
• Instruction ID: f9ad74e43256e3cf7dbefaa22683058f2cb667369326a924b0233913affd2f50
• Opcode Fuzzy Hash: ad6bdc1a972006edb0afbff42dd2c58ffc979bb1af75d48a4421197eb3eefae1
• Instruction Fuzzy Hash: 22110231A197D04FCB2A26349D285BA3BB1EB93115B0544FBD9818B3A3DB2D4C0A9362
Memory Dump Source
• Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5720000_server.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a41341ef3c3418a179a64ed410c7ef72902bdceac27a80d933f2db0644516b2c
• Instruction ID: aa06ef8da6eddeef2f48b58b0c6595c1c6b215264aef34b4a71bd85f05416f69
• Opcode Fuzzy Hash: a41341ef3c3418a179a64ed410c7ef72902bdceac27a80d933f2db0644516b2c
• Instruction Fuzzy Hash: A91127317056958FC7296B38A92946D3BE6FFC211670149BFE4418B396CF398C089392
Memory Dump Source
• Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5720000_server.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 43627c2ee5ddb77535ee4d813e8e1e711e57061bb9a41ba811e60ae1f18a3cc5
• Instruction ID: 392d925b9927e2dda777f16982efbe6264d70f557506ab763a07c73807006cf2
• Opcode Fuzzy Hash: 43627c2ee5ddb77535ee4d813e8e1e711e57061bb9a41ba811e60ae1f18a3cc5
• Instruction Fuzzy Hash: 75119071A00615DF8BA5DB789A049BE77FAFB8A254720407AC405E7350EB354D16CB90
Memory Dump Source
• Source File: 00000002.00000002.4454157779.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6710000_server.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b3e13c9b957942f4b31f791462a20a6a646a7813958351e3f1a3ae95c249a48
• Instruction ID: 3f0154ad02dca4035f11084b67c3633ea8c66a1a595391a62d00b2cc64a68f04
• Opcode Fuzzy Hash: 5b3e13c9b957942f4b31f791462a20a6a646a7813958351e3f1a3ae95c249a48
• Instruction Fuzzy Hash: 4911BAB5A08341AFD340CF19D880A5BFBE4FBD8664F04895EF998D7311D231E9148FA2
Memory Dump Source
• Source File: 00000002.00000002.4451204484.0000000001520000.00000040.00000020.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1520000_server.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c263f34e614ba327697617f5beed2a3d6377902070388b38259d06dfa57bd43f
• Instruction ID: 185e30f924643a21d957be2d16b6ba990f7408ac8fbb5a6d933aa941568ecbdd
• Opcode Fuzzy Hash: c263f34e614ba327697617f5beed2a3d6377902070388b38259d06dfa57bd43f
• Instruction Fuzzy Hash: 4011A2323052849FE715CB14D540B25FBE5BB8A718F24C99CE54A5BBD2C77BD812CA41
Memory Dump Source
• Source File: 00000002.00000002.4454157779.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6710000_server.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e78972b1d75446bce13e90b323e1b5023958f35051958aa0b1a6d6c1140c028
• Instruction ID: 802f9a9c62717d2de4eecfd5b7d8fcee29c7819100bfbbbb07d10bb7a159a8b8
• Opcode Fuzzy Hash: 6e78972b1d75446bce13e90b323e1b5023958f35051958aa0b1a6d6c1140c028
• Instruction Fuzzy Hash: 8A11FAB5A08301AFD350CF49DC80E5BFBE8EB88660F04885EF95897311D231E9088FA2
Memory Dump Source
• Source File: 00000002.00000002.4451522363.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_157a000_server.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: afb3c81e8fdae60451689bbe94014a9ee8b9c3f5cf271fc43c01f07e96e3bd65
• Instruction ID: 3b7a9891b3f301a3c7e7cc30ac1649a4ef892472cae449ed0d511fe80cbc0786
                                                                                                    • Opcode Fuzzy Hash: afb3c81e8fdae60451689bbe94014a9ee8b9c3f5cf271fc43c01f07e96e3bd65
                                                                                                    • Instruction Fuzzy Hash: EC11FAB5A08301AFD350CF49DC80E5BFBE8EB98660F04895EF95897311D231E9088FA2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d4f82a314b21481ca3ad60dff9472230ddc696bc60d0a53d6a550189965929ed
                                                                                                    • Instruction ID: c272376b7f7a7a8da10cd95a7d7354b1f0159e5036e7823359c551323430de7d
                                                                                                    • Opcode Fuzzy Hash: d4f82a314b21481ca3ad60dff9472230ddc696bc60d0a53d6a550189965929ed
                                                                                                    • Instruction Fuzzy Hash: B2118230206646DFCB40EB35E95D45E7BE1FFD6208B01885EE4558F718EE358808EB53
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451204484.0000000001520000.00000040.00000020.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_1520000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 09bdd168a64f8e841fb9deccfb2c74672dbdc8111472ee4a3b20a2b4ff502d23
                                                                                                    • Instruction ID: 7463413636ab688eaaf101a647979915d968687842fdc7e519ae0beab042d86f
                                                                                                    • Opcode Fuzzy Hash: 09bdd168a64f8e841fb9deccfb2c74672dbdc8111472ee4a3b20a2b4ff502d23
                                                                                                    • Instruction Fuzzy Hash: 490186B65097845FD7128B15EC40862FFF8EB86670709C49BEC498B612D275B909CB72
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451204484.0000000001520000.00000040.00000020.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_1520000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bbfc75e0c5fb57dea3cd443df782cc9e266890e5bcf8baf2eeab243c62b96544
                                                                                                    • Instruction ID: 83d0f8eb9123d0770ef72e0d3396ac7cca6ac5319c76147f77efa1d98afad312
                                                                                                    • Opcode Fuzzy Hash: bbfc75e0c5fb57dea3cd443df782cc9e266890e5bcf8baf2eeab243c62b96544
                                                                                                    • Instruction Fuzzy Hash: 5D115235209384CFD716CB14D580B15FBB1FB46718F28C6DEE4894B6A3C33A9816CB41
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ce5834419e061b97f502fa53b91dcf8151d04b312c6be9fe9e627817a5529f32
                                                                                                    • Instruction ID: bd3def39a5b79d07aadbb9475ada4808e0f19e770f11a9aecb8b089a3819ef3a
                                                                                                    • Opcode Fuzzy Hash: ce5834419e061b97f502fa53b91dcf8151d04b312c6be9fe9e627817a5529f32
                                                                                                    • Instruction Fuzzy Hash: 90F0C232A04315ABEB08DA709802BAEBBB6EF82614F0081AAD5459B2D0EA365C418790
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a504b92db649abfa2894986591c01c2c5cf992e86c937905925c79c582f643de
                                                                                                    • Instruction ID: cd533b10ea3ffef5815dc5eaeff15391eda3e46eb2807fce9c5d94b459e6841f
                                                                                                    • Opcode Fuzzy Hash: a504b92db649abfa2894986591c01c2c5cf992e86c937905925c79c582f643de
                                                                                                    • Instruction Fuzzy Hash: 8AF0B4B1E103289F8F90DFB898498EF7BF0FA85264F54053AD188D2101E2354146CB91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451204484.0000000001520000.00000040.00000020.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_1520000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e6850d79e688ef7387407e307c00caab001beb49244c143f541758b1d055de9a
                                                                                                    • Instruction ID: eb967297bf3ec8807208b8453ac2c799bbcbe7e138541c4f4d9b23fc3b983a7e
                                                                                                    • Opcode Fuzzy Hash: e6850d79e688ef7387407e307c00caab001beb49244c143f541758b1d055de9a
                                                                                                    • Instruction Fuzzy Hash: 5BF01D35204644DFC706CF04D580B15FBA2FB89718F24CAADE9490B792C737E813DA81
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451204484.0000000001520000.00000040.00000020.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_1520000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8f01b7b6c3eeda9b45a596d867fc83f44e0210f64126f8b94b2fe366f8e2ffa3
                                                                                                    • Instruction ID: 85f32c58ec2c0b052a6a70bea84e78e3164bd72200aa3c96903cf40373308ce7
                                                                                                    • Opcode Fuzzy Hash: 8f01b7b6c3eeda9b45a596d867fc83f44e0210f64126f8b94b2fe366f8e2ffa3
                                                                                                    • Instruction Fuzzy Hash: FEE092B66006048B9750DF0AEC81452F7D8EB88630708C07FDC0D8B701D235F508CEA5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4454157779.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_6710000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6d96d8e37fa905c3e451d1495e19f9e7ddf0246455b992b57848127883aa1ca9
                                                                                                    • Instruction ID: e17058d610ae2462020b7e70a4958976c0f958636922cd4b7536e7d287a3b27d
                                                                                                    • Opcode Fuzzy Hash: 6d96d8e37fa905c3e451d1495e19f9e7ddf0246455b992b57848127883aa1ca9
                                                                                                    • Instruction Fuzzy Hash: A9E0D8B254030467D3109F069C45F52FBDCDB94A71F44C467ED081B741D172B51489E6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4454157779.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_6710000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 88b63c501e889955b058a9be8de1127a8187a91957463d8768699c1c70d35f68
                                                                                                    • Instruction ID: 38ac1df9036f207968ca5df8d131ce37d41eaaeec3b70aa8389bb602a9cf274d
                                                                                                    • Opcode Fuzzy Hash: 88b63c501e889955b058a9be8de1127a8187a91957463d8768699c1c70d35f68
                                                                                                    • Instruction Fuzzy Hash: 5BE0D8B25002046BD2109F069C45F53FBD8DB94A70F48C457ED081B701D172B514CDE6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4454157779.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_6710000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8faf31d5affb87bbc7a668a6c83b797c73c127e531134552acd5aba2cdb3dac7
                                                                                                    • Instruction ID: 0db210715bddc761ffef5409f90332ec275e781298b74df5c106eec9be717023
                                                                                                    • Opcode Fuzzy Hash: 8faf31d5affb87bbc7a668a6c83b797c73c127e531134552acd5aba2cdb3dac7
                                                                                                    • Instruction Fuzzy Hash: CEE0D8B250030467D2509F069C85F53FBD8DB54A70F44C457ED081B702D172B50489F6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451522363.000000000157A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_157a000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 917b31877643db40a0722e51e77b44bcbe0771812795f99c6c7ab52c57d36756
                                                                                                    • Instruction ID: 53750586d5b8daae3eae8bd828a545b8930427f10dd38dca2f2a6aa59e4cf6a8
                                                                                                    • Opcode Fuzzy Hash: 917b31877643db40a0722e51e77b44bcbe0771812795f99c6c7ab52c57d36756
                                                                                                    • Instruction Fuzzy Hash: DAE0D8B254020467D2109F069C45F52F7D8DB54A71F44C557ED085B701D172B50489F6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f988da1574256873a8c0764ced1a1f2944a9cba307a0e4271cbb5db3ddb7c205
                                                                                                    • Instruction ID: 97e65fbcad66ad6199ff457f8bf4ef5a68b157c7cc29dcd95620fe2f09a10130
                                                                                                    • Opcode Fuzzy Hash: f988da1574256873a8c0764ced1a1f2944a9cba307a0e4271cbb5db3ddb7c205
                                                                                                    • Instruction Fuzzy Hash: 01E09271A1E3849FCB06CF789D158AD7FF49B5321870501EBD889CB2A2E5210E09DB52
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 940ac82b44506b18935dddef06b9343edc58543a0a5a5fd82641cd31d947950b
                                                                                                    • Instruction ID: ee723ac381ff569cfae3f5427c4ffad3f9458cf67ae3bca2cd32e00fc17eafc4
                                                                                                    • Opcode Fuzzy Hash: 940ac82b44506b18935dddef06b9343edc58543a0a5a5fd82641cd31d947950b
                                                                                                    • Instruction Fuzzy Hash: 1CE01A71D002199E8B40EFB9990559FBBF8EA48254B10043AD608E3200F3394205CBD1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a0bd8e35533ac5dc11d665fcd4a68a4d0c9dd059129e4a52660cdc6fe3986783
                                                                                                    • Instruction ID: f5df66118f0198e06f4b88810c1f0ca35fb4faadb239d1611f935d3a0f74520e
                                                                                                    • Opcode Fuzzy Hash: a0bd8e35533ac5dc11d665fcd4a68a4d0c9dd059129e4a52660cdc6fe3986783
                                                                                                    • Instruction Fuzzy Hash: 5AE08670A0E3C46FCB068B60BE6D9FC7FF89F5311031500DBC486CA6A3C9660D899752
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: da884d2a23fce3ef21956ba04471b94306b9e6af05dd873c34bae9f28ca5a64a
                                                                                                    • Instruction ID: 358576e0a78b14c0c59d8c93062d71809d68bcba1acc997fb1e54888fcb21f68
                                                                                                    • Opcode Fuzzy Hash: da884d2a23fce3ef21956ba04471b94306b9e6af05dd873c34bae9f28ca5a64a
                                                                                                    • Instruction Fuzzy Hash: 05E0C230109384CFC7261B3864284683F776F8610839408FEC5A94B36ACE3BD841CB50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451262145.0000000001552000.00000040.00000800.00020000.00000000.sdmp, Offset: 01552000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_1552000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 760123a35d0c376783c1528617d216a7ac02a71ced239e1df4c22f45aeeab6eb
                                                                                                    • Instruction ID: 62d22eca034a509d3d8797bdbeca4310bedde0ca9fe931b0cf61d30def456823
                                                                                                    • Opcode Fuzzy Hash: 760123a35d0c376783c1528617d216a7ac02a71ced239e1df4c22f45aeeab6eb
                                                                                                    • Instruction Fuzzy Hash: 14D05E792057C1CFE3169A1CC1A4B993FE8BB61714F4A44FAAC008F763C768D581D700
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4453456330.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_5720000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9e178ddfe1a07f580fda1c172c90e9586116d09048332c9eeb2b7b99aad7d900
                                                                                                    • Instruction ID: d89a958d3e2093f633d18136050122159829a679a152e8b909f10350750e6d77
                                                                                                    • Opcode Fuzzy Hash: 9e178ddfe1a07f580fda1c172c90e9586116d09048332c9eeb2b7b99aad7d900
                                                                                                    • Instruction Fuzzy Hash: 3ED0A970A01208EF8700DFA8E90189DB7F8EB09304B0000AAA809C7700EE311E04EB80
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.4451262145.0000000001552000.00000040.00000800.00020000.00000000.sdmp, Offset: 01552000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_1552000_server.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8149f91a3fa5f03bdb15ae57d47f1d5c253f2c7595f2f78d967ba14737a27099
                                                                                                    • Instruction ID: b9f99c16dcc70215d2f7aa8caf17b1552bd56fb79189bb68bb98a8f87a146764
                                                                                                    • Opcode Fuzzy Hash: 8149f91a3fa5f03bdb15ae57d47f1d5c253f2c7595f2f78d967ba14737a27099
                                                                                                    • Instruction Fuzzy Hash: BCD05E342002818BD715DA0CC6E4F5D3BD8BB50B14F1A44E9AC108F762C7A4D8C1CB00

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:12.5%
                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                    Signature Coverage:0%
                                                                                                    Total number of Nodes:52
                                                                                                    Total number of Limit Nodes:4
                                                                                                    Execution graph (flattened graph render reduced to its recoverable content; each entry lists the entry node, the block that reaches a Windows API, and the successor block):
                                                                                                    • 10dadee -> 10dae23 (WriteFile) -> 10dae55
                                                                                                    • 10da6ce -> 10da72e (OleGetClipboard) -> 10da78c
                                                                                                    • 10dadce -> 10dadee (WriteFile) -> 10dae55
                                                                                                    • 10dafaa -> 10dafe2 (CreateMutexW) -> 10db025
                                                                                                    • 10daaa6 -> 10daade (CreateFileW) -> 10dab2d
                                                                                                    • 10dab7c -> 10dabbe (CloseHandle) -> 10dabf8
                                                                                                    • 10da9bf -> 10da9c9 (SetErrorMode) -> 10daa53
                                                                                                    • 10dabbe -> 10dac29 -> 10dabea (CloseHandle) -> 10dabf8 (10dabbe also branches directly to 10dabea)
                                                                                                    • 10da65e -> 10da68a (OleInitialize) -> 10da698 (10da65e also branches via 10da6c0 to 10da68a)
                                                                                                    • 10da61e -> 10da65e (OleInitialize) -> 10da698
                                                                                                    • 10da59a -> 10da5d8 (DuplicateHandle) -> 10da5e6 (10da59a also branches via 10da610 to 10da5d8)
                                                                                                    • 10daa75 -> 10daaa6 (CreateFileW) -> 10dab2d
                                                                                                    • 10dac37 -> 10dac6a (GetFileType) -> 10daccc
                                                                                                    • 10daf76 -> 10dafaa (CreateMutexW) -> 10db025
                                                                                                    • 10da573 -> 10da59a (DuplicateHandle) -> 10da5e6
                                                                                                    • 10daa12 -> 10daa3e (SetErrorMode) -> 10daa53 (10daa12 also branches via 10daa67 to 10daa3e)

                                                                                                    Callgraph

                                                                                                    Callgraph (flattened graph render reduced to its recoverable content: 104 function nodes and the call edges between them)
                                                                                                    Function nodes: Function_010DA20C, Function_02BF00B8, Function_010DA50A, Function_02BF39B7, Function_010DA005, Function_010C0606, Function_010D2006, Function_010C0001, Function_02BF02B1, Function_010DA61E, Function_02BF00A8, Function_010C0710, Function_010D2310, Function_010DAA12, Function_010DA02E, Function_010DA72E, Function_02BF0290, Function_010D213C, Function_010C003E, Function_010C0739, Function_010DA23A, Function_010DAC37, Function_010DA836, Function_010D2430, Function_010C0648, Function_02BF37FA, Function_02BF3CF9, Function_02BF41F8, Function_010DA44A, Function_010D2044, Function_010DA140, Function_010DA65E, Function_010D2458, Function_02BF01E1, Function_010DAD52, Function_010C026D, Function_010C066A, Function_010DAC6A, Function_010DA865, Function_010D2264, Function_010D2364, Function_010DAB7C, Function_010D247C, Function_010C067F, Function_010DA078, Function_010DAA75, Function_010C0074, Function_010DB074, Function_02BF3DC4, Function_010DAF76, Function_010DA573, Function_02BF02C0, Function_010DA472, Function_02BF3FC0, Function_010D268D, Function_010DA384, Function_010DA186, Function_02BF4230, Function_010D2098, Function_010DA59A, Function_010C009B, Function_010D2194, Function_010DAE97, Function_010DA3A8, Function_010DAFAA, Function_02BF0118, Function_010DAAA6, Function_02BF3010, Function_02BF3B10, Function_010D23BC, Function_010DA9BF, Function_010DABBE, Function_010DA0BE, Function_02BF4208, Function_02BF0006, Function_010D22B4, Function_010DA2B0, Function_010DA7B0, Function_010DB0B2, Function_010DA6CE, Function_010DADCE, Function_010DA3CA, Function_02BF4278, Function_010C05C0, Function_010DA4D8, Function_010DA7D1, Function_010C05D0, Function_010D20D0, Function_010DAED2, Function_010DA2D2, Function_02BF3C5E, Function_02BF265D, Function_010DADEE, Function_02BF3058, Function_010C05E0, Function_010DA2FE, Function_010DACF8, Function_02BF0449, Function_010D25FB, Function_02BF3047, Function_02BF4147, Function_010D23F4, Function_010D21F0, Function_02BF3140
                                                                                                    Call edges (caller -> callees):
                                                                                                    • Function_02BF00B8 -> Function_010DA20C, Function_02BF39B7, Function_010C0606, Function_010DA23A, Function_02BF37FA, Function_02BF3B10, Function_010C05E0
                                                                                                    • Function_02BF00A8 -> Function_010DA20C, Function_02BF39B7, Function_010C0606, Function_010DA23A, Function_02BF37FA, Function_02BF3B10, Function_010C05E0
                                                                                                    • Function_02BF02B1 -> Function_02BF00B8
                                                                                                    • Function_02BF02C0 -> Function_02BF00B8
                                                                                                    • Function_010C0648 -> Function_010C066A
                                                                                                    • Function_02BF01E1 -> Function_010C0606, Function_010C05E0
                                                                                                    • Function_02BF0118 -> Function_02BF39B7, Function_010C0606, Function_02BF37FA, Function_02BF3B10, Function_010C05E0
                                                                                                    • Function_02BF3010 -> Function_010C0606, Function_010C05E0
                                                                                                    • Function_02BF4278 -> Function_02BF3058

                                                                                                    Control-flow Graph

                                                                                                    Control-flow graph (flattened graph render reduced to its recoverable content): function at 2bf37fa, basic blocks from 2bf37fa-2bf3909 through 2bf41e6-2bf41ed; no API call nodes appear in the graph.
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2201431673.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_2bf0000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: \Ol$2l
                                                                                                    • API String ID: 0-1312013075
                                                                                                    • Opcode ID: 714a3a8483f5686b48c2b839499f043b3c3de3205ca4ed0b35d5590684d5f0b7
                                                                                                    • Instruction ID: 33dd04599eb37cf5876bea377fd1570d983ee4a460fbc434ac22ef076a660a62
                                                                                                    • Opcode Fuzzy Hash: 714a3a8483f5686b48c2b839499f043b3c3de3205ca4ed0b35d5590684d5f0b7
                                                                                                    • Instruction Fuzzy Hash: 8F324B34A00258CFDB14DF74D859BEDB7B2EB88308F1041A9D509AB3A4DB799E85CF50

                                                                                                    Control-flow Graph

                                                                                                    Control-flow graph (flattened graph render reduced to its recoverable content): function at 2bf00b8, basic blocks from 2bf00b8-2bf00cd through 2bf01db-2bf01de; the call site at 2bf00d0 resolves to 10da20c, 10da23a, 10c0606 and 10c05e0, and the call site at 2bf01d5 resolves to 2bf37fa, 2bf39b7, 10c0606, 10c05e0 and 2bf3b10.
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2201431673.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_2bf0000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2l$2l
                                                                                                    • API String ID: 0-1080021723
                                                                                                    • Opcode ID: 739511ad1d36ad931098976dfa19201f9ef589209a76dc2f3872377f420ca333
                                                                                                    • Instruction ID: 7962b5d0df3728b0a7ba85d8da75d21a37b927b13c43e97753065538da8adca7
                                                                                                    • Opcode Fuzzy Hash: 739511ad1d36ad931098976dfa19201f9ef589209a76dc2f3872377f420ca333
                                                                                                    • Instruction Fuzzy Hash: BF312635B003409FD718EB36A8157AE3BE7ABD2208F0485AED445CF781DF7A8C098792

                                                                                                    Control-flow Graph

                                                                                                    Control-flow graph (flattened graph render reduced to its recoverable content): function at 2bf0118, basic blocks from 2bf0118-2bf0169 through 2bf01db-2bf01de; the call site at 2bf01d5 resolves to 2bf37fa, 2bf39b7, 10c0606, 10c05e0 and 2bf3b10.
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2201431673.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_2bf0000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2l$2l
                                                                                                    • API String ID: 0-1080021723
                                                                                                    • Opcode ID: d9ca32ac6a40a90f0a9117e6f0d448fa752bf1107b5aa756e70a80338e45215a
                                                                                                    • Instruction ID: d3e2120818ee252dbe72b5d02808a3f496950fd169f672e93683392073c91ef1
                                                                                                    • Opcode Fuzzy Hash: d9ca32ac6a40a90f0a9117e6f0d448fa752bf1107b5aa756e70a80338e45215a
                                                                                                    • Instruction Fuzzy Hash: 47112535B002008FC328E73AA0197FD36D7A7E220874455AED445CF741CFAACC098BA3

                                                                                                    Control-flow Graph

                                                                                                    Control-flow graph (flattened graph render reduced to its recoverable content): function at 10daa75, basic blocks from 10daa75-10daafe through 10dab75-10dab7a; CreateFileW is called in block 10dab1f-10dab43.
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 010DAB25
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2184188503.00000000010DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_10da000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: 7f2a65cda1d6afa5224c5c4d8636e3b3e682f49b52b16b8fd5dd668eaeeacbcd
                                                                                                    • Instruction ID: 8f246ec8cf9d8f01d9b1fc8da426c916a01e1ec4b14f02a7b99d18a36cdf9160
                                                                                                    • Opcode Fuzzy Hash: 7f2a65cda1d6afa5224c5c4d8636e3b3e682f49b52b16b8fd5dd668eaeeacbcd
                                                                                                    • Instruction Fuzzy Hash: 43316471505340AFE721CF65CC45F56BFF8EF06224F08889EE9858B652D365E849CB61

                                                                                                    Control-flow Graph

                                                                                                    Control-flow graph (flattened graph render reduced to its recoverable content): function at 10daf76, basic blocks from 10daf76-10daff9 through 10db06d-10db072; CreateMutexW is called in block 10db017-10db03b.
                                                                                                    APIs
                                                                                                    • CreateMutexW.KERNELBASE(?,?), ref: 010DB01D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2184188503.00000000010DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_10da000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateMutex
                                                                                                    • String ID:
                                                                                                    • API String ID: 1964310414-0
                                                                                                    • Opcode ID: 6a24d30d27ebe980100a40301e3a92bd5e3375ca1d405a62ca38a6fa9349acdd
                                                                                                    • Instruction ID: 634aad2a4ca150188192b2f9fd3b2a0348b2eaffe0424db557186f0703bc99da
                                                                                                    • Opcode Fuzzy Hash: 6a24d30d27ebe980100a40301e3a92bd5e3375ca1d405a62ca38a6fa9349acdd
                                                                                                    • Instruction Fuzzy Hash: 3A31B3715093805FE722CB65CC85B96BFF8EF06210F0884DAE988CB292D375E908C772

                                                                                                    Control-flow Graph

                                                                                                    Control-flow graph (flattened graph render reduced to its recoverable content): function at 10da6ce, basic blocks 10da6ce-10da72b, 10da72e-10da786 and 10da78c-10da7a2; OleGetClipboard is called in block 10da72e-10da786.
                                                                                                    APIs
                                                                                                    • OleGetClipboard.OLE32(?,00000E84,?,?), ref: 010DA77E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2184188503.00000000010DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_10da000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Clipboard
                                                                                                    • String ID:
                                                                                                    • API String ID: 220874293-0
                                                                                                    • Opcode ID: a01acf8f598d252a7fb7b79b3b4e7ae1b18682160948ad458aac0be1f4b98d83
                                                                                                    • Instruction ID: 87b80a666952992630b50b54fcf0d3df55a7186a164b701515e790469d74c73a
                                                                                                    • Opcode Fuzzy Hash: a01acf8f598d252a7fb7b79b3b4e7ae1b18682160948ad458aac0be1f4b98d83
                                                                                                    • Instruction Fuzzy Hash: D6316F7504D3C06FD3138B259C61B61BFB4EF47610F0A80CBE884CB6A3D2256919D772

                                                                                                    Control-flow Graph

                                                                                                    Control-flow graph (flattened graph render reduced to its recoverable content): function at 10daaa6, basic blocks from 10daaa6-10daafe through 10dab75-10dab7a; CreateFileW is called in block 10dab1f-10dab27.
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 010DAB25
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2184188503.00000000010DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_10da000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: a92eef4d5aa341f92cf5b931605786f50cdac09d05604355eaabec73b6c840a6
                                                                                                    • Instruction ID: d20d3f2392d4e6f903c44c1d61c5b566a445b011186b126e181195df8aab99ff
                                                                                                    • Opcode Fuzzy Hash: a92eef4d5aa341f92cf5b931605786f50cdac09d05604355eaabec73b6c840a6
                                                                                                    • Instruction Fuzzy Hash: F921A171600300AFE721CF65CD45B66FBE8EF09224F0488ADE9898B652D371E409CB72

                                                                                                    Control-flow Graph

                                                                                                    Control-flow graph (flattened graph render reduced to its recoverable content): function at 10da9bf, basic blocks from 10da9bf-10daa3c through 10daa6e-10daa73; SetErrorMode is called in block 10daa3e-10daa51.
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNELBASE(?), ref: 010DAA44
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2184188503.00000000010DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_10da000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode
                                                                                                    • String ID:
                                                                                                    • API String ID: 2340568224-0
                                                                                                    control_flow_graph 248 10dac37-10dacb5 252 10dacea-10dacef 248->252 253 10dacb7-10dacca GetFileType 248->253 252->253 254 10daccc-10dace9 253->254 255 10dacf1-10dacf6 253->255 255->254
                                                                                                    APIs
                                                                                                    • GetFileType.KERNELBASE(?,00000E84,D5DC10E7,00000000,00000000,00000000,00000000), ref: 010DACBD
                                                                                                    Similarity
                                                                                                    • API ID: FileType
                                                                                                    • String ID:
                                                                                                    • API String ID: 3081899298-0
                                                                                                    control_flow_graph 259 10dafaa-10daff9 262 10daffe-10db007 259->262 263 10daffb 259->263 264 10db00c-10db015 262->264 265 10db009 262->265 263->262 266 10db017-10db01f CreateMutexW 264->266 267 10db066-10db06b 264->267 265->264 269 10db025-10db03b 266->269 267->266 270 10db06d-10db072 269->270 271 10db03d-10db063 269->271 270->271
                                                                                                    APIs
                                                                                                    • CreateMutexW.KERNELBASE(?,?), ref: 010DB01D
                                                                                                    Similarity
                                                                                                    • API ID: CreateMutex
                                                                                                    • String ID:
                                                                                                    • API String ID: 1964310414-0
                                                                                                    control_flow_graph 274 10dadce-10dae45 278 10dae89-10dae8e 274->278 279 10dae47-10dae67 WriteFile 274->279 278->279 282 10dae69-10dae86 279->282 283 10dae90-10dae95 279->283 283->282
                                                                                                    APIs
                                                                                                    • WriteFile.KERNELBASE(?,00000E84,D5DC10E7,00000000,00000000,00000000,00000000), ref: 010DAE4D
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3934441357-0
                                                                                                    control_flow_graph 286 10da61e-10da688 288 10da68a-10da692 OleInitialize 286->288 289 10da6c0-10da6c5 286->289 290 10da698-10da6aa 288->290 289->288 292 10da6ac-10da6bf 290->292 293 10da6c7-10da6cc 290->293 293->292
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2184188503.00000000010DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_10da000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Initialize
                                                                                                    • String ID:
                                                                                                    • API String ID: 2538663250-0
                                                                                                    control_flow_graph 295 10da573-10da5d6 297 10da5d8-10da5e0 DuplicateHandle 295->297 298 10da610-10da615 295->298 299 10da5e6-10da5f8 297->299 298->297 301 10da5fa-10da60d 299->301 302 10da617-10da61c 299->302 302->301
                                                                                                    APIs
                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010DA5DE
                                                                                                    Similarity
                                                                                                    • API ID: DuplicateHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 3793708945-0
                                                                                                    control_flow_graph 304 10dadee-10dae45 307 10dae89-10dae8e 304->307 308 10dae47-10dae4f WriteFile 304->308 307->308 310 10dae55-10dae67 308->310 311 10dae69-10dae86 310->311 312 10dae90-10dae95 310->312 312->311
                                                                                                    APIs
                                                                                                    • WriteFile.KERNELBASE(?,00000E84,D5DC10E7,00000000,00000000,00000000,00000000), ref: 010DAE4D
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3934441357-0
                                                                                                    control_flow_graph 315 10dac6a-10dacb5 318 10dacea-10dacef 315->318 319 10dacb7-10dacca GetFileType 315->319 318->319 320 10daccc-10dace9 319->320 321 10dacf1-10dacf6 319->321 321->320
                                                                                                    APIs
                                                                                                    • GetFileType.KERNELBASE(?,00000E84,D5DC10E7,00000000,00000000,00000000,00000000), ref: 010DACBD
                                                                                                    Similarity
                                                                                                    • API ID: FileType
                                                                                                    • String ID:
                                                                                                    • API String ID: 3081899298-0
                                                                                                    APIs
                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010DA5DE
                                                                                                    Similarity
                                                                                                    • API ID: DuplicateHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 3793708945-0
                                                                                                    APIs
                                                                                                    • OleGetClipboard.OLE32(?,00000E84,?,?), ref: 010DA77E
                                                                                                    Similarity
                                                                                                    • API ID: Clipboard
                                                                                                    • String ID:
                                                                                                    • API String ID: 220874293-0
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: Initialize
                                                                                                    • String ID:
                                                                                                    • API String ID: 2538663250-0
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNELBASE(?), ref: 010DAA44
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode
                                                                                                    • String ID:
                                                                                                    • API String ID: 2340568224-0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2201431673.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_2bf0000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2l
                                                                                                    • API String ID: 0-2574689970
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2l
                                                                                                    • API String ID: 0-2574689970
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2201431673.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_2bf0000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: :@k
                                                                                                    • API String ID: 0-2277858631
                                                                                                    • Opcode ID: 4e4fb156a7cf922a2505d9e8573714cd0d31834c0437d9b95e6fdefe7b68b029
                                                                                                    • Instruction ID: 1651a17da6f01c2d60827a575e4bfe8fe81aeeb8aa04baf8971d130f039ab6d0
                                                                                                    • Opcode Fuzzy Hash: 4e4fb156a7cf922a2505d9e8573714cd0d31834c0437d9b95e6fdefe7b68b029
                                                                                                    • Instruction Fuzzy Hash: AB31D034B002119FDB04BB79E8057BE32A7EBD8248F114469D505D7BA9DF7D8D0ACBA2
                                                                                                    APIs
                                                                                                    • CloseHandle.KERNELBASE(?), ref: 010DABF0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2184188503.00000000010DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_10da000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 2962429428-0
                                                                                                    • Opcode ID: 3e2091f067323394c8889dd138a509b9a08f326eac195a015e8d00fd11387fd8
                                                                                                    • Instruction ID: f38356627487b5a6ab43d26fdad65b95b0201b8d10b78e4ae05335fe5a35b473
                                                                                                    • Opcode Fuzzy Hash: 3e2091f067323394c8889dd138a509b9a08f326eac195a015e8d00fd11387fd8
                                                                                                    • Instruction Fuzzy Hash: 6421CF7550A7C09FDB138B25DC95652BFB8EF07220F0984DBDD858F6A3D2649808C762
                                                                                                    APIs
                                                                                                    • CloseHandle.KERNELBASE(?), ref: 010DABF0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2184188503.00000000010DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_10da000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 2962429428-0
                                                                                                    • Opcode ID: df0641eef1114a51ef1b6d5c361c254458a48d3059d5ae64d1f096c2077211a6
                                                                                                    • Instruction ID: 1144c268a9585dfa5d399bef1e7cdcebac2bca01a25cf2beeb4590de87d4a804
                                                                                                    • Opcode Fuzzy Hash: df0641eef1114a51ef1b6d5c361c254458a48d3059d5ae64d1f096c2077211a6
                                                                                                    • Instruction Fuzzy Hash: CA018F71A04344DFDB50CF5AD8857A6FBE4EF05221F08C4AADD898B652D275E448CBA2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2201431673.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_2bf0000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 555ed43f40e928c7524d0fb961df0c676b21ef57e5a6f06660f0713f493782e3
                                                                                                    • Instruction ID: c4c2c27acc895a2c3cf9f4bb9e922200ec75cd6dcdb6ae1f1ee4b08c60fc0f10
                                                                                                    • Opcode Fuzzy Hash: 555ed43f40e928c7524d0fb961df0c676b21ef57e5a6f06660f0713f493782e3
                                                                                                    • Instruction Fuzzy Hash: 45117BA590E3C65FC30387749879A91BFB05F63105B4E41DBC8E08B2E7D65CA82AD363
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2184048543.00000000010C0000.00000040.00000020.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_10c0000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f54c2aa40372b7b32af5aec69b6fe0059adc4b6efb0a855b0d36d2c18f78b02d
                                                                                                    • Instruction ID: b4dc4c195b98fda513037c00536e42cef48698fc75672b85a00905691ea37c13
                                                                                                    • Opcode Fuzzy Hash: f54c2aa40372b7b32af5aec69b6fe0059adc4b6efb0a855b0d36d2c18f78b02d
                                                                                                    • Instruction Fuzzy Hash: 5101A2755097C06FC7128B16AC508A2FFB8EF86120709C4DFE8898B612D225A809CBB2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2201431673.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_2bf0000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: eb4c7c89a7e269b2613b83c2c2c2f5e6a91ff6ffc77fe78d7a86c6fd9cfa8eaf
                                                                                                    • Instruction ID: d0d70cbac85a1b102a43178e1fad864a1914d3eb8c9c9a271346112994133a41
                                                                                                    • Opcode Fuzzy Hash: eb4c7c89a7e269b2613b83c2c2c2f5e6a91ff6ffc77fe78d7a86c6fd9cfa8eaf
                                                                                                    • Instruction Fuzzy Hash: A3012138705342DFCB01EF3AE54C5A97BD1EBE5609B04885CE485CB215DF759C54CB42
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2201431673.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_2bf0000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f3c4be83dbbfb82c6d821e3141b9e72ac88eab78661a225bf9968bd8a4ab06f3
                                                                                                    • Instruction ID: 3d6945ab7271b9ded92cb9131406852e834cf8c1c72cbe42451314feb734e00b
                                                                                                    • Opcode Fuzzy Hash: f3c4be83dbbfb82c6d821e3141b9e72ac88eab78661a225bf9968bd8a4ab06f3
                                                                                                    • Instruction Fuzzy Hash: DCF0C276A00304AFEB049A7098027AE7BB2DFD1224F1081AEE5419B2D1DA364D418740
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2184048543.00000000010C0000.00000040.00000020.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_10c0000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ab4cc47bf387f9b00ee312b2b1d2ebbc1efc549eb4ee950a4da7e0b8cd178ef4
                                                                                                    • Instruction ID: a9ad050e0c687357f4f7dddcea17c01a6d1aa9264a8dc99d302a459c2d6f6375
                                                                                                    • Opcode Fuzzy Hash: ab4cc47bf387f9b00ee312b2b1d2ebbc1efc549eb4ee950a4da7e0b8cd178ef4
                                                                                                    • Instruction Fuzzy Hash: D6E092B6600A404B9750CF0BEC41462F7D4EF84631B08C07FDC4D8B701E635F908CAA5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2201431673.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_2bf0000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: acd55b30bd9e09707f2c8d3bf8ff19ed97861b7f5cc942f97d9c310a889154c0
                                                                                                    • Instruction ID: 0d3c34b8651c94b5f040d314713a9f4917cb8089fe9b7b3583643b0a032d8b09
                                                                                                    • Opcode Fuzzy Hash: acd55b30bd9e09707f2c8d3bf8ff19ed97861b7f5cc942f97d9c310a889154c0
                                                                                                    • Instruction Fuzzy Hash: 0EE0E6342553809FDB265B38512C4693BB59F8620976444FEC49ADA256DE3A8992CB10
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2184066521.00000000010D2000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D2000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_10d2000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9e5078648070b29aa28fe6ca8e06835031be6db94cd6458dab9fe4070a3cc982
                                                                                                    • Instruction ID: abd10bd31274ca5c8326309c324f5df2e0c960abed2efaa2719ea93d630edad5
                                                                                                    • Opcode Fuzzy Hash: 9e5078648070b29aa28fe6ca8e06835031be6db94cd6458dab9fe4070a3cc982
                                                                                                    • Instruction Fuzzy Hash: 0DD05E792057C14FE3178A1CC5A4B953BE4AB61704F4A44F9AC408B763CB68D5D1D200
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000011.00000002.2184066521.00000000010D2000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D2000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_17_2_10d2000_32cf646479fb52a6cecce80a3bf8d7deWindows Update.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 25654f9184ea6ea114b6accc672f54395fdfc89e58975f7395577a14eca9a008
                                                                                                    • Instruction ID: 20e5a0fac0204731b7f92082ad0052013d9dc151bc01eb3b0e3fcbb56e9c8400
                                                                                                    • Opcode Fuzzy Hash: 25654f9184ea6ea114b6accc672f54395fdfc89e58975f7395577a14eca9a008
                                                                                                    • Instruction Fuzzy Hash: C5D05E342002814BD715CA0CC6D4F593BD4AB90B04F1A84E8BC508B762CBA4D8D1CA00

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:15%
                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                    Signature Coverage:0%
                                                                                                    Total number of Nodes:52
                                                                                                    Total number of Limit Nodes:4

                                                                                                    Callgraph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    • Opacity -> Relevance
                                                                                                    • Disassembly available

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2253628189.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_5300000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: \Ol$2l
                                                                                                    • API String ID: 0-1312013075
                                                                                                    • Opcode ID: 690cd66b0b31d7a2543500d622f7f83b6c80532cf946a9128873bba1c98d20fd
                                                                                                    • Instruction ID: b5ae51cb358b92e4f5590c5f317d04c3f2b82ac8f3d1e6f8f6e7139b70447383
                                                                                                    • Opcode Fuzzy Hash: 690cd66b0b31d7a2543500d622f7f83b6c80532cf946a9128873bba1c98d20fd
                                                                                                    • Instruction Fuzzy Hash: 5C322230A00219DFDB28DF75C955BEDB7B2EB89308F1045A9D509AB3A4DB399E85CF40

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2253628189.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_5300000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2l$2l
                                                                                                    • API String ID: 0-1080021723
                                                                                                    • Opcode ID: 2f5033c14af02a7cf03ed7218644e35795987cf657a7c7404fd5449cf71c9dce
                                                                                                    • Instruction ID: 1d5f0fe5cfa9a14464a934c2cda2127dfcef2550a1cce09f1818d586d0852706
                                                                                                    • Opcode Fuzzy Hash: 2f5033c14af02a7cf03ed7218644e35795987cf657a7c7404fd5449cf71c9dce
                                                                                                    • Instruction Fuzzy Hash: 413145367043059FD708EB7698117AE7BA7ABD2208F0485BED005CB785CF7ACC498792

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 166 5300118-5300169 171 5300174-530017a 166->171 172 5300181-53001bd 171->172 177 53001c8-53001d5 172->177 180 53001d5 call 53039c0 177->180 181 53001d5 call 1730606 177->181 182 53001d5 call 53036a8 177->182 183 53001d5 call 17305df 177->183 179 53001db-53001de 180->179 181->179 182->179 183->179
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2253628189.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_5300000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2l$2l
                                                                                                    • API String ID: 0-1080021723
                                                                                                    • Opcode ID: e1310c94f7102e7ea10f238689b021b7d389f385d36a9b3c544f72faa1313d75
                                                                                                    • Instruction ID: 04d2cb72204989580015e4768895545a9322438fd7a95c8b55b74c81f5fa1217
                                                                                                    • Opcode Fuzzy Hash: e1310c94f7102e7ea10f238689b021b7d389f385d36a9b3c544f72faa1313d75
                                                                                                    • Instruction Fuzzy Hash: 111148367002064FC318EB36A0117ED66DBE7E220870455BED009CBB45CF7ACC488793

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 184 10faa75-10faafe 188 10fab03-10fab0f 184->188 189 10fab00 184->189 190 10fab14-10fab1d 188->190 191 10fab11 188->191 189->188 192 10fab1f-10fab43 CreateFileW 190->192 193 10fab6e-10fab73 190->193 191->190 196 10fab75-10fab7a 192->196 197 10fab45-10fab6b 192->197 193->192 196->197
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 010FAB25
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: 9d5ef5eba32de4d89993a0ffdad77ad0253fffd1ea1e86cc150f86c4224b8ad1
                                                                                                    • Instruction ID: 0c528b4c97c79e8a90e92c6a1d27b24b938439b80105c1fcdfdfc582e42ee6bb
                                                                                                    • Opcode Fuzzy Hash: 9d5ef5eba32de4d89993a0ffdad77ad0253fffd1ea1e86cc150f86c4224b8ad1
                                                                                                    • Instruction Fuzzy Hash: 92316571505344AFE722CF65CC45F56BFF8EF05314F08889EE9898B652D365E448CB61
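The `control_flow_graph` lines in these entries are the serialised form of the rendered graph: each decimal node id is followed by the block's address range (or a single address), optional annotations (`call <hex>` for an internal call, a bare name such as `CreateFileW` for an import), and `a->b` tokens for edges. The parser below is an example added to this page, not Joe Sandbox's own tooling; its grammar is inferred from the lines shown here and may not cover every variant the product emits. The two sample lines are copied from the entries above (the function at 53000b8 and the CreateFileW function at 10faa75), so it runs offline.

```python
"""Parse Joe Sandbox 'control_flow_graph' lines into blocks, edges and API calls.
Example added to this page; grammar inferred from the entries shown, not from
Joe Sandbox documentation."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")

# Two lines copied verbatim from the Control-flow Graph entries on this page.
FUNC_53000B8 = (
    "control_flow_graph 136 53000b8-53000cd 158 53000d0 call 10fa20c 136->158 "
    "159 53000d0 call 10fa23a 136->159 160 53000d0 call 1730606 136->160 "
    "161 53000d0 call 17305df 136->161 138 53000d5-53000f7 141 53000f9-530010a 138->141 "
    "142 530010b-53001d5 138->142 162 53001d5 call 53039c0 142->162 "
    "163 53001d5 call 1730606 142->163 164 53001d5 call 53036a8 142->164 "
    "165 53001d5 call 17305df 142->165 157 53001db-53001de 158->138 159->138 "
    "160->138 161->138 162->157 163->157 164->157 165->157"
)
FUNC_10FAA75 = (
    "control_flow_graph 184 10faa75-10faafe 188 10fab03-10fab0f 184->188 "
    "189 10fab00 184->189 190 10fab14-10fab1d 188->190 191 10fab11 188->191 "
    "189->188 192 10fab1f-10fab43 CreateFileW 190->192 193 10fab6e-10fab73 190->193 "
    "191->190 196 10fab75-10fab7a 192->196 197 10fab45-10fab6b 192->197 "
    "193->192 196->197"
)


@dataclass
class Block:
    node: int                                   # graph node id as printed in the report
    start: int                                  # first instruction address of the block
    end: int                                    # last instruction address of the block
    calls: List[Tuple[str, str]] = field(default_factory=list)
    # ("api", "CreateFileW") for a named import; ("call", "10fa20c") for an internal call


def _parse_addr(tok: str) -> Tuple[int, int]:
    """'53000b8-53000cd' -> (0x53000b8, 0x53000cd); a lone '53000d0' is a one-address block."""
    lo, _, hi = tok.partition("-")
    start = int(lo, 16)
    return start, (int(hi, 16) if hi else start)


def parse_cfg(line: str) -> Tuple[Dict[int, Block], List[Tuple[int, int]]]:
    """Grammar (as observed): NODE := id addr annotation*; annotation := 'call' hex | ApiName;
    EDGE := id'->'id. A node's annotations run until the next edge or the next decimal id."""
    toks = line.split()
    if not toks or toks[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    i = 1
    while i < len(toks):
        m = EDGE_RE.match(toks[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        node = int(toks[i])
        start, end = _parse_addr(toks[i + 1])          # the address always follows the id
        blk = Block(node, start, end)
        i += 2
        while i < len(toks) and not toks[i].isdigit() and not EDGE_RE.match(toks[i]):
            if toks[i] == "call":                      # 'call' always consumes its hex target
                blk.calls.append(("call", toks[i + 1]))
                i += 2
            else:
                blk.calls.append(("api", toks[i]))
                i += 1
        blocks[node] = blk
    return blocks, edges


def entry_nodes(blocks: Dict[int, Block], edges) -> List[int]:
    """Blocks with no incoming edge: the function's entry block(s)."""
    targets = {dst for _, dst in edges}
    return sorted(n for n in blocks if n not in targets)


def api_calls(blocks: Dict[int, Block]) -> List[Tuple[int, str]]:
    """(node, api) for every block that calls a named Windows API."""
    return sorted((b.node, n) for b in blocks.values() for k, n in b.calls if k == "api")


def block_containing(blocks: Dict[int, Block], addr: int) -> Optional[int]:
    """Map an instruction address (e.g. the 'ref:' value in the APIs list) to its block."""
    for b in blocks.values():
        if b.start <= addr <= b.end:
            return b.node
    return None


def successors(edges, node: int) -> List[int]:
    return sorted(dst for src, dst in edges if src == node)


def summarize(line: str) -> dict:
    """Compact triage record: entry address, size, imports and internal call targets."""
    blocks, edges = parse_cfg(line)
    entry = entry_nodes(blocks, edges)
    return {
        "entry": f"{blocks[entry[0]].start:x}" if entry else None,
        "blocks": len(blocks),
        "edges": len(edges),
        "apis": [n for _, n in api_calls(blocks)],
        "internal_calls": sorted({t for b in blocks.values() for k, t in b.calls if k == "call"}),
    }


if __name__ == "__main__":
    for line in (FUNC_53000B8, FUNC_10FAA75):
        print(summarize(line))
```

Run over the CreateFileW entry, `block_containing(blocks, 0x10FAB25)` returns node 192, which is the block the report's `ref: 010FAB25` line points at; over the whole report this is a quick way to list every function that reaches a file, mutex or clipboard API without reading each graph by hand.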

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 200 10faf76-10faff9 204 10faffe-10fb007 200->204 205 10faffb 200->205 206 10fb00c-10fb015 204->206 207 10fb009 204->207 205->204 208 10fb017-10fb03b CreateMutexW 206->208 209 10fb066-10fb06b 206->209 207->206 212 10fb06d-10fb072 208->212 213 10fb03d-10fb063 208->213 209->208 212->213
                                                                                                    APIs
                                                                                                    • CreateMutexW.KERNELBASE(?,?), ref: 010FB01D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateMutex
                                                                                                    • String ID:
                                                                                                    • API String ID: 1964310414-0
                                                                                                    • Opcode ID: b962a429e23d7bbddd23d2b3f98dd09f0fb65fe18658ca831ee2e8593decb456
                                                                                                    • Instruction ID: 97146399ea1375c3975cab397ac6aa52f91e61304836664d847340400cf17843
                                                                                                    • Opcode Fuzzy Hash: b962a429e23d7bbddd23d2b3f98dd09f0fb65fe18658ca831ee2e8593decb456
                                                                                                    • Instruction Fuzzy Hash: 3231A4715093806FE712CB65CC45B96BFF8EF06210F08849EE984CB692D365E908CB62

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 216 10fa636-10fa693 217 10fa696-10fa6ee OleGetClipboard 216->217 219 10fa6f4-10fa70a 217->219
                                                                                                    APIs
                                                                                                    • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 010FA6E6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Clipboard
                                                                                                    • String ID:
                                                                                                    • API String ID: 220874293-0
                                                                                                    • Opcode ID: 9d47bd42f64201edcca11da1e470db51e3b4dd8612e3f13342434b229b2c05e7
                                                                                                    • Instruction ID: 23e59daa089725f6103e757c1869b779b859bd57980dbb7271784bc5a7ec13d7
                                                                                                    • Opcode Fuzzy Hash: 9d47bd42f64201edcca11da1e470db51e3b4dd8612e3f13342434b229b2c05e7
                                                                                                    • Instruction Fuzzy Hash: 2531807504D3C06FD3138B259C61BA1BFB4EF87610F0A80CBE884CB6A3D2296919D772

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 220 10faaa6-10faafe 223 10fab03-10fab0f 220->223 224 10fab00 220->224 225 10fab14-10fab1d 223->225 226 10fab11 223->226 224->223 227 10fab1f-10fab27 CreateFileW 225->227 228 10fab6e-10fab73 225->228 226->225 229 10fab2d-10fab43 227->229 228->227 231 10fab75-10fab7a 229->231 232 10fab45-10fab6b 229->232 231->232
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 010FAB25
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: a2856c4cbe684b7d3dc942c595f7175b049b137f4805ab530324f5d70a689473
                                                                                                    • Instruction ID: 6639744f0c4ebb6ed3a42fdc40cbf0b19ad86b6afbaabbf00bb3f944a6358363
                                                                                                    • Opcode Fuzzy Hash: a2856c4cbe684b7d3dc942c595f7175b049b137f4805ab530324f5d70a689473
                                                                                                    • Instruction Fuzzy Hash: 4A218171604604AFE761CF65CD45B66FBE8EF09714F0488ADEA898BA52D371E408CB72

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 235 10fa9bf-10faa3c 240 10faa3e-10faa51 SetErrorMode 235->240 241 10faa67-10faa6c 235->241 242 10faa6e-10faa73 240->242 243 10faa53-10faa66 240->243 241->240 242->243
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNELBASE(?), ref: 010FAA44
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode
                                                                                                    • String ID:
                                                                                                    • API String ID: 2340568224-0
                                                                                                    • Opcode ID: 713dea06901d0159a261b7aaa9fb7768efc89f1847a2c5df86231a9412e35f4c
                                                                                                    • Instruction ID: 702a323b912d87dccb3f542bb29ff58414422db2b1f633b7b3ee7d8f576c5ee3
                                                                                                    • Opcode Fuzzy Hash: 713dea06901d0159a261b7aaa9fb7768efc89f1847a2c5df86231a9412e35f4c
                                                                                                    • Instruction Fuzzy Hash: 0A21457550E7C0AFD7138B258C65A51BFB4AF57624F0E80DBD9848F6A3C268980DCB72

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 246 10fac37-10facb5 250 10facea-10facef 246->250 251 10facb7-10facca GetFileType 246->251 250->251 252 10faccc-10face9 251->252 253 10facf1-10facf6 251->253 253->252
                                                                                                    APIs
                                                                                                    • GetFileType.KERNELBASE(?,00000E24,D55F265D,00000000,00000000,00000000,00000000), ref: 010FACBD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileType
                                                                                                    • String ID:
                                                                                                    • API String ID: 3081899298-0
                                                                                                    • Opcode ID: 68732509e5e62f1bc9486a9ad86ff9f35db6aa58d8b205bc26ed92ad7f4b3241
                                                                                                    • Instruction ID: 91f57c4f1a60bded9a7584b9b699b7e5e9705dc32314842ee890a6852dc12217
                                                                                                    • Opcode Fuzzy Hash: 68732509e5e62f1bc9486a9ad86ff9f35db6aa58d8b205bc26ed92ad7f4b3241
                                                                                                    • Instruction Fuzzy Hash: D221F6B55083806FE7128B15DC51BE2BFB8DF47314F0880DAE9848B293C264A909C771

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 257 10fafaa-10faff9 260 10faffe-10fb007 257->260 261 10faffb 257->261 262 10fb00c-10fb015 260->262 263 10fb009 260->263 261->260 264 10fb017-10fb01f CreateMutexW 262->264 265 10fb066-10fb06b 262->265 263->262 266 10fb025-10fb03b 264->266 265->264 268 10fb06d-10fb072 266->268 269 10fb03d-10fb063 266->269 268->269
                                                                                                    APIs
                                                                                                    • CreateMutexW.KERNELBASE(?,?), ref: 010FB01D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateMutex
                                                                                                    • String ID:
                                                                                                    • API String ID: 1964310414-0
                                                                                                    • Opcode ID: 812f0b0a2dca3a5e3d91b81fded7cc0d47c97c18698202c705df38de22fbf376
                                                                                                    • Instruction ID: 3117b194efaae6c1c2e71ee428a14e9c2f41f328b43e8a0c1e6e9b975e038c0c
                                                                                                    • Opcode Fuzzy Hash: 812f0b0a2dca3a5e3d91b81fded7cc0d47c97c18698202c705df38de22fbf376
                                                                                                    • Instruction Fuzzy Hash: B921B371600200AFE720CF69CD45BA6FBE8EF05214F04846DEE49CB641D371E408CA72

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 272 10fadce-10fae45 276 10fae89-10fae8e 272->276 277 10fae47-10fae67 WriteFile 272->277 276->277 280 10fae69-10fae86 277->280 281 10fae90-10fae95 277->281 281->280
                                                                                                    APIs
                                                                                                    • WriteFile.KERNELBASE(?,00000E24,D55F265D,00000000,00000000,00000000,00000000), ref: 010FAE4D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3934441357-0
                                                                                                    • Opcode ID: ee4e7cab98c433bd71ada63084fd5979c5161c8bd63d4530e089662dd62a0a5d
                                                                                                    • Instruction ID: a224b21aada5be1f86ed58d3f9f783ec0209eef24d41594ea5e1da5aaffefa1a
                                                                                                    • Opcode Fuzzy Hash: ee4e7cab98c433bd71ada63084fd5979c5161c8bd63d4530e089662dd62a0a5d
                                                                                                    • Instruction Fuzzy Hash: 55219F71505380AFDB22CF55DC45F97BFB8EF46310F08849AEA898B552C325A508CBB6

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 284 10fa586-10fa5f0 286 10fa628-10fa62d 284->286 287 10fa5f2-10fa5fa OleInitialize 284->287 286->287 289 10fa600-10fa612 287->289 290 10fa62f-10fa634 289->290 291 10fa614-10fa627 289->291 290->291
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Initialize
                                                                                                    • String ID:
                                                                                                    • API String ID: 2538663250-0
                                                                                                    • Opcode ID: 22b90bd1c85b0599edf23454d57e58830ee6191ffdea0e084f4a2e5f54550801
                                                                                                    • Instruction ID: 62bd1a242cafaa3d65d81f8124b57ffa52dfaf5a88e91954c926409911b471b0
                                                                                                    • Opcode Fuzzy Hash: 22b90bd1c85b0599edf23454d57e58830ee6191ffdea0e084f4a2e5f54550801
                                                                                                    • Instruction Fuzzy Hash: 4F21497150D3C09FDB538B259C95A52BFB49F47220F0984DBD9848F1A3D2699908C772

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 293 10fa4db-10fa53e 295 10fa578-10fa57d 293->295 296 10fa540-10fa548 DuplicateHandle 293->296 295->296 297 10fa54e-10fa560 296->297 299 10fa57f-10fa584 297->299 300 10fa562-10fa575 297->300 299->300
                                                                                                    APIs
                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010FA546
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DuplicateHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 3793708945-0
                                                                                                    • Opcode ID: e98cc3c7fa2bd04ab6d672103b761118aa9be1f0114947ee70a6887792dea000
                                                                                                    • Instruction ID: 7857e53c1f477309ebfb9aa94244818c644fb86aae068d5945de629a6f482feb
                                                                                                    • Opcode Fuzzy Hash: e98cc3c7fa2bd04ab6d672103b761118aa9be1f0114947ee70a6887792dea000
                                                                                                    • Instruction Fuzzy Hash: 4811A271509780AFDB228F55DC44A62FFF4EF4A310F0884DEEE858B562D335A418DB62

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 302 10fadee-10fae45 305 10fae89-10fae8e 302->305 306 10fae47-10fae4f WriteFile 302->306 305->306 307 10fae55-10fae67 306->307 309 10fae69-10fae86 307->309 310 10fae90-10fae95 307->310 310->309
                                                                                                    APIs
                                                                                                    • WriteFile.KERNELBASE(?,00000E24,D55F265D,00000000,00000000,00000000,00000000), ref: 010FAE4D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3934441357-0
                                                                                                    • Opcode ID: dbe537f40719c2db91fc1de1cdb9a5df85c9b5178b16e1b7746c2eaea58dca7c
                                                                                                    • Instruction ID: 0a70b10de8ef2b8e3ca4610f8cb64349f32e192760087592066a4e34655ddb97
                                                                                                    • Opcode Fuzzy Hash: dbe537f40719c2db91fc1de1cdb9a5df85c9b5178b16e1b7746c2eaea58dca7c
                                                                                                    • Instruction Fuzzy Hash: C211B271600200EFEB21CF55DC45FA6FBE8EF05714F04845AEA498B651C375E5488BB6

                                                                                                    Control-flow Graph (rendered as an image in the report; nodes are coloured Executed / Not Executed there, which the text export does not preserve)
                                                                                                    • Node 313: 10fac6a-10facb5 -> 316, 317
                                                                                                    • Node 316: 10facea-10facef -> 317
                                                                                                    • Node 317: 10facb7-10facca (GetFileType) -> 318, 319
                                                                                                    • Node 318: 10faccc-10face9
                                                                                                    • Node 319: 10facf1-10facf6 -> 318
                                                                                                    APIs
                                                                                                    • GetFileType.KERNELBASE(?,00000E24,D55F265D,00000000,00000000,00000000,00000000), ref: 010FACBD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileType
                                                                                                    • String ID:
                                                                                                    • API String ID: 3081899298-0
                                                                                                    • Opcode ID: 95186bfc45f1f9a1147346fd077318f0522fc64c93f3dfeaba4fb251727521d1
                                                                                                    • Instruction ID: 21d0898232c8af987790e7fbc85291c3dc28c694ea77a312e1944bee980de66f
                                                                                                    • Opcode Fuzzy Hash: 95186bfc45f1f9a1147346fd077318f0522fc64c93f3dfeaba4fb251727521d1
                                                                                                    • Instruction Fuzzy Hash: A601D671600204AFE711CB05DD86BA6F7E8DF45724F08C09AEE488B741D774E5488AB6
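The blocks above, like the rest of this listing, are the plain-text export of the report: each function comes as a flattened control_flow_graph token stream (node id, address range, optional API label, then src->dst edges), an API line with its call-site address, a Memory Dump Source line and a fuzzy hash. The parser below is an added example, not part of the Joe Sandbox report or its tooling; it turns those lines into nodes, edges, call sites and a per-region API summary so a batch of such exports can be triaged offline. The sample input is the WriteFile and GetFileType blocks copied from this section; grouping calls by the region's "based on PE" flag is a triage heuristic assumed here, not something the report asserts.

```python
import re

# Constructed sample input: the WriteFile and GetFileType blocks copied from the
# plain-text export of this report section (bullets and section headers kept).
SAMPLE_REPORT = """\
control_flow_graph 302 10fadee-10fae45 305 10fae89-10fae8e 302->305 306 10fae47-10fae4f WriteFile 302->306 305->306 307 10fae55-10fae67 306->307 309 10fae69-10fae86 307->309 310 10fae90-10fae95 307->310 310->309
APIs
• WriteFile.KERNELBASE(?,00000E24,D55F265D,00000000,00000000,00000000,00000000), ref: 010FAE4D
Memory Dump Source
• Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
• Instruction Fuzzy Hash: C211B271600200EFEB21CF55DC45FA6FBE8EF05714F04845AEA498B651C375E5488BB6
control_flow_graph 313 10fac6a-10facb5 316 10facea-10facef 313->316 317 10facb7-10facca GetFileType 313->317 316->317 318 10faccc-10face9 317->318 319 10facf1-10facf6 317->319 319->318
APIs
• GetFileType.KERNELBASE(?,00000E24,D55F265D,00000000,00000000,00000000,00000000), ref: 010FACBD
Memory Dump Source
• Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
• Instruction Fuzzy Hash: A601D671600204AFE711CB05DD86BA6F7E8DF45724F08C09AEE488B741D774E5488AB6
"""

API_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")
DUMP_RE = re.compile(r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
HASH_RE = re.compile(r"Instruction Fuzzy Hash:\s*([0-9A-Fa-f]+)")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)$")


def parse_cfg(line):
    """Parse one flattened 'control_flow_graph ...' line into (nodes, edges).

    Token order in the export: node id, its address range, an optional API label
    for that basic block, then edges written as 'src->dst' with numeric ids.
    """
    nodes, edges, current = {}, [], None
    for tok in line.split()[1:]:
        edge = EDGE_RE.match(tok)
        rng = RANGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
        elif tok.isdigit():
            current = int(tok)
            nodes[current] = {"start": None, "end": None, "label": None}
        elif rng and current is not None and nodes[current]["start"] is None:
            nodes[current]["start"] = int(rng.group(1), 16)
            nodes[current]["end"] = int(rng.group(2), 16)
        elif current is not None:
            nodes[current]["label"] = tok  # API name attached to the block
    return nodes, edges


def parse_report(text):
    """Group the export into per-function entries: cfg, API calls, dump region, hash."""
    entries, cur = [], None

    def flush():
        nonlocal cur
        if cur is not None and (cur["cfg"] or cur["apis"] or cur["region"] or cur["hash"]):
            entries.append(cur)
        cur = None

    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line.startswith("control_flow_graph"):
            flush()  # a CFG line always opens a new function block
            cur = {"cfg": parse_cfg(line), "apis": [], "region": None, "hash": None}
            continue
        if cur is None:
            cur = {"cfg": None, "apis": [], "region": None, "hash": None}
        m = API_RE.search(line)
        if m:
            name, module, args, ref = m.groups()
            cur["apis"].append({"api": name, "module": module, "args": args.split(","), "ref": int(ref, 16)})
            continue
        m = DUMP_RE.search(line)
        if m:
            cur["region"] = {"file": m.group(1), "offset": int(m.group(2), 16), "pe_backed": m.group(3) == "true"}
            continue
        m = HASH_RE.search(line)
        if m:
            cur["hash"] = m.group(1)  # last field of a block in this export
            flush()
    flush()
    return entries


def apis_by_region(entries):
    """Map each dump region to the APIs called from it plus the call-site addresses.

    Triage heuristic assumed here: calls attributed to a region that is not PE-backed
    come from code not mapped from an on-disk image (JIT output, unpacked or injected
    code); the summary only surfaces the grouping, the analyst decides which it is.
    """
    out = {}
    for e in entries:
        if e["region"] is None:
            continue
        slot = out.setdefault(e["region"]["file"], {"pe_backed": e["region"]["pe_backed"], "apis": set(), "call_sites": []})
        for call in e["apis"]:
            slot["apis"].add(f'{call["module"]}!{call["api"]}')
            slot["call_sites"].append(call["ref"])
    for slot in out.values():
        slot["apis"] = sorted(slot["apis"])
        slot["call_sites"] = sorted(slot["call_sites"])
    return out


if __name__ == "__main__":
    for region, info in apis_by_region(parse_report(SAMPLE_REPORT)).items():
        print(region, "PE-backed" if info["pe_backed"] else "not PE-backed", info["apis"])
```

Run it over a whole exported report rather than the embedded sample to get one line per dump region; the call-site list is what you feed back into the dump (or a debugger) to confirm which basic block made each call.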
                                                                                                    APIs
                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010FA546
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DuplicateHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 3793708945-0
                                                                                                    • Opcode ID: 66aff8378a77c5ad2afa04322a36c488832a2cb1bdf491085058e5a481f2dbd7
                                                                                                    • Instruction ID: a43c97bd5758ccd8664ed975747d3752981061eb193326f19f03956796fedba9
                                                                                                    • Opcode Fuzzy Hash: 66aff8378a77c5ad2afa04322a36c488832a2cb1bdf491085058e5a481f2dbd7
                                                                                                    • Instruction Fuzzy Hash: D0018B32A00600DFDB21CF55D845B56FBE0EF09720F08889EDE894BA52D336E418CF62
                                                                                                    APIs
                                                                                                    • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 010FA6E6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Clipboard
                                                                                                    • String ID:
                                                                                                    • API String ID: 220874293-0
                                                                                                    • Opcode ID: c55e6bcd8f5a6f5bd99895f4d37e86bd6f7c2d2244a65f1165afd5d3f3b42a65
                                                                                                    • Instruction ID: 14f42f9d3051d67d5a4d73f4bc5f19d1ebae965049fef6c4dfcff29b21ef5937
                                                                                                    • Opcode Fuzzy Hash: c55e6bcd8f5a6f5bd99895f4d37e86bd6f7c2d2244a65f1165afd5d3f3b42a65
                                                                                                    • Instruction Fuzzy Hash: C601A271500600ABD210DF16CD46B66FBE8FB88A20F148159ED089BB41D731F955CBE5
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Initialize
                                                                                                    • String ID:
                                                                                                    • API String ID: 2538663250-0
                                                                                                    • Opcode ID: 723fac66cd12316a987831ce7dff68f37f77ca803f5bbf48068dcfabd12c5fd3
                                                                                                    • Instruction ID: 9079a16c5e8f82732717e05b57cca0e1e968250b81492f020c495c46430b8457
                                                                                                    • Opcode Fuzzy Hash: 723fac66cd12316a987831ce7dff68f37f77ca803f5bbf48068dcfabd12c5fd3
                                                                                                    • Instruction Fuzzy Hash: A401A271A04240DFDB50CF15D886765FBE4DF45720F08C4AEDE498F642D379E444CA62
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNELBASE(?), ref: 010FAA44
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode
                                                                                                    • String ID:
                                                                                                    • API String ID: 2340568224-0
                                                                                                    • Opcode ID: e469acd7abd6064cd3480a3081bec9ebb4bb14695bd648d1e40c9a337a1bdbcb
                                                                                                    • Instruction ID: 7daaee1c9165140146f269c5206a94bdfa117a5e275cfbb0edefa9f586e80ce0
                                                                                                    • Opcode Fuzzy Hash: e469acd7abd6064cd3480a3081bec9ebb4bb14695bd648d1e40c9a337a1bdbcb
                                                                                                    • Instruction Fuzzy Hash: E1F08C75A00640DFDB608F05D986B65FBE4EF05624F08C09ADE894BB52D379E50CCEA2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2253628189.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_5300000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2l
                                                                                                    • API String ID: 0-2574689970
                                                                                                    • Opcode ID: 250c5caea2e2f1c30fa7a53df842090d78e62a72fa995fe387b3b178dd7e471a
                                                                                                    • Instruction ID: 3d4f5ae961a082755fecbbc60423ec02330f0c9d39a6af958f0dfa7e171744d8
                                                                                                    • Opcode Fuzzy Hash: 250c5caea2e2f1c30fa7a53df842090d78e62a72fa995fe387b3b178dd7e471a
                                                                                                    • Instruction Fuzzy Hash: 5C415D30A00219CFDB18DFB5C955BECB7B2BF85308F0045A9D009AB695DB799E84CF52
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2253628189.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_5300000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: :@k
                                                                                                    • API String ID: 0-2277858631
                                                                                                    • Opcode ID: a3206fdfcf070c7a07cefde99543f54df70ff78a53b525f2d205dbd9fb658414
                                                                                                    • Instruction ID: 0ae4f12ca8063af0375af24c38fdc2ff7ef9f43c76b4dd1f1800ffede1300866
                                                                                                    • Opcode Fuzzy Hash: a3206fdfcf070c7a07cefde99543f54df70ff78a53b525f2d205dbd9fb658414
                                                                                                    • Instruction Fuzzy Hash: A631F631B00212AFDB08AB75D8157BF33ABEB98208F544429C405D77A4EF3C8C8AC792
                                                                                                    APIs
                                                                                                    • CloseHandle.KERNELBASE(?), ref: 010FABF0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 2962429428-0
                                                                                                    • Opcode ID: 291046ca14f40ab93925cb2d4343f41ad7e3ef9bbea0f4fcda566cabfe65b10c
                                                                                                    • Instruction ID: 8824087935ccf36fd15c3accb257521084f86efe165239ff2599f6c33064b040
                                                                                                    • Opcode Fuzzy Hash: 291046ca14f40ab93925cb2d4343f41ad7e3ef9bbea0f4fcda566cabfe65b10c
                                                                                                    • Instruction Fuzzy Hash: DB21CFB550A7C09FDB138B25DC95752BFB8AF07220F0984DBDD858F6A3D2649809CB62
                                                                                                    APIs
                                                                                                    • CloseHandle.KERNELBASE(?), ref: 010FABF0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252616607.00000000010FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FA000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10fa000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 2962429428-0
                                                                                                    • Opcode ID: 7c51cdae8039e8a9ee8e5a3a07038ebd433d07089ad1113e40266f5aeb4ba609
                                                                                                    • Instruction ID: bd92795c18f07dbaf1490ae5949c0e95e4825f725c16f7899c991e86e7632fba
                                                                                                    • Opcode Fuzzy Hash: 7c51cdae8039e8a9ee8e5a3a07038ebd433d07089ad1113e40266f5aeb4ba609
                                                                                                    • Instruction Fuzzy Hash: E5018F75A04244DFDB50CF1AD8867A6FBE4DF05220F08C4AFDE498BA52D275E408CAA2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2253628189.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_5300000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1f6778ac39985d1a5744d7db912587a6df694f6d8fe9fce5c5127b4d878b92b0
                                                                                                    • Instruction ID: e37c5b461bab9859902d88a32667edc8fa72537e3e7d9cf8efc09a99086bc1f3
                                                                                                    • Opcode Fuzzy Hash: 1f6778ac39985d1a5744d7db912587a6df694f6d8fe9fce5c5127b4d878b92b0
                                                                                                    • Instruction Fuzzy Hash: BF01D06240E3C26FD3038734DC652857F70AF13214B8E45DBD090CF1A7E6AC8889C762
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2253302462.0000000001730000.00000040.00000020.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_1730000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b6bad5da8e0a3b6fc08e5a7e8b8434e6022d08f2d4f67fc54645e9f6e0c9b26b
                                                                                                    • Instruction ID: e962f810d41bb8611e91f05104161bd2ba68fafbb594915beeb37538208e0f31
                                                                                                    • Opcode Fuzzy Hash: b6bad5da8e0a3b6fc08e5a7e8b8434e6022d08f2d4f67fc54645e9f6e0c9b26b
                                                                                                    • Instruction Fuzzy Hash: 4E01DB755097846FC7118F15AC40862FFB8DF86230709C49FEC4987652C125B909CB72
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2253628189.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_5300000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5e56702e03edf3c3122d54ac82dc0feeb1d3ec6e8503f6c09ba367b1652e9ce7
                                                                                                    • Instruction ID: 18ef2fbdf6e770f5a5999497c94661a0a407e307a5466aa4c9fe461b14c24c9e
                                                                                                    • Opcode Fuzzy Hash: 5e56702e03edf3c3122d54ac82dc0feeb1d3ec6e8503f6c09ba367b1652e9ce7
                                                                                                    • Instruction Fuzzy Hash: DF013534606207DFCB04EB78D248598B7E2EF95308B10882CE5958B719EF349C94DB43
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2253628189.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_5300000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0f58eb6372cf9caa14163a352f784598dbf38792df5931aa172d48b691b5cd4f
                                                                                                    • Instruction ID: 50a1fd19cb5c1e50702bf2908a05a3e14c13524dd3158b84347d714772231f3c
                                                                                                    • Opcode Fuzzy Hash: 0f58eb6372cf9caa14163a352f784598dbf38792df5931aa172d48b691b5cd4f
                                                                                                    • Instruction Fuzzy Hash: A5F0F676A00304AFEB08DB7088117AEBBB2DFC2228F0081BED541DB1C4DA324C418790
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2253302462.0000000001730000.00000040.00000020.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_1730000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c4e258c51c3f448dcddfd5238753691a9e845c2ce6cc9f5ba53cfb48141d0ac0
                                                                                                    • Instruction ID: d5e75ca4a7bd1674bfcb5c0e76c3e7b6aa1f6999b470d1829607523cd2144bc4
                                                                                                    • Opcode Fuzzy Hash: c4e258c51c3f448dcddfd5238753691a9e845c2ce6cc9f5ba53cfb48141d0ac0
                                                                                                    • Instruction Fuzzy Hash: B6E092B6600A005B9750CF0BEC41452F7D8EB88630708C07FDC0D8B701D635F509CAA5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2253628189.0000000005300000.00000040.00000800.00020000.00000000.sdmp, Offset: 05300000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_5300000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 78834356369e3cf710e97a6643e327ff44a46c458bf3f42c24ce273201b24cef
                                                                                                    • Instruction ID: 488e62063ef59a75f14e376f9b373da1a35fefe12d561ef5fcde37602fa5ea12
                                                                                                    • Opcode Fuzzy Hash: 78834356369e3cf710e97a6643e327ff44a46c458bf3f42c24ce273201b24cef
                                                                                                    • Instruction Fuzzy Hash: EBE0C271205305CFD7192F74910805D3B62EBD5349B9104BDC04686788DB3A8882CB00
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252588022.00000000010F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F2000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10f2000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9a497fc03ee45d4c0f6f524c8d619b361bb194beb10c463931ae1bb135cfed51
                                                                                                    • Instruction ID: def154dd73330c0d3860a29ea10a59d4a6425e3af3ab2badba1b9618ebb8ff5a
                                                                                                    • Opcode Fuzzy Hash: 9a497fc03ee45d4c0f6f524c8d619b361bb194beb10c463931ae1bb135cfed51
                                                                                                    • Instruction Fuzzy Hash: E2D02E792006C04FE3138A0CC1A5B853BE8AB60704F0A00FEA8408BB63CBA8E4C1C200
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000012.00000002.2252588022.00000000010F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F2000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_18_2_10f2000_Explore.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9b39aa3a8564c6af10b7a72cdd958f64c68afeb223b839fdc1220b801aad5661
                                                                                                    • Instruction ID: 8c66ea6efe92543e4347b0bbe954f02aa4cf75efd269a93c24dc40363223bd90
                                                                                                    • Opcode Fuzzy Hash: 9b39aa3a8564c6af10b7a72cdd958f64c68afeb223b839fdc1220b801aad5661
                                                                                                    • Instruction Fuzzy Hash: B3D05E742006814BD715DA0CC6D5F593BD8AB50B14F1A84ECAD508BB62C7A4D8C5CA00

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:13.4%
                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                    Signature Coverage:0%
                                                                                                    Total number of Nodes:52
                                                                                                    Total number of Limit Nodes:4
                                                                                                    Executed API call paths recovered from the graph export (calling node -> node that reaches the API -> successor):
                                                                                                    • OleInitialize: 146a5c6 -> 146a5f2 (also via 146a628) -> 146a600; and 146a586 -> 146a5c6 -> 146a600
                                                                                                    • OleGetClipboard: 146a636 -> 146a696 -> 146a6f4
                                                                                                    • CreateFileW: 146aaa6 -> 146aade -> 146ab2d; and 146aa75 -> 146aaa6 -> 146ab2d
                                                                                                    • GetFileType: 146ac37 -> 146ac6a -> 146accc
                                                                                                    • WriteFile: 146adee -> 146ae23 -> 146ae55; and 146adce -> 146adee -> 146ae55
                                                                                                    • DuplicateHandle: 146a502 -> 146a540 (also via 146a578) -> 146a54e; and 146a4db -> 146a502 -> 146a54e
                                                                                                    • CloseHandle: 146abbe -> 146abea (also via 146ac29) -> 146abf8; and 146ab7c -> 146abbe -> 146abf8
                                                                                                    • SetErrorMode: 146aa12 -> 146aa3e (also via 146aa67) -> 146aa53; and 146a9bf -> 146a9c9 -> 146aa53
                                                                                                    • CreateMutexW: 146afaa -> 146afe2 -> 146b025; and 146af76 -> 146afaa -> 146b025
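
An added example, not part of the Joe Sandbox report: a small parser that turns the flattened `execution_graph` and `callgraph` token streams found in text exports of these reports back into nodes, edges and API call sites, so that APIs of interest (OleGetClipboard, CreateMutexW, CreateFileW) can be pivoted to the function that reaches them without reading the dump by eye. The grammar it assumes (a decimal node id followed by a hex address or `Function_<HEX>` label, bare API names attached to the last declared node, `a->b` edges) is inferred from this report's own export and is an assumption, not a documented format; the two embedded excerpts are copied from this report's execution graph and callgraph.

```python
"""Parser for the flattened graph token streams that appear in text exports of
Joe Sandbox reports (the single-line ``execution_graph ...`` and ``callgraph ...``
dumps). Grammar, inferred from such exports and therefore an assumption:
  <decimal id> <label>   declares a node; label is a hex address or Function_<HEX>
  <API name>             a Windows API reached in the most recently declared node
  <id>-><id>             a directed edge between two declared nodes
"""
import re
from dataclasses import dataclass, field

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_LABEL = re.compile(r"^(?:Function_)?([0-9A-Fa-f]+)$")
_API = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Excerpts copied from this report's execution graph and callgraph exports.
EXECUTION_GRAPH_EXCERPT = (
    "execution_graph 1373 146a5c6 1374 146a5f2 OleInitialize 1373->1374 1375 146a628 "
    "1373->1375 1376 146a600 1374->1376 1375->1374 1377 146aaa6 1378 146aade CreateFileW "
    "1377->1378 1380 146ab2d 1378->1380 1428 146a586 1430 146a5c6 OleInitialize 1428->1430 "
    "1431 146a600 1430->1431 1432 146a636 1433 146a696 OleGetClipboard 1432->1433 "
    "1435 146a6f4 1433->1435 1393 146afaa 1394 146afe2 CreateMutexW 1393->1394 "
    "1396 146b025 1394->1396"
)
CALLGRAPH_EXCERPT = ("callgraph 10 Function_056701F0 25 Function_01370606 10->25 "
                     "11 Function_056740F0 68 Function_05674280 68->11")


@dataclass
class Node:
    addr: int                                   # code address as an int
    apis: list = field(default_factory=list)    # APIs reached inside this node


def parse_graph(dump):
    """Return (nodes, edges): nodes maps node id -> Node, edges is a list of
    (src_id, dst_id). Any token outside the grammar raises ValueError so a
    truncated or mangled export fails loudly instead of silently dropping sites."""
    tokens = dump.split()[1:]          # drop the leading graph name
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = _EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and _LABEL.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = Node(addr=int(_LABEL.match(tokens[i + 1]).group(1), 16))
            i += 2
        elif current is not None and _API.match(tok):
            nodes[current].apis.append(tok)
            i += 1
        else:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
    for src, dst in edges:
        if src not in nodes or dst not in nodes:
            raise ValueError(f"edge {src}->{dst} references an undeclared node")
    return nodes, edges


def api_call_sites(nodes):
    """Sorted, de-duplicated (address, api) pairs: every point where the graph
    shows control reaching a Windows API."""
    return sorted({(n.addr, api) for n in nodes.values() for api in n.apis})


def callers_of(api, nodes, edges):
    """For each address whose node reaches `api`, the sorted addresses of its
    direct predecessors: the pivot from an API of interest back to its caller."""
    out = {}
    for nid, node in nodes.items():
        if api in node.apis:
            preds = {nodes[src].addr for src, dst in edges if dst == nid}
            out.setdefault(node.addr, set()).update(preds)
    return {addr: sorted(preds) for addr, preds in out.items()}


def report(nodes, edges):
    """One line per API site, e.g. '146a696 OleGetClipboard <- 146a636'."""
    lines = []
    for addr, api in api_call_sites(nodes):
        preds = callers_of(api, nodes, edges)[addr]
        lines.append(f"{addr:x} {api} <- " + ", ".join(f"{p:x}" for p in preds))
    return lines


if __name__ == "__main__":
    n, e = parse_graph(EXECUTION_GRAPH_EXCERPT)
    print("\n".join(report(n, e)))
    cn, ce = parse_graph(CALLGRAPH_EXCERPT)
    print("callgraph edges:", [(f"{cn[s].addr:08x}", f"{cn[d].addr:08x}") for s, d in ce])
```

Addresses are normalised to integers so the `146a5c6` spelling of the execution graph and the `Function_0146A5C6` spelling of the callgraph compare equal; a token that fits none of the three forms raises rather than being skipped, because a silently dropped API site is the worst failure mode for triage.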

                                                                                                    Callgraph

                                                                                                    Functions by memory region:
                                                                                                    • 0137xxxx: 01370003, 01370074, 0137026D, 013705C0, 013705D0, 01370606, 01370648, 0137066A, 0137067F, 01370740
                                                                                                    • 01462xxx: 01462006, 01462098, 014620D0, 0146213C, 01462194, 014621F0, 01462264, 01462364, 014623BC, 014623F4, 01462430, 01462458, 0146247C, 014625D1, 0146268D
                                                                                                    • 0146Axxx/0146Bxxx: 0146A005, 0146A02E, 0146A078, 0146A0BE, 0146A140, 0146A186, 0146A20C, 0146A23A, 0146A2B0, 0146A2D2, 0146A2FE, 0146A384, 0146A3A8, 0146A3CA, 0146A44A, 0146A472, 0146A4DB, 0146A502, 0146A586, 0146A5C6, 0146A636, 0146A696, 0146A70C, 0146A72E, 0146A794, 0146A7D1, 0146A836, 0146A865, 0146A9BF, 0146AA12, 0146AA75, 0146AAA6, 0146AB7C, 0146ABBE, 0146AC37, 0146AC6A, 0146ACF8, 0146AD52, 0146ADCE, 0146ADEE, 0146AE97, 0146AED2, 0146AF76, 0146AFAA, 0146B074, 0146B0B2
                                                                                                    • 0567xxxx: 05670006, 056700A8, 056700B8, 05670118, 056701F0, 056702A2, 056702B1, 056702C0, 05670449, 0567265A, 05673011, 056736A8, 056739C0, 05673B0E, 056740A8, 056740DF, 056740F0, 056741E1, 05674200, 05674210, 05674238, 05674280
                                                                                                    Recorded calls (caller -> callees):
                                                                                                    • 056700A8 -> 056739C0, 01370606, 0146A20C, 056736A8, 0146A23A
                                                                                                    • 056700B8 -> 056739C0, 01370606, 0146A20C, 056736A8, 0146A23A
                                                                                                    • 05670118 -> 056739C0, 01370606, 056736A8
                                                                                                    • 056701F0 -> 01370606
                                                                                                    • 056702B1 -> 056700B8
                                                                                                    • 056702C0 -> 056700B8
                                                                                                    • 056740A8 -> 01370606
                                                                                                    • 05674280 -> 056740F0
                                                                                                    • 01370648 -> 0137066A

                                                                                                    Control-flow Graph

                                                                                                    Basic blocks 56700b8-56701de. The call at 56700d0 is recorded with targets 1370606, 146a20c and 146a23a; the call at 56701d5 with targets 1370606, 56739c0 and 56736a8.
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2368692111.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_5670000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2l$2l$5]Tk^$E]Tk^
                                                                                                    • API String ID: 0-3143303430
                                                                                                    • Opcode ID: 997f67846fae7af98395502ad74a8480cfb740021541e41987c23111973c46ff
                                                                                                    • Instruction ID: 2a7c1873d4925dfd8f4d326ebcedbb6c3cb864a12f1dc5d03460adf2a88cc8aa
                                                                                                    • Opcode Fuzzy Hash: 997f67846fae7af98395502ad74a8480cfb740021541e41987c23111973c46ff
                                                                                                    • Instruction Fuzzy Hash: 9C3134317083815FD7199B759851BAE3BA7AB93218F0484AFC004CB392CF7A9C05C7A2

                                                                                                    Control-flow Graph

                                                                                                    Basic blocks 5670118-56701de. The call at 56701d5 is recorded with targets 1370606, 56739c0 and 56736a8.
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2368692111.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_5670000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2l$2l$5]Tk^$E]Tk^
                                                                                                    • API String ID: 0-3143303430
                                                                                                    • Opcode ID: 03fbc202656942cc4a6cb8d7da3fff7ffdcd2281f9f4a9fe18ff1b3166b6d94d
                                                                                                    • Instruction ID: 1ed7a38d25c69cdcc1bd483ed24673db129bf5a6ac96feac79f8fb83fca4563d
                                                                                                    • Opcode Fuzzy Hash: 03fbc202656942cc4a6cb8d7da3fff7ffdcd2281f9f4a9fe18ff1b3166b6d94d
                                                                                                    • Instruction Fuzzy Hash: 3B1102317042914FC329AB76A411BF927E7ABE721C30468AFC005CB751CFB98C098BA3

                                                                                                    Control-flow Graph

                                                                                                    Basic blocks 56736a8-567409d; no API calls recorded.
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2368692111.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_5670000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: \Ol$2l$YTk^
                                                                                                    • API String ID: 0-182819475
                                                                                                    • Opcode ID: dd2574fe58c6e0aadcf93e545c109e10690949797eecedd85df6c86a1ede8263
                                                                                                    • Instruction ID: 8e3c76e03c4cf719a20f3d5870efe8404514c910849271d3b3874c0a3c0a3f6a
                                                                                                    • Opcode Fuzzy Hash: dd2574fe58c6e0aadcf93e545c109e10690949797eecedd85df6c86a1ede8263
                                                                                                    • Instruction Fuzzy Hash: 4F321430A00259CFEB24DF74C955BADB7B2FB49308F1045A9D509AB3A4DB799E82CF50

                                                                                                    Control-flow Graph

                                                                                                    Basic blocks 56739c0-567409d; no API calls recorded.
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2368692111.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_5670000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 2l$YTk^
                                                                                                    • API String ID: 0-1889258510
                                                                                                    • Opcode ID: 8db2ddbaf301c8b833a453d8c1c03efaf6891df2f0051c4e636cc5b8bae224df
                                                                                                    • Instruction ID: 0c968fb6f8b2453490c20f33a8ba34ddae56835f38a4917e5712568736e629d6
                                                                                                    • Opcode Fuzzy Hash: 8db2ddbaf301c8b833a453d8c1c03efaf6891df2f0051c4e636cc5b8bae224df
                                                                                                    • Instruction Fuzzy Hash: B4415830A002598FDB14DFB4C955BECB7B2BB99308F0045AAD009AB764DB788E45CF62

                                                                                                    Control-flow Graph

                                                                                                    Basic blocks 146aa75-146ab7a; CreateFileW is called from block 146ab1f-146ab43.
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0146AB25
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: 5c81227b24d2ad456a52b4478c988dee27fe363e80c835a9a2662999ba9d4b99
                                                                                                    • Instruction ID: 4fad9f4f00ddfc533ae4e55b876da88d7583d6e7b2deec3104de6e2e448b3aee
                                                                                                    • Opcode Fuzzy Hash: 5c81227b24d2ad456a52b4478c988dee27fe363e80c835a9a2662999ba9d4b99
                                                                                                    • Instruction Fuzzy Hash: 2C3192715087406FE721CF65CC44F56BFF8EF06614F08889EE9458B252D375E808CB61

                                                                                                    Control-flow Graph

                                                                                                    Basic blocks 146af76-146b072; CreateMutexW is called from block 146b017-146b03b.
                                                                                                    APIs
                                                                                                    • CreateMutexW.KERNELBASE(?,?), ref: 0146B01D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateMutex
                                                                                                    • String ID:
                                                                                                    • API String ID: 1964310414-0
                                                                                                    • Opcode ID: 5b7623ffbab2ceccae3fc4bd1373d0683ed48a782d8405e9c705bad12e1c06f8
                                                                                                    • Instruction ID: e119e9ecbcbb0bdcd4ac34b553fc969ccba29f18b12821266ebcea6091debf5c
                                                                                                    • Opcode Fuzzy Hash: 5b7623ffbab2ceccae3fc4bd1373d0683ed48a782d8405e9c705bad12e1c06f8
                                                                                                    • Instruction Fuzzy Hash: 3931A4B15097805FE711CB65CC55B96BFF8EF06214F08849AE944CB2A2D375E908C772

                                                                                                    Control-flow Graph

                                                                                                    Basic blocks 146a636-146a70a; OleGetClipboard is called from block 146a696-146a6ee.
                                                                                                    APIs
                                                                                                    • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0146A6E6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Clipboard
                                                                                                    • String ID:
                                                                                                    • API String ID: 220874293-0
                                                                                                    • Opcode ID: 924d97d89bb7a1522149e9ad5eb6e5248451746f2267a636c0143ec159f7e68a
                                                                                                    • Instruction ID: 3c7c249d9eb46b50c6398f5df6437d71074658a1f26608bce3840689449f7454
                                                                                                    • Opcode Fuzzy Hash: 924d97d89bb7a1522149e9ad5eb6e5248451746f2267a636c0143ec159f7e68a
                                                                                                    • Instruction Fuzzy Hash: 52317E7514D3C06FD3138B259C61BA1BFB4EF87610F0A80CBE884CB6A3D2296919D772

                                                                                                    Control-flow Graph

                                                                                                    Basic blocks 146aaa6-146ab7a; CreateFileW is called from block 146ab1f-146ab27.
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0146AB25
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: 91b4190fc4f32c4f5081b15d9f67c3de6f3ce7294baceedd638de3d2fe389bb8
                                                                                                    • Instruction ID: c65257d3828bc0826a2765efdfc3502a2ca37678ce93423211d6c7205386782c
                                                                                                    • Opcode Fuzzy Hash: 91b4190fc4f32c4f5081b15d9f67c3de6f3ce7294baceedd638de3d2fe389bb8
                                                                                                    • Instruction Fuzzy Hash: BD21D171600600AFEB21CF65CC44F66FBE8EF04624F14886AEA499B751D371E408CB76

                                                                                                     Control-flow Graph
                                                                                                     • Blocks 0x146ac37 to 0x146acf6; GetFileType is called in block 0x146acb7-0x146acca
                                                                                                    APIs
                                                                                                    • GetFileType.KERNELBASE(?,00000E24,13696E37,00000000,00000000,00000000,00000000), ref: 0146ACBD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileType
                                                                                                    • String ID:
                                                                                                    • API String ID: 3081899298-0
                                                                                                    • Opcode ID: b81f2ba10a55c05bc428609ec2356ea6559aca7b678642bfbe3c91ffd3ea6667
                                                                                                    • Instruction ID: 6a8b2a334fff2dd1a533ebafed2c94135e023ebd832afda458a51f9e3b5b3cb7
                                                                                                    • Opcode Fuzzy Hash: b81f2ba10a55c05bc428609ec2356ea6559aca7b678642bfbe3c91ffd3ea6667
                                                                                                    • Instruction Fuzzy Hash: 5521C3B55097806FE7128B15DC50BE2BFB8EF47324F1880DBE9848B293D264A909D776

                                                                                                     Control-flow Graph
                                                                                                     • Blocks 0x146a9bf to 0x146aa73; SetErrorMode is called in block 0x146aa3e-0x146aa51
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNELBASE(?), ref: 0146AA44
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode
                                                                                                    • String ID:
                                                                                                    • API String ID: 2340568224-0
                                                                                                    • Opcode ID: f6c2c878a67a6e112f139821f8d4396e98028fa64244ab259e68c1b8ef6cbeed
                                                                                                    • Instruction ID: 09db32c052a2477f85c96c1848d98802eeff763352c7e493e30f3b9d2564f42e
                                                                                                    • Opcode Fuzzy Hash: f6c2c878a67a6e112f139821f8d4396e98028fa64244ab259e68c1b8ef6cbeed
                                                                                                    • Instruction Fuzzy Hash: A6214A6550E7C09FD7138B259C64A52BF74AF53624F0E80DBD9848F6A3D1685808C773

                                                                                                     Control-flow Graph
                                                                                                     • Blocks 0x146afaa to 0x146b072; CreateMutexW is called in block 0x146b017-0x146b01f
                                                                                                    APIs
                                                                                                    • CreateMutexW.KERNELBASE(?,?), ref: 0146B01D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateMutex
                                                                                                    • String ID:
                                                                                                    • API String ID: 1964310414-0
                                                                                                    • Opcode ID: f91a7502d5d9816cffdb2a83a6043db3115a94d743b7a1ce98d30b956589872a
                                                                                                    • Instruction ID: dce604155afc0b1b1e2f160278d38de29a29303e80bc32544f67b664b6068519
                                                                                                    • Opcode Fuzzy Hash: f91a7502d5d9816cffdb2a83a6043db3115a94d743b7a1ce98d30b956589872a
                                                                                                    • Instruction Fuzzy Hash: E721AFB16042009FE720CB69CD45BA6FBE8EF05224F04846AED48CB751D371E808CA76

                                                                                                     Control-flow Graph
                                                                                                     • Blocks 0x146adce to 0x146ae95; WriteFile is called in block 0x146ae47-0x146ae67
                                                                                                    APIs
                                                                                                    • WriteFile.KERNELBASE(?,00000E24,13696E37,00000000,00000000,00000000,00000000), ref: 0146AE4D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3934441357-0
                                                                                                    • Opcode ID: da546e59f23879a944952d50cc43079cd444009e524d6d0905ee0db5937d9c26
                                                                                                    • Instruction ID: 0f2ffb184a4aa88b4bb3b0b57831da9f29cf84704cc49c2f973e1721c7f81c30
                                                                                                    • Opcode Fuzzy Hash: da546e59f23879a944952d50cc43079cd444009e524d6d0905ee0db5937d9c26
                                                                                                    • Instruction Fuzzy Hash: 0621C271505340AFDB22CF55DC44F97BFB8EF45224F08849AE9449B252C334A408CBB6

                                                                                                     Control-flow Graph
                                                                                                     • Blocks 0x146a586 to 0x146a634; OleInitialize is called in block 0x146a5f2-0x146a5fa
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Initialize
                                                                                                    • String ID:
                                                                                                    • API String ID: 2538663250-0
                                                                                                    • Opcode ID: 020b561f75744077fe90a7c5bcb586676d070ca7b2224c1bc481212fb3f41e28
                                                                                                    • Instruction ID: f28e2ca40ea0f7bd2430b5921478114f37a651d82bccff37e0d0a0a7a5bb94f9
                                                                                                    • Opcode Fuzzy Hash: 020b561f75744077fe90a7c5bcb586676d070ca7b2224c1bc481212fb3f41e28
                                                                                                    • Instruction Fuzzy Hash: BD21477190E3C05FDB138B259C94A92BFB49F47224F0984DBD9849F2A3D2699908CB62

                                                                                                     Control-flow Graph
                                                                                                     • Blocks 0x146a4db to 0x146a584; DuplicateHandle is called in block 0x146a540-0x146a548
                                                                                                    APIs
                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0146A546
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DuplicateHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 3793708945-0
                                                                                                    • Opcode ID: 3ca03a249e9ec4d89dae84d9c35c7645a77fc3d4887d19fc91587bc5d87dddc6
                                                                                                    • Instruction ID: 9f485626314ceeb367b7249ba4a6d7c83fcabb4418849da41af3d89317e1bdd2
                                                                                                    • Opcode Fuzzy Hash: 3ca03a249e9ec4d89dae84d9c35c7645a77fc3d4887d19fc91587bc5d87dddc6
                                                                                                    • Instruction Fuzzy Hash: 1411A271409780AFDB228F54DC44A62FFF8EF4A320F08849AED858B563D335A418DB62

                                                                                                     Control-flow Graph
                                                                                                     • Blocks 0x146adee to 0x146ae95; WriteFile is called in block 0x146ae47-0x146ae4f
                                                                                                    APIs
                                                                                                    • WriteFile.KERNELBASE(?,00000E24,13696E37,00000000,00000000,00000000,00000000), ref: 0146AE4D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3934441357-0
                                                                                                    • Opcode ID: e48a6e0503caca20102832e397e58909af2f54a6c5c630644a81ee59a126244e
                                                                                                    • Instruction ID: 0adb04cc2d73690e0c5aa511dea75d3d3643b9b174136225ac878d72399611d5
                                                                                                    • Opcode Fuzzy Hash: e48a6e0503caca20102832e397e58909af2f54a6c5c630644a81ee59a126244e
                                                                                                    • Instruction Fuzzy Hash: 7F11EF72600700AFEB21CF55DC44FA6FBACEF04324F18845AE9499B651C330A408CBB6
                                                                                                    APIs
                                                                                                    • GetFileType.KERNELBASE(?,00000E24,13696E37,00000000,00000000,00000000,00000000), ref: 0146ACBD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileType
                                                                                                    • String ID:
                                                                                                    • API String ID: 3081899298-0
                                                                                                    • Opcode ID: f1db0d95bb06505d63bcaab08d69911de185aa2b94a09e9a771e012099aa9240
                                                                                                    • Instruction ID: a107b181fa1e4d59d6a78e1718ad12918cc952aab16856af72ada914910d2010
                                                                                                    • Opcode Fuzzy Hash: f1db0d95bb06505d63bcaab08d69911de185aa2b94a09e9a771e012099aa9240
                                                                                                    • Instruction Fuzzy Hash: C40122B1600600AFE720CB09DC84BE6F7ACDF05628F18C096EE099B752D374E54CCAB6
                                                                                                    APIs
                                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0146A546
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DuplicateHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 3793708945-0
                                                                                                    • Opcode ID: 6d2cf46d485e48efcc8b139b94c3ad6b1e19fbbcdbd485284b516d064c6e3dde
                                                                                                    • Instruction ID: 384898551df14ef1751890583fb1f0dd7fb169aa78425f275bbc201d93243153
                                                                                                    • Opcode Fuzzy Hash: 6d2cf46d485e48efcc8b139b94c3ad6b1e19fbbcdbd485284b516d064c6e3dde
                                                                                                    • Instruction Fuzzy Hash: 4201AD329007009FDB21CF55D844B66FBE4EF19324F18889ADE495B622D336E418DF62
                                                                                                    APIs
                                                                                                    • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0146A6E6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Clipboard
                                                                                                    • String ID:
                                                                                                    • API String ID: 220874293-0
                                                                                                    • Opcode ID: b74792a2d91e7e86ad10a816a8807840bffe540509c006caef25f328534ce1de
                                                                                                    • Instruction ID: 47b79633c55960ea8e7d55c94a51b83c2ebc9163fb38451d62dda99b216c74e1
                                                                                                    • Opcode Fuzzy Hash: b74792a2d91e7e86ad10a816a8807840bffe540509c006caef25f328534ce1de
                                                                                                    • Instruction Fuzzy Hash: 2001D671600200AFD310DF16CD46B66FBE8FB88A20F148159EC089BB41D731F955CBE5
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Initialize
                                                                                                    • String ID:
                                                                                                    • API String ID: 2538663250-0
                                                                                                    • Opcode ID: ced2a8e76d97897a57e51c8b655ce3400bc42d53b89fc875a87a3d5489edbfe9
                                                                                                    • Instruction ID: 35b39062f2d1b3e9c5c483d2e1ec505cedb6eed1c623354df79167a004acd8a2
                                                                                                    • Opcode Fuzzy Hash: ced2a8e76d97897a57e51c8b655ce3400bc42d53b89fc875a87a3d5489edbfe9
                                                                                                    • Instruction Fuzzy Hash: 5F01DF709046408FDB10CF15D884766FBA8DF41228F18C4AACD499B322D379E804CA63
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNELBASE(?), ref: 0146AA44
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode
                                                                                                    • String ID:
                                                                                                    • API String ID: 2340568224-0
                                                                                                    • Opcode ID: 1848be784378c52f57556a7d749811e410e76411873e088455b22e4db410c18a
                                                                                                    • Instruction ID: f6b9178f8f8e120f23a28e577a7e21665a69c18aae9b950fc7323e1dba1ba178
• Opcode Fuzzy Hash: 1848be784378c52f57556a7d749811e410e76411873e088455b22e4db410c18a
• Instruction Fuzzy Hash: 89F0FF31A006409FDB208F05D984B66FBE8EF05728F18C09BDD484B762D279E908CEA3
Strings
Memory Dump Source
• Source File: 00000013.00000002.2368692111.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5670000_Microsoft Corporation.jbxd
Similarity
• API ID:
• String ID: :@k
• API String ID: 0-2277858631
• Opcode ID: aefc4691deee90093ebddbe3bdb45110a52afe127698bf6c347194c3bda033ed
• Instruction ID: 098ce17d17c3291b38ace22ab9f0c7ebd6b08cc50a82d7a7fe264ebd5864e309
• Opcode Fuzzy Hash: aefc4691deee90093ebddbe3bdb45110a52afe127698bf6c347194c3bda033ed
• Instruction Fuzzy Hash: 0531E430B002159FEB04AB74D8157BE37ABEB98218F10406ED505D77A4EF7C9D0ACBA2
APIs
• CloseHandle.KERNELBASE(?), ref: 0146ABF0
Memory Dump Source
• Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: d8eb91b92a694851cd548cacd243773473fbc5fad085f35556700b4f01bc9b8d
• Instruction ID: f68cf4ecac112d8d972657effebc1ddb818d03a22f0c4bac6f6e64a6bb41ec51
• Opcode Fuzzy Hash: d8eb91b92a694851cd548cacd243773473fbc5fad085f35556700b4f01bc9b8d
• Instruction Fuzzy Hash: 9D21D4755097C05FDB138B25DC95652BFB8EF07224F0984DBDD858F6A3D2749808C762
APIs
• CloseHandle.KERNELBASE(?), ref: 0146ABF0
Memory Dump Source
• Source File: 00000013.00000002.2353660561.000000000146A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_146a000_Microsoft Corporation.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 447c9ae02809007e531dab82b09c94576282041da1fe3a27b584c0643ffa75ee
• Instruction ID: e91ca8b26e701413d2864c34ae279784a48480035f9d4dad3b416606f9b89d44
• Opcode Fuzzy Hash: 447c9ae02809007e531dab82b09c94576282041da1fe3a27b584c0643ffa75ee
• Instruction Fuzzy Hash: CD01DF71A046008FDB10CF19E8857A6FBE8EF01224F18C4ABDD098F766D275E408CE63
Memory Dump Source
• Source File: 00000013.00000002.2368692111.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5670000_Microsoft Corporation.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80e453ff16a42f4eae59e139864ef152f3bb7fd8b9e4a33aedbc06d9e1f0e96e
• Instruction ID: 75f7af3cc903ee89dd131ad63e0ef15f9e54c54c745dd5257a5a12c77ac337f7
• Opcode Fuzzy Hash: 80e453ff16a42f4eae59e139864ef152f3bb7fd8b9e4a33aedbc06d9e1f0e96e
• Instruction Fuzzy Hash: 0901046144E3C69FD3038B249C657807FB4AF53228B4E85D7D080CB6A3D6AC881AD763
Memory Dump Source
• Source File: 00000013.00000002.2368692111.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5670000_Microsoft Corporation.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5fc265bdfac246182811114b505cb1971ac436c0b1ff06b49b809c6caa590859
• Instruction ID: b1772d1d666621db9b5e471ff8dd795e90b965dedebe15e3e18ac47032a05d3f
• Opcode Fuzzy Hash: 5fc265bdfac246182811114b505cb1971ac436c0b1ff06b49b809c6caa590859
• Instruction Fuzzy Hash: E4F0FC71A04345ABEB04DFB1CC417AE7B76EF81624F0081AED5459B1D1EA765D41C7A0
Memory Dump Source
• Source File: 00000013.00000002.2368692111.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5670000_Microsoft Corporation.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4d14e7e67b953b724610bda47c70053240f45c4a9abe51ce0feb4c6dfed2093e
• Instruction ID: 16e4391c68abe35d776116ffc35c468cfdccaeddf0d06c878a4068972b14005c
• Opcode Fuzzy Hash: 4d14e7e67b953b724610bda47c70053240f45c4a9abe51ce0feb4c6dfed2093e
• Instruction Fuzzy Hash: A301FB70605246DFDB44FF78D55C8AD77E2EFE8209B44882DE6458B368EF7498058B83
Memory Dump Source
• Source File: 00000013.00000002.2353150398.0000000001370000.00000040.00000020.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1370000_Microsoft Corporation.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f81bbbec969edc49f05bf86ce912fba84e836f1227cffdf6865fd86a89a9b04
• Instruction ID: 32763fd53898dbd0f69525ed780599db618dfdca360bab7ed89df0235112e644
• Opcode Fuzzy Hash: 4f81bbbec969edc49f05bf86ce912fba84e836f1227cffdf6865fd86a89a9b04
• Instruction Fuzzy Hash: E6E092B66046004F9750CF0AFC41462F7D8EB84630B08C07FDC0D8B711E235F908CAA5
Memory Dump Source
• Source File: 00000013.00000002.2368692111.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_5670000_Microsoft Corporation.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b8b37e9728e56ee1cfa1f7417bc52f9a34af93baad6923d3121abd9b536dbffb
• Instruction ID: 27b979339d931f2e85429eefc71a3a4a5f025f90e5d28e5abaebc296e1d0f90d
• Opcode Fuzzy Hash: b8b37e9728e56ee1cfa1f7417bc52f9a34af93baad6923d3121abd9b536dbffb
• Instruction Fuzzy Hash: ADE0923010E3848FDB1B1B3464644B83FB69F8B32979904EEC0858A656DA3A9C47C721
Memory Dump Source
• Source File: 00000013.00000002.2353563361.0000000001462000.00000040.00000800.00020000.00000000.sdmp, Offset: 01462000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1462000_Microsoft Corporation.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d88cab76074753f574ff588df067978f636ab8703ab68ef2cdb155944b8a5b3
• Instruction ID: 0632d78db337e8c0082f97c85927c16d85afa8f93d0dadf4b868a30e45eb5dd3
• Opcode Fuzzy Hash: 9d88cab76074753f574ff588df067978f636ab8703ab68ef2cdb155944b8a5b3
• Instruction Fuzzy Hash: 15D05B752056D15FE3169A1CC158F963BE86F51718F4644FA98008B773C768D585D601
Memory Dump Source
• Source File: 00000013.00000002.2353563361.0000000001462000.00000040.00000800.00020000.00000000.sdmp, Offset: 01462000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1462000_Microsoft Corporation.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ada4b235757ac5bbf7f9e455b0a5f4473b4a9772c67fbecc40bb1bb2eee82c0
• Instruction ID: 0469b21894c44cd37492d833d992ac5949aee35c15bdb0f00cbdb3c3b80a874d
• Opcode Fuzzy Hash: 2ada4b235757ac5bbf7f9e455b0a5f4473b4a9772c67fbecc40bb1bb2eee82c0
• Instruction Fuzzy Hash: D0D05E342002814BD715DB1CC6D4F5A3BD8AB50B18F1A44EAAC108B772C7B4D8C1CA01