
Windows Analysis Report
KJKJJJECFI.exe

Overview

General Information

Sample name: KJKJJJECFI.exe
Analysis ID: 1420081
MD5: ce355f68f7fb9bcc5a1e140da2398489
SHA1: 917b5d290b3a0a28e092ccd53d6f9206223d9293
SHA256: 56fd2541a36680249ec670d07a5682d2ef5a343d1feccbcf2c3da86bd546af85

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • KJKJJJECFI.exe (PID: 380 cmdline: "C:\Users\user\Desktop\KJKJJJECFI.exe" MD5: CE355F68F7FB9BCC5A1E140DA2398489)
    • cmd.exe (PID: 892 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorer.exe (PID: 2792 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • Sendevsvc.exe (PID: 6048 cmdline: "C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe" MD5: CE355F68F7FB9BCC5A1E140DA2398489)
  • cleanup
Malware family
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware configuration: {"C2 url": "pleasurecanbesafe.com/7vAficZogD/index.php", "Version": "4.18"}
Yara Overview

Dropped Files
Source: C:\Users\user\AppData\Local\Temp\qsbtcxh | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security

Memory Dumps
Source: 00000002.00000002.2254651788.0000000006040000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000006.00000002.2255985779.0000000002981000.00000020.00000001.01000000.00000000.sdmp | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security

Unpacked PEs
Source: 0.2.KJKJJJECFI.exe.5c0f6ab.7.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 0.2.KJKJJJECFI.exe.5c0f6ab.7.raw.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
  • 0x1dc88:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1df14:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1dd13:$s1: CoGetObject
  • 0x1df9f:$s1: CoGetObject
  • 0x1dc6c:$s2: Elevation:Administrator!new:
  • 0x1def8:$s2: Elevation:Administrator!new:
Source: 6.2.explorer.exe.4cbac93.3.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 6.2.explorer.exe.4cbac93.3.raw.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
  • 0x1d088:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1d314:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x1d113:$s1: CoGetObject
  • 0x1d39f:$s1: CoGetObject
  • 0x1d06c:$s2: Elevation:Administrator!new:
  • 0x1d2f8:$s2: Elevation:Administrator!new:
Source: 6.2.explorer.exe.4cba093.5.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security

System Summary

Source: Process started | Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative | Data: Command: C:\Windows\SysWOW64\explorer.exe, CommandLine: C:\Windows\SysWOW64\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\explorer.exe, NewProcessName: C:\Windows\SysWOW64\explorer.exe, OriginalFileName: C:\Windows\SysWOW64\explorer.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 892, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\explorer.exe, ProcessId: 2792, ProcessName: explorer.exe
No Snort rule has matched

AV Detection

Source: pleasurecanbesafe.com/7vAficZogD/index.php | Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Temp\qsbtcxh | Avira: detection malicious, Label: HEUR/AGEN.1319380
Source: 2.2.cmd.exe.60400c8.7.unpack | Malware Configuration Extractor: Amadey {"C2 url": "pleasurecanbesafe.com/7vAficZogD/index.php", "Version": "4.18"}
Source: pleasurecanbesafe.com/7vAficZogD/index.php | Virustotal: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\qsbtcxh | ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\qsbtcxh | Virustotal: Detection: 76%
Source: KJKJJJECFI.exe | ReversingLabs: Detection: 87%
Source: KJKJJJECFI.exe | Virustotal: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\qsbtcxh | Joe Sandbox ML: detected
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: pleasurecanbesafe.com
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: /7vAficZogD/index.php
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: S-%lu-
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: 40c3273379
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: Dctooux.exe
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: Startup
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: cmd /C RMDIR /s/q
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: rundll32
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: Programs
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: %USERPROFILE%
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: cred.dll|clip.dll|
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: http://
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: https://
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: /Plugins/
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: &unit=
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: shell32.dll
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: kernel32.dll
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: GetNativeSystemInfo
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: ProgramData\
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: AVAST Software
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: Kaspersky Lab
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: Panda Security
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: Doctor Web
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: 360TotalSecurity
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: Bitdefender
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: Norton
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: Sophos
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: Comodo
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: WinDefender
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: 0123456789
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: ------
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: ?scr=1
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: ComputerName
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: -unicode-
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: VideoID
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: DefaultSettings.XResolution
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: DefaultSettings.YResolution
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: ProductName
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: CurrentBuild
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: rundll32.exe
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: "taskkill /f /im "
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: " && timeout 1 && del
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: && Exit"
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: " && ren
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: Powershell.exe
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: -executionpolicy remotesigned -File "
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: shutdown -s -t 0
Source: 2.2.cmd.exe.60400c8.7.unpack | String decryptor: random
Source: KJKJJJECFI.exe, 00000000.00000002.1996673675.000000000126D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 0.2.KJKJJJECFI.exe.5c0f6ab.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.explorer.exe.4cbac93.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.explorer.exe.4cba093.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.KJKJJJECFI.exe.5bd3e7a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cmd.exe.56aec93.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cmd.exe.56ae093.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.KJKJJJECFI.exe.5c102ab.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cmd.exe.5672862.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.explorer.exe.4c7e862.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: KJKJJJECFI.exe PID: 380, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cmd.exe PID: 892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2792, type: MEMORYSTR
Source: KJKJJJECFI.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 155.101.98.133:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: KJKJJJECFI.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMcrypto\ex_data.c | source: KJKJJJECFI.exe
Source: Binary string: CareUEyes.pdb | source: KJKJJJECFI.exe
Source: Binary string: wntdll.pdbUGP | source: KJKJJJECFI.exe, 00000000.00000002.1999017093.0000000005CA9000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999157020.0000000006000000.00000004.00000800.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999318510.00000000063C4000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254063422.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254267571.0000000005740000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256396897.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256202347.00000000048C5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM | source: KJKJJJECFI.exe
Source: Binary string: wntdll.pdb | source: KJKJJJECFI.exe, 00000000.00000002.1999017093.0000000005CA9000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999157020.0000000006000000.00000004.00000800.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999318510.00000000063C4000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254063422.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254267571.0000000005740000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256396897.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256202347.00000000048C5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CareUEyes.pdb&a | source: KJKJJJECFI.exe

Networking

Source: Malware configuration extractor | URLs: pleasurecanbesafe.com/7vAficZogD/index.php
Source: Joe Sandbox View | IP Address: 155.101.98.133 155.101.98.133
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /docs/info/regex_1.html HTTP/1.1 | User-Agent: how | Host: www.math.utah.edu
Source: unknown | DNS traffic detected: queries for: www.math.utah.edu
Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://c0rl.m
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: KJKJJJECFI.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: KJKJJJECFI.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: KJKJJJECFI.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: KJKJJJECFI.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: KJKJJJECFI.exe | String found in binary or memory: http://care-eyes.com/careueyes/v1/analyzer/tj.html?uuid=%s&tm=%I64d&ver=%s&it=%s&reg=%dhttp://care-e
Source: KJKJJJECFI.exe | String found in binary or memory: http://care-eyes.com/careueyes/v1/config/switch.datenablehttp://care-eyes.com/careueyes/v1/config/sw
Source: KJKJJJECFI.exe | String found in binary or memory: http://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eye
Source: KJKJJJECFI.exe | String found in binary or memory: http://care-eyes.com/careueyes/v1/pay/query_license.php&method=leftcodesubscriptionend
Source: KJKJJJECFI.exe | String found in binary or memory: http://care-eyes.com/invite/query_rewards.phpid=http://care-eyes.com/invite.html?inv=%s/RtlGetNtVers
Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.d
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: KJKJJJECFI.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: KJKJJJECFI.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: KJKJJJECFI.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: KJKJJJECFI.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicer
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: KJKJJJECFI.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: KJKJJJECFI.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: KJKJJJECFI.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: KJKJJJECFI.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0L
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: KJKJJJECFI.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: KJKJJJECFI.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: KJKJJJECFI.exe | String found in binary or memory: http://s.symcd.com06
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s2.symcb.com0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sv.symcd.com0&
Source: KJKJJJECFI.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: KJKJJJECFI.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: KJKJJJECFI.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: KJKJJJECFI.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005B77000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.0000000005623000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.info-zip.org/
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/cps0(
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.symauth.com/rpa00
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.vmware.com/0
Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.vmware.com/0/
Source: KJKJJJECFI.exe | String found in binary or memory: https://api.myip.la/en?jsonhttp://ip-api.com/jsonhttps://ipv4.ip.nf/me.jsonhttps://freegeoip.app/jso
Source: KJKJJJECFI.exe | String found in binary or memory: https://bit.ly/3feVIiY
Source: Sendevsvc.exe, 00000007.00000003.2228548837.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, Sendevsvc.exe, 00000007.00000003.2228163024.00000000015B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bit.ly/3feVIiYUEyes
                    Source: KJKJJJECFI.exe, 00000000.00000003.1976607989.0000000001A10000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1997071563.0000000001A07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bit.ly/3feVIiYfinder
                    Source: KJKJJJECFI.exeString found in binary or memory: https://care-eyes.com/buy.html?uuid=%s&tm=%I64d&ver=%s&it=%sd
                    Source: KJKJJJECFI.exeString found in binary or memory: https://care-eyes.com/how-to-use-magicx-feature/%.2fs$
                    Source: KJKJJJECFI.exe, 00000000.00000002.1996673675.000000000126D000.00000002.00000001.01000000.00000003.sdmp, KJKJJJECFI.exe, 00000000.00000000.1973658720.000000000126D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://care-eyes.com/how-to-use-magicx-feature/%.2fs$8
                    Source: KJKJJJECFI.exeString found in binary or memory: https://care-eyes.com/how-to-use-sunrise-sunset-feature/openslider_orange_progressslider_orange_bart
                    Source: KJKJJJECFI.exeString found in binary or memory: https://care-eyes.com/license-reset.html
                    Source: KJKJJJECFI.exeString found in binary or memory: https://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd
                    Source: KJKJJJECFI.exeString found in binary or memory: https://care-eyes.com/what-is-pomodoro-technique/
                    Source: KJKJJJECFI.exeString found in binary or memory: https://care-eyes.com?about
                    Source: KJKJJJECFI.exeString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
                    Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.co
                    Source: KJKJJJECFI.exeString found in binary or memory: https://d.symcb.com/cps0%
                    Source: KJKJJJECFI.exeString found in binary or memory: https://d.symcb.com/rpa0
                    Source: KJKJJJECFI.exeString found in binary or memory: https://d.symcb.com/rpa0.
                    Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                    Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.math.utah.edu/
                    Source: KJKJJJECFI.exeString found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.html
                    Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.html/
                    Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.html0
                    Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.htmlU
                    Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.htmlws
                    Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.math.utah.edu/docs/info/regex_1.htmly
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                    Source: unknownHTTPS traffic detected: 155.101.98.133:443 -> 192.168.2.5:49707 version: TLS 1.2

                    System Summary

                    Source: 0.2.KJKJJJECFI.exe.5c0f6ab.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 6.2.explorer.exe.4cbac93.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 6.2.explorer.exe.4cba093.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.KJKJJJECFI.exe.5bd3e7a.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 2.2.cmd.exe.56aec93.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 2.2.cmd.exe.56ae093.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.KJKJJJECFI.exe.5c102ab.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 2.2.cmd.exe.5672862.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 6.2.explorer.exe.4c7e862.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: KJKJJJECFI.exe | Static PE information: invalid certificate
                    Source: KJKJJJECFI.exe, 00000000.00000002.1999157020.000000000612D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs KJKJJJECFI.exe
                    Source: KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamezip.exe( vs KJKJJJECFI.exe
                    Source: KJKJJJECFI.exe, 00000000.00000002.1999318510.00000000064E7000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs KJKJJJECFI.exe
                    Source: KJKJJJECFI.exe, 00000000.00000002.1996673675.000000000126D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: kernel32SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICMSoftware\Microsoft\Windows\CurrentVersion\RunGdiICMGammaRangeSOFTWARE\DisplayLink\Core /trayEnableGammaRamptrue"%s" %shttp://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eyes.com/careueyes/v1/main/report.php?uuid=%s&tm=%I64d&ver=%s&ty=%d&sty=%d&it=%s&channel=%d&active=%d&os=%d&build=%d&gamma_dc=%d&gamma_ddraw=%d&adv_api=%dSoftware\Google\Chrome\NativeMessagingHosts\com.careueyes.dimmercontent=%s&mail=%s&os=%d&build=%dhttps://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd\VarFileInfo\TranslationCompanyName\StringFileInfo\%04X%04X\FileVersionFileDescriptionLegalCopyrightInternalNameProductNameOriginalFileNameCommentsProductVersionPrivateBuildLegalTrademarksSpecialBuild vs KJKJJJECFI.exe
                    Source: KJKJJJECFI.exe, 00000000.00000002.1998361646.0000000005422000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Ekernel32SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICMSoftware\Microsoft\Windows\CurrentVersion\RunGdiICMGammaRangeSOFTWARE\DisplayLink\Core /trayEnableGammaRamptrue"%s" %shttp://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eyes.com/careueyes/v1/main/report.php?uuid=%s&tm=%I64d&ver=%s&ty=%d&sty=%d&it=%s&channel=%d&active=%d&os=%d&build=%d&gamma_dc=%d&gamma_ddraw=%d&adv_api=%dSoftware\Google\Chrome\NativeMessagingHosts\com.careueyes.dimmercontent=%s&mail=%s&os=%d&build=%dhttps://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd\VarFileInfo\TranslationCompanyName\StringFileInfo\%04X%04X\FileVersionFileDescriptionLegalCopyrightInternalNameProductNameOriginalFileNameCommentsProductVersionPrivateBuildLegalTrademarksSpecialBuild vs KJKJJJECFI.exe
                    Source: KJKJJJECFI.exe, 00000000.00000000.1973658720.000000000126D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: kernel32SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICMSoftware\Microsoft\Windows\CurrentVersion\RunGdiICMGammaRangeSOFTWARE\DisplayLink\Core /trayEnableGammaRamptrue"%s" %shttp://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eyes.com/careueyes/v1/main/report.php?uuid=%s&tm=%I64d&ver=%s&ty=%d&sty=%d&it=%s&channel=%d&active=%d&os=%d&build=%d&gamma_dc=%d&gamma_ddraw=%d&adv_api=%dSoftware\Google\Chrome\NativeMessagingHosts\com.careueyes.dimmercontent=%s&mail=%s&os=%d&build=%dhttps://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd\VarFileInfo\TranslationCompanyName\StringFileInfo\%04X%04X\FileVersionFileDescriptionLegalCopyrightInternalNameProductNameOriginalFileNameCommentsProductVersionPrivateBuildLegalTrademarksSpecialBuild vs KJKJJJECFI.exe
                    Source: KJKJJJECFI.exe | Binary or memory string: Ekernel32SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICMSoftware\Microsoft\Windows\CurrentVersion\RunGdiICMGammaRangeSOFTWARE\DisplayLink\Core /trayEnableGammaRamptrue"%s" %shttp://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eyes.com/careueyes/v1/main/report.php?uuid=%s&tm=%I64d&ver=%s&ty=%d&sty=%d&it=%s&channel=%d&active=%d&os=%d&build=%d&gamma_dc=%d&gamma_ddraw=%d&adv_api=%dSoftware\Google\Chrome\NativeMessagingHosts\com.careueyes.dimmercontent=%s&mail=%s&os=%d&build=%dhttps://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd\VarFileInfo\TranslationCompanyName\StringFileInfo\%04X%04X\FileVersionFileDescriptionLegalCopyrightInternalNameProductNameOriginalFileNameCommentsProductVersionPrivateBuildLegalTrademarksSpecialBuild vs KJKJJJECFI.exe
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: wtsapi32.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: dwmapi.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: usp10.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: riched20.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: msls31.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: nvapi.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: magnification.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: d3d9.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: mscms.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: coloradapterclient.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: pla.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: pdh.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: tdh.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: cabinet.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: wevtapi.dll
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: shdocvw.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: shdocvw.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bitsproxy.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: linkinfo.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntshrui.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cscapi.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
                    Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe | Section loaded: wtsapi32.dll
                    Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe | Section loaded: dwmapi.dll
                    Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe | Section loaded: usp10.dll
                    Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe | Section loaded: riched20.dll
                    Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe | Section loaded: msls31.dll
                    Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe | Section loaded: profapi.dll
                    Source: KJKJJJECFI.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.KJKJJJECFI.exe.5c0f6ab.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 6.2.explorer.exe.4cbac93.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 6.2.explorer.exe.4cba093.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.KJKJJJECFI.exe.5bd3e7a.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 2.2.cmd.exe.56aec93.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 2.2.cmd.exe.56ae093.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.KJKJJJECFI.exe.5c102ab.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 2.2.cmd.exe.5672862.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 6.2.explorer.exe.4c7e862.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@7/4@1/1
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | File created: C:\Users\user\AppData\Roaming\careueyes
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_03
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | File created: C:\Users\user\AppData\Local\Temp\4476cd9c
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
                    Source: KJKJJJECFI.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | File read: C:\Windows\win.ini
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: KJKJJJECFI.exe | ReversingLabs: Detection: 87%
                    Source: KJKJJJECFI.exe | Virustotal: Detection: 68%
                    Source: KJKJJJECFI.exe | String found in binary or memory: id-cmc-addExtensions
                    Source: KJKJJJECFI.exe | String found in binary or memory: set-addPolicy
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | File read: C:\Users\user\Desktop\KJKJJJECFI.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\KJKJJJECFI.exe "C:\Users\user\Desktop\KJKJJJECFI.exe"
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe "C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe"
                    Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                    Source: ivls.2.dr | LNK file: ..\..\Roaming\NBFoundation\Sendevsvc.exe
                    Source: KJKJJJECFI.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: KJKJJJECFI.exe | Static file information: File size 6699592 > 1048576
                    Source: KJKJJJECFI.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x37b800
                    Source: KJKJJJECFI.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x137600
                    Source: KJKJJJECFI.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x163600
                    Source: KJKJJJECFI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: KJKJJJECFI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: KJKJJJECFI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: KJKJJJECFI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: KJKJJJECFI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: KJKJJJECFI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: KJKJJJECFI.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Source: KJKJJJECFI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMcrypto\ex_data.c source: KJKJJJECFI.exe
                    Source: Binary string: CareUEyes.pdb source: KJKJJJECFI.exe
                    Source: Binary string: wntdll.pdbUGP source: KJKJJJECFI.exe, 00000000.00000002.1999017093.0000000005CA9000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999157020.0000000006000000.00000004.00000800.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999318510.00000000063C4000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254063422.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254267571.0000000005740000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256396897.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256202347.00000000048C5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: KJKJJJECFI.exe
                    Source: Binary string: wntdll.pdb source: KJKJJJECFI.exe, 00000000.00000002.1999017093.0000000005CA9000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999157020.0000000006000000.00000004.00000800.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1999318510.00000000063C4000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254063422.00000000052C6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254267571.0000000005740000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256396897.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256202347.00000000048C5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: CareUEyes.pdb&a source: KJKJJJECFI.exe
Source: qsbtcxh.2.dr | Static PE information: real checksum: 0x0 should be: 0x6e9ad
Source: KJKJJJECFI.exe | Static PE information: real checksum: 0x3dab6c should be: 0x66661f
Source: qsbtcxh.2.dr | Static PE information: section name: lxp
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\qsbtcxh
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\qsbtcxh

                    Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\QSBTCXH
Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qsbtcxh
Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0
Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Qvmware
Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1!0
Source: KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1997071563.0000000001A8A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.0
Source: KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc
Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Process information queried: ProcessInformation

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\KJKJJJECFI.exe | NtSetInformationThread: Direct from: 0x10F1A4F
Source: C:\Users\user\Desktop\KJKJJJECFI.exe | NtQuerySystemInformation: Direct from: 0x5A9D020
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 2792 base: 5179C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 2792 base: 2980000 value: 00
Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 5179C0
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 2980000
Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: KJKJJJECFI.exe | Binary or memory string: Eskin_slide_select_btnskin_slide_btn%sLight: %02d:%02dDark user32.dllShell_TrayWndShell_SecondaryTrayWndcomboboxl
Source: KJKJJJECFI.exe, 00000000.00000002.1996673675.000000000126D000.00000002.00000001.01000000.00000003.sdmp, KJKJJJECFI.exe, 00000000.00000000.1973658720.000000000126D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: skin_slide_select_btnskin_slide_btn%sLight: %02d:%02dDark user32.dllShell_TrayWndShell_SecondaryTrayWndcomboboxl
Source: Sendevsvc.exe, 00000007.00000000.2222647313.000000000074D000.00000002.00000001.01000000.0000000C.sdmp, Sendevsvc.exe, 00000007.00000002.2229766624.000000000074D000.00000002.00000001.01000000.0000000C.sdmp | Binary or memory string: Bskin_slide_select_btnskin_slide_btn%sLight: %02d:%02dDark user32.dllShell_TrayWndShell_SecondaryTrayWndcomboboxl
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\KJKJJJECFI.exe | Code function: 0_2_01047996 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_01047996

                    Stealing of Sensitive Information

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 2.2.cmd.exe.60400c8.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cmd.exe.60400c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2254651788.0000000006040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2255985779.0000000002981000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\qsbtcxh, type: DROPPED
MITRE ATT&CK matrix (one line per tactic column; the number preceding a technique is the count shown in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd
Persistence: 11 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 312 Process Injection; 1 Abuse Elevation Control Mechanism; 11 DLL Side-Loading; Login Hook; Network Logon Script
Defense Evasion: 11 Masquerading; 312 Process Injection; 1 Abuse Elevation Control Mechanism; 11 DLL Side-Loading; Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 System Time Discovery; 11 Security Software Discovery; 2 Process Discovery; 1 File and Directory Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Source | Detection | Scanner | Label
KJKJJJECFI.exe | 88% | ReversingLabs | Win32.Spyware.Lummastealer
KJKJJJECFI.exe | 68% | Virustotal |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\qsbtcxh | 100% | Avira | HEUR/AGEN.1319380
C:\Users\user\AppData\Local\Temp\qsbtcxh | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\qsbtcxh | 83% | ReversingLabs | Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\qsbtcxh | 76% | Virustotal |

No Antivirus matches

No Antivirus matches
Source | Detection | Scanner | Label
http://c0rl.m | 0% | URL Reputation | safe
https://care-eyes.com/what-is-pomodoro-technique/ | 0% | Avira URL Cloud | safe
http://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eye | 0% | Avira URL Cloud | safe
https://care-eyes.com?about | 0% | Avira URL Cloud | safe
http://care-eyes.com/careueyes/v1/config/switch.datenablehttp://care-eyes.com/careueyes/v1/config/sw | 0% | Avira URL Cloud | safe
http://care-eyes.com/careueyes/v1/pay/query_license.php&method=leftcodesubscriptionend | 0% | Avira URL Cloud | safe
pleasurecanbesafe.com/7vAficZogD/index.php | 100% | Avira URL Cloud | phishing
http://care-eyes.com/careueyes/v1/pay/query_license.php&method=leftcodesubscriptionend | 0% | Virustotal |
http://crl4.digicer | 0% | Avira URL Cloud | safe
http://care-eyes.com/careueyes/v1/config/switch.datenablehttp://care-eyes.com/careueyes/v1/config/sw | 1% | Virustotal |
https://care-eyes.com?about | 1% | Virustotal |
https://d.symcb.co | 0% | Avira URL Cloud | safe
http://care-eyes.com/invite/query_rewards.phpid=http://care-eyes.com/invite.html?inv=%s/RtlGetNtVers | 0% | Avira URL Cloud | safe
https://care-eyes.com/how-to-use-magicx-feature/%.2fs$8 | 0% | Avira URL Cloud | safe
https://care-eyes.com/buy.html?uuid=%s&tm=%I64d&ver=%s&it=%sd | 0% | Avira URL Cloud | safe
http://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eye | 1% | Virustotal |
https://care-eyes.com/license-reset.html | 0% | Avira URL Cloud | safe
https://d.symcb.co | 0% | Virustotal |
https://api.myip.la/en?jsonhttp://ip-api.com/jsonhttps://ipv4.ip.nf/me.jsonhttps://freegeoip.app/jso | 0% | Avira URL Cloud | safe
https://care-eyes.com/how-to-use-sunrise-sunset-feature/openslider_orange_progressslider_orange_bart | 0% | Avira URL Cloud | safe
https://care-eyes.com/buy.html?uuid=%s&tm=%I64d&ver=%s&it=%sd | 1% | Virustotal |
http://care-eyes.com/careueyes/v1/analyzer/tj.html?uuid=%s&tm=%I64d&ver=%s&it=%s&reg=%dhttp://care-e | 0% | Avira URL Cloud | safe
pleasurecanbesafe.com/7vAficZogD/index.php | 18% | Virustotal |
https://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd | 0% | Avira URL Cloud | safe
https://care-eyes.com/license-reset.html | 0% | Virustotal |
https://api.myip.la/en?jsonhttp://ip-api.com/jsonhttps://ipv4.ip.nf/me.jsonhttps://freegeoip.app/jso | 0% | Virustotal |
http://crl3.d | 0% | Avira URL Cloud | safe
https://care-eyes.com/how-to-use-magicx-feature/%.2fs$ | 0% | Avira URL Cloud | safe
http://care-eyes.com/invite/query_rewards.phpid=http://care-eyes.com/invite.html?inv=%s/RtlGetNtVers | 0% | Virustotal |
https://care-eyes.com/what-is-pomodoro-technique/ | 1% | Virustotal |
https://care-eyes.com/how-to-use-sunrise-sunset-feature/openslider_orange_progressslider_orange_bart | 0% | Virustotal |
https://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd | 1% | Virustotal |
https://care-eyes.com/how-to-use-magicx-feature/%.2fs$ | 1% | Virustotal |
http://care-eyes.com/careueyes/v1/analyzer/tj.html?uuid=%s&tm=%I64d&ver=%s&it=%s&reg=%dhttp://care-e | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.math.utah.edu | 155.101.98.133 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
pleasurecanbesafe.com/7vAficZogD/index.php | true | 18% Virustotal; Avira URL Cloud: phishing | low
https://www.math.utah.edu/docs/info/regex_1.html | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.math.utah.edu/docs/info/regex_1.html/ | KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.vmware.com/0 | KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.math.utah.edu/docs/info/regex_1.html0 | KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://care-eyes.com/careueyes/v1/pay/query_license.php&method=leftcodesubscriptionend | KJKJJJECFI.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://care-eyes.com/careueyes/v1/config/switch.datenablehttp://care-eyes.com/careueyes/v1/config/sw | KJKJJJECFI.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://care-eyes.com/careueyes/v1/main/feedback_msg.php?uuid=%s&tm=%I64d&ver=%s&it=%shttp://care-eye | KJKJJJECFI.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
https://care-eyes.com/what-is-pomodoro-technique/ | KJKJJJECFI.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
https://www.math.utah.edu/docs/info/regex_1.htmly | KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.vmware.com/0/ | KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://care-eyes.com?about | KJKJJJECFI.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
https://bit.ly/3feVIiYfinder | KJKJJJECFI.exe, 00000000.00000003.1976607989.0000000001A10000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 00000000.00000002.1997071563.0000000001A07000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.math.utah.edu/docs/info/regex_1.htmlws | KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl4.digicer | KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.symauth.com/cps0( | KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://d.symcb.co | KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://c0rl.m | KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://curl.haxx.se/docs/http-cookies.html | KJKJJJECFI.exe | false | | high
http://care-eyes.com/invite/query_rewards.phpid=http://care-eyes.com/invite.html?inv=%s/RtlGetNtVers | KJKJJJECFI.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://care-eyes.com/how-to-use-magicx-feature/%.2fs$8 | KJKJJJECFI.exe, 00000000.00000002.1996673675.000000000126D000.00000002.00000001.01000000.00000003.sdmp, KJKJJJECFI.exe, 00000000.00000000.1973658720.000000000126D000.00000002.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://care-eyes.com/buy.html?uuid=%s&tm=%I64d&ver=%s&it=%sd | KJKJJJECFI.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
https://bit.ly/3feVIiY | KJKJJJECFI.exe | false | | high
https://bit.ly/3feVIiYUEyes | Sendevsvc.exe, 00000007.00000003.2228548837.00000000015B0000.00000004.00000020.00020000.00000000.sdmp, Sendevsvc.exe, 00000007.00000003.2228163024.00000000015B0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.math.utah.edu/docs/info/regex_1.htmlU | KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://care-eyes.com/license-reset.html | KJKJJJECFI.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://api.myip.la/en?jsonhttp://ip-api.com/jsonhttps://ipv4.ip.nf/me.jsonhttps://freegeoip.app/jso | KJKJJJECFI.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://www.symauth.com/rpa00 | KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.info-zip.org/ | KJKJJJECFI.exe, 00000000.00000002.1998916468.0000000005B77000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2254182536.0000000005623000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2256315034.0000000004C2F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://care-eyes.com/how-to-use-sunrise-sunset-feature/openslider_orange_progressslider_orange_bart | KJKJJJECFI.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://www.math.utah.edu/ | KJKJJJECFI.exe, 00000000.00000002.1997650869.000000000477C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://care-eyes.com/careueyes/v1/analyzer/tj.html?uuid=%s&tm=%I64d&ver=%s&it=%s&reg=%dhttp://care-e | KJKJJJECFI.exe | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://care-eyes.com/uninstall.htmlcom.careueyes.dimmer.json%s?activate=%dchannelconfig.datupd | KJKJJJECFI.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://crl3.d | KJKJJJECFI.exe, 00000000.00000002.1998842076.0000000005A9D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://care-eyes.com/how-to-use-magicx-feature/%.2fs$ | KJKJJJECFI.exe | false | 1% Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
155.101.98.133 | www.math.utah.edu | United States | 17055 | UTAHUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1420081
Start date and time: 2024-04-04 12:36:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: KJKJJJECFI.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@7/4@1/1
EGA Information: Failed
HCA Information: Failed
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target KJKJJJECFI.exe, PID 380 because there are no executed function
                                                      • Execution Graph export aborted for target Sendevsvc.exe, PID 6048 because there are no executed function
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
12:36:55 | API Interceptor | 1x Sleep call for process: KJKJJJECFI.exe modified
12:37:10 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sendevsvc.lnk
12:37:11 | API Interceptor | 2x Sleep call for process: cmd.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
155.101.98.133 | CocFAer8MC.exe | malicious | Unknown
155.101.98.133 | vGPoWZM3lZ.exe | malicious | Amadey
155.101.98.133 | SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exe | malicious | AsyncRAT
155.101.98.133 | SecuriteInfo.com.Win64.Malware-gen.6815.27736.exe | malicious | AsyncRAT
155.101.98.133 | 7VAFdANAsr.exe | malicious | Unknown
155.101.98.133 | 7VAFdANAsr.exe | malicious | Unknown

Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.math.utah.edu | CocFAer8MC.exe | malicious | Unknown | 155.101.98.133
www.math.utah.edu | vGPoWZM3lZ.exe | malicious | Amadey | 155.101.98.133
www.math.utah.edu | SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exe | malicious | AsyncRAT | 155.101.98.133
www.math.utah.edu | SecuriteInfo.com.Win64.Malware-gen.6815.27736.exe | malicious | AsyncRAT | 155.101.98.133
www.math.utah.edu | 7VAFdANAsr.exe | malicious | Unknown | 155.101.98.133
www.math.utah.edu | 7VAFdANAsr.exe | malicious | Unknown | 155.101.98.133

Match | Associated Sample Name / URL | Detection | Threat Name | Context
UTAHUS | FewiVGKGLr.elf | malicious | Mirai, Gafgyt | 155.101.54.113
UTAHUS | nTDlOKAKOW.elf | malicious | Unknown | 128.110.228.100
UTAHUS | CocFAer8MC.exe | malicious | Unknown | 155.101.98.133
UTAHUS | kt46zhUGCl.elf | malicious | Mirai | 155.97.31.14
UTAHUS | pERaPMaznu.elf | malicious | Mirai | 155.101.143.110
UTAHUS | f6JaV6F9NN.elf | malicious | Mirai | 155.103.234.200
UTAHUS | vGPoWZM3lZ.exe | malicious | Amadey | 155.101.98.133
UTAHUS | pUQL9ZI8ks.elf | malicious | Mirai | 74.82.45.122
UTAHUS | SecuriteInfo.com.Trojan.Win32.Penguish.aqk.2138.32152.exe | malicious | AsyncRAT | 155.101.98.133

Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | WAhYftpepO.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar | 155.101.98.133
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Unknown | 155.101.98.133
37f463bf4616ecd445d4a1937da06e19 | Purchasing_49427020424_8568658.vbs | malicious | AgentTesla, GuLoader | 155.101.98.133
37f463bf4616ecd445d4a1937da06e19 | 03-04024 AQQ -T7630-CVE84 7281 Rieckermann.vbs | malicious | AgentTesla, GuLoader | 155.101.98.133
37f463bf4616ecd445d4a1937da06e19 | UNLP-9004898-Oferta#U00b7pdf.vbs | malicious | GuLoader, Lokibot | 155.101.98.133
37f463bf4616ecd445d4a1937da06e19 | SCO 2024.PDF.vbs | malicious | AgentTesla, GuLoader | 155.101.98.133
37f463bf4616ecd445d4a1937da06e19 | Order inquiry.vbs | malicious | Remcos | 155.101.98.133
37f463bf4616ecd445d4a1937da06e19 | U00b7pdf.vbe | malicious | Remcos, GuLoader | 155.101.98.133
37f463bf4616ecd445d4a1937da06e19 | New Wage Structure pdf.vbs | malicious | AgentTesla, GuLoader | 155.101.98.133
37f463bf4616ecd445d4a1937da06e19 | RFQ20240403_Commerical_List_pdf.vbs | malicious | AgentTesla, GuLoader | 155.101.98.133
                                                                  No context
                                                                  Process:C:\Users\user\Desktop\KJKJJJECFI.exe
                                                                  File Type:HTML document, ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):27645
                                                                  Entropy (8bit):5.154952528259852
                                                                  Encrypted:false
                                                                  SSDEEP:384:uvVzoGQocsTVqly+F3kfbmg6OtGCqUx/BRvNy4Ifq93HE/N4GjDgbJwefnmccFsx:uv5ojDaE50mupBx3vNfKa2DgbJz1MsuG
                                                                  MD5:3BCAC0C44DB080CE09E54DA0902D215B
                                                                  SHA1:63FD5AA932400DB98514798180CB3AFB9039F622
                                                                  SHA-256:E2BDD382B97FE8630663685ADC8C718E67C405B4D66AC54F9FA5BA5DC04A8D07
                                                                  SHA-512:DD3D302DB6846CBD3611C94A1D48B0F57217EA7B154FBA29421135E72AFBFF155054FDF5D0F6DEE4AF1BEF77BAEBF77A21B717E873D474B7231CE58123D63000
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">.<HTML>.<HEAD>. This HTML file has been created by texi2html 1.45. from /home/share/emacs-18.58/man/regex.texinfo on 8 March 1996 -->..<TITLE>Untitled Document - regex regular expression matching library.</TITLE>.</HEAD>.<BODY>.Go to the first, previous, next, last section, <A HREF="regex_toc.html">table of contents</A>..<HR>...<H1><A NAME="SEC1" HREF="regex_toc.html#SEC1"><STRONG>regex</STRONG> regular expression matching library.</A></H1>....<H2><A NAME="SEC2" HREF="regex_toc.html#SEC2">Overview</A></H2>..<P>.Regular expression matching allows you to test whether a string fits.into a specific syntactic shape. You can also search a string for a.substring that fits a pattern...</P>.<P>.A regular expression describes a set of strings. The simplest case is.one that describes a particular string; for example, the string <SAMP>`foo'</SAMP>.when regarded as a regular expression matches <SAMP>`foo'</SAMP> and nothing else..Nontrivial re
                                                                  Process:C:\Users\user\Desktop\KJKJJJECFI.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):1124138
                                                                  Entropy (8bit):7.621968104191185
                                                                  Encrypted:false
                                                                  SSDEEP:24576:qJEj1Ac2DN95fgVDOoUWlpUzNT6W6TZHXAQqSzH2JVkDC1zfMWXwNh1:qKjWc2D35fgVDOoBlpUBTbQZHXAQqSDh
                                                                  MD5:04AFEC2C99CD93234E4FF565A7D19794
                                                                  SHA1:61321775F904DB8AC0B19ABF3EBF84D4D84BC9DD
                                                                  SHA-256:C563247275EEEC2A8C9C6A486AED1858B2FA5FED674C4EE3E171D138B66BEAC8
                                                                  SHA-512:525B58B15897EAF13F57706EA8DC4837DC93E58EC8DD1E59E5BF2DDAAB832C4E68E022761625D2166BEC28BAEF070F4E98B9D4A6B9C037247D4EA1DCDC207048
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Oct 4 13:16:50 2023, mtime=Thu Apr 4 09:36:55 2024, atime=Thu Apr 4 09:36:52 2024, length=6699592, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):912
                                                                  Entropy (8bit):5.076432546061586
                                                                  Encrypted:false
                                                                  SSDEEP:12:8T2IKe4f8Ed88CTlsY//6dL6/raCslnUQd8SKmr4AjAbnHXYLJg+0hpmV:8T2ff8EO8IZSpvWQAML63pm
                                                                  MD5:AEB050D811A6A888EA7862E28F0A744E
                                                                  SHA1:D6D2C44432BD89C62634F991ED5A8890B7A6EBBB
                                                                  SHA-256:8C829AD064618C8AB75F11130A027A28B179327335897EF07DF2E47245F0DED3
                                                                  SHA-512:FDB8E1F9363CA88892FDD3CA56FCA0051154C7800CCC5E56FA59D21FC33B97FCB5D43DD633411861F1B1EADE366BD80D6ED54C608BA5C916B5343617E74032E4
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):429568
                                                                  Entropy (8bit):6.513117480954766
                                                                  Encrypted:false
                                                                  SSDEEP:12288:xIp0oG34tODC5TPCZzynB/qupORs7HwNI:I0V34tOCV6yVyI
                                                                  MD5:3E36745728E1302C0DD36455A818DA59
                                                                  SHA1:83207703EE94B56A583D676FD281A1078832798C
                                                                  SHA-256:8B224791DCD7DD8337A5115B432E1B847F6D5D418BADB39BC0F50C19981C9D9A
                                                                  SHA-512:384817845E81CC864C7488CF06E9CF1C5F81262D4474A7DD5A8C4E92F7A1D7EA1162ED9092383107291B9870FD986CE099349FA9B819FF730203712EA9310908
                                                                  Malicious:true
                                                                  Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Temp\qsbtcxh, Author: Joe Security
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                  • Antivirus: Virustotal, Detection: 76%, Browse
                                                                  Reputation:low
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):7.02894012544124
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:KJKJJJECFI.exe
                                                                  File size:6'699'592 bytes
                                                                  MD5:ce355f68f7fb9bcc5a1e140da2398489
                                                                  SHA1:917b5d290b3a0a28e092ccd53d6f9206223d9293
                                                                  SHA256:56fd2541a36680249ec670d07a5682d2ef5a343d1feccbcf2c3da86bd546af85
                                                                  SHA512:69e19e29b0d72b444288d6f575cb0b65066495c609ecb4a476b929837299f54cedf1704475928d8683e17aedb74a5af993a84ea3c2f2e75af1cc2e48c4f87637
                                                                  SSDEEP:196608:6BBgUSIC1sbmHSZ9S8OqHRKrxQe5Ajz+T0:6BBgUSIC1sbWSZ9BzxExQ/z+T0
                                                                  TLSH:8A66BF02F9D18471E1630231356DB7AAADBDA9618B31D5CFB78C162E8F309C19B37B91
                                                                  Icon Hash:499669d8d82916a8
                                                                  Entrypoint:0x556cb4
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:true
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x65703BBA [Wed Dec 6 09:15:38 2023 UTC]
                                                                  TLS Callbacks:0x70518c
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:1
                                                                  File Version Major:5
                                                                  File Version Minor:1
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:1
                                                                  Import Hash:101a1ec978d0316fc91f9ad0f1533e6b
                                                                  Signature Valid:false
                                                                  Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                  Signature Validation Error:The digital signature of the object did not verify
                                                                  Error Number:-2146869232
Not Before: 13/12/2021 01:00:00
Not After: 09/01/2025 00:59:59
Subject Chain:
• CN=philandro Software GmbH, O=philandro Software GmbH, L=Stuttgart, S=Baden-Württemberg, C=DE
                                                                  Version:3
                                                                  Thumbprint MD5:EAE713DFC05244CF4301BF1C9F68B1BE
                                                                  Thumbprint SHA-1:9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE
                                                                  Thumbprint SHA-256:9D7620A4CEBA92370E8828B3CB1007AEFF63AB36A2CBE5F044FDDE14ABAB1EBF
                                                                  Serial:0DBF152DEAF0B981A8A938D53F769DB8
                                                                  Instruction
                                                                  call 00007F32A07D931Fh
                                                                  jmp 00007F32A07D846Fh
                                                                  mov ecx, dword ptr [ebp-0Ch]
                                                                  mov dword ptr fs:[00000000h], ecx
                                                                  pop ecx
                                                                  pop edi
                                                                  pop edi
                                                                  pop esi
                                                                  pop ebx
                                                                  mov esp, ebp
                                                                  pop ebp
                                                                  push ecx
                                                                  ret
                                                                  mov ecx, dword ptr [ebp-10h]
                                                                  xor ecx, ebp
                                                                  call 00007F32A07D7AF3h
                                                                  jmp 00007F32A07D85D2h
                                                                  mov ecx, dword ptr [ebp-14h]
                                                                  xor ecx, ebp
                                                                  call 00007F32A07D7AE4h
                                                                  jmp 00007F32A07D85C3h
                                                                  push eax
                                                                  push dword ptr fs:[00000000h]
                                                                  lea eax, dword ptr [esp+0Ch]
                                                                  sub esp, dword ptr [esp+0Ch]
                                                                  push ebx
                                                                  push esi
                                                                  push edi
                                                                  mov dword ptr [eax], ebp
                                                                  mov ebp, eax
                                                                  mov eax, dword ptr [008B58E8h]
                                                                  xor eax, ebp
                                                                  push eax
                                                                  push dword ptr [ebp-04h]
                                                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                                                  lea eax, dword ptr [ebp-0Ch]
                                                                  mov dword ptr fs:[00000000h], eax
                                                                  ret
                                                                  push eax
                                                                  push dword ptr fs:[00000000h]
                                                                  lea eax, dword ptr [esp+0Ch]
                                                                  sub esp, dword ptr [esp+0Ch]
                                                                  push ebx
                                                                  push esi
                                                                  push edi
                                                                  mov dword ptr [eax], ebp
                                                                  mov ebp, eax
                                                                  mov eax, dword ptr [008B58E8h]
                                                                  xor eax, ebp
                                                                  push eax
                                                                  mov dword ptr [ebp-10h], eax
                                                                  push dword ptr [ebp-04h]
                                                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                                                  lea eax, dword ptr [ebp-0Ch]
                                                                  mov dword ptr fs:[00000000h], eax
                                                                  ret
                                                                  push eax
                                                                  push dword ptr fs:[00000000h]
                                                                  lea eax, dword ptr [esp+0Ch]
                                                                  sub esp, dword ptr [esp+0Ch]
                                                                  push ebx
                                                                  push esi
                                                                  push edi
                                                                  mov dword ptr [eax], ebp
                                                                  mov ebp, eax
                                                                  mov eax, dword ptr [008B58E8h]
                                                                  xor eax, ebp
                                                                  push eax
                                                                  mov dword ptr [ebp-10h], esp
                                                                  Programming Language:
                                                                  • [C++] VS2008 SP1 build 30729
                                                                  • [ C ] VS2008 SP1 build 30729
                                                                  • [ C ] VS98 (6.0) SP6 build 8804
                                                                  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4b1400 | 0x1a4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4e5000 | 0x163444 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x65f400 | 0x4648 | .reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x649000 | 0x331d6 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4774d0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x477540 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x397bd8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x37d000 | 0x908 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4b139c | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x37b7f3 | 0x37b800 | f4cff882e51783311699ec8eac1a9885 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x37d000 | 0x137408 | 0x137600 | a553269feef5c20192e3ac241e8b003f | False | 0.3314800469189081 | data | 5.05991244260527 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4b5000 | 0x2f9a4 | 0x15a00 | a098909401b0880bba6cc5f95248ed55 | False | 0.21347769147398843 | data | 5.132238992675893 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4e5000 | 0x163444 | 0x163600 | 4bb24fe2e41d22f3596255ece9cc16cd | False | 0.6922746108863876 | data | 7.6192929340838305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x649000 | 0x33134 | 0x33200 | 516ef0ba9663e1f2219d5ecaf18d414f | False | 0.498476658007335 | GLS_BINARY_LSB_FIRST | 6.547441120857822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
BAO | 0x4e8378 | 0xd6dde | PNG image data, 1024 x 768, 8-bit/color RGBA, non-interlaced | English | United States | 0.9607394210163914
IMG | 0x5bf158 | 0x584 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.7889518413597734
IMG | 0x5bf6dc | 0x72 | PNG image data, 4 x 4, 8-bit/color RGB, non-interlaced | Chinese | China | 0.9912280701754386
IMG | 0x5bf750 | 0x2c5 | PNG image data, 112 x 14, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0155148095909732
IMG | 0x5bfa18 | 0x67 | PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9805825242718447
IMG | 0x5bfa80 | 0x52b | PNG image data, 42 x 60, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.7898715041572184
IMG | 0x5bffac | 0x114 | PNG image data, 8 x 7, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0181159420289856
IMG | 0x5c00c0 | 0x2f2 | PNG image data, 96 x 32, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0145888594164456
IMG | 0x5c03b4 | 0x80d | PNG image data, 21 x 21, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.881125667151868
IMG | 0x5c0bc4 | 0x191 | PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.027431421446384
IMG | 0x5c0d58 | 0x5e5 | PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.8210735586481114
IMG | 0x5c1340 | 0x235 | PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0194690265486726
IMG | 0x5c1578 | 0x191 | PNG image data, 18 x 18, 8-bit colormap, non-interlaced | Chinese | China | 1.027431421446384
IMG | 0x5c170c | 0x5b4 | PNG image data, 18 x 18, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.8136986301369863
IMG | 0x5c1cc0 | 0x533 | PNG image data, 32 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0082644628099173
IMG | 0x5c21f4 | 0x1ac | PNG image data, 54 x 10, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0257009345794392
IMG | 0x5c23a0 | 0x14c | PNG image data, 20 x 20, 8-bit colormap, non-interlaced | Chinese | China | 0.7891566265060241
IMG | 0x5c24ec | 0x1a5 | PNG image data, 96 x 32, 8-bit/color RGB, non-interlaced | Chinese | China | 1.0261282660332542
IMG | 0x5c2694 | 0x1a2 | PNG image data, 20 x 20, 8-bit colormap, non-interlaced | Chinese | China | 0.7655502392344498
IMG | 0x5c2838 | 0x230 | PNG image data, 44 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.019642857142857
IMG | 0x5c2a68 | 0x4df | PNG image data, 112 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.008821170809944
IMG | 0x5c2f48 | 0x8ba | PNG image data, 112 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.004923903312444
IMG | 0x5c3804 | 0x404 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0107003891050583
IMG | 0x5c3c08 | 0x50d | PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.008507347254447
IMG | 0x5c4118 | 0x49a | PNG image data, 160 x 20, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0093378607809846
IMG | 0x5c45b4 | 0x49d | PNG image data, 160 x 20, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0093141405588484
IMG | 0x5c4a54 | 0x8f | PNG image data, 210 x 85, 2-bit colormap, non-interlaced | Chinese | China | 0.9300699300699301
IMG | 0x5c4ae4 | 0x8f | PNG image data, 210 x 85, 2-bit colormap, non-interlaced | Chinese | China | 0.958041958041958
IMG | 0x5c4b74 | 0x97 | PNG image data, 210 x 85, 2-bit colormap, non-interlaced | Chinese | China | 0.9668874172185431
IMG | 0x5c4c0c | 0x14e | PNG image data, 50 x 40, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9970059880239521
IMG | 0x5c4d5c | 0x2dd | PNG image data, 112 x 14, 8-bit colormap, non-interlaced | Chinese | China | 0.9822646657571623
IMG | 0x5c503c | 0x67 | PNG image data, 14 x 14, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9805825242718447
IMG | 0x5c50a4 | 0x6b0 | PNG image data, 96 x 32, 8-bit colormap, non-interlaced | Chinese | China | 1.0064252336448598
IMG | 0x5c5754 | 0x579 | PNG image data, 96 x 32, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0078515346181298
IMG | 0x5c5cd0 | 0xc8a | PNG image data, 100 x 100, 8-bit colormap, non-interlaced | Chinese | China | 1.0034267912772585
IMG | 0x5c695c | 0x592 | PNG image data, 84 x 28, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0077138849929874
IMG | 0x5c6ef0 | 0x5df | PNG image data, 78 x 26, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0073186959414504
IMG | 0x5c74d0 | 0x167 | PNG image data, 78 x 26, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9805013927576601
IMG | 0x5c7638 | 0x862 | PNG image data, 78 x 26, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.005125815470643
IMG | 0x5c7e9c | 0x69a | PNG image data, 96 x 32, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.006508875739645
IMG | 0x5c8538 | 0x45a | PNG image data, 71 x 48, 8-bit colormap, non-interlaced | Chinese | China | 1.0098743267504489
IMG | 0x5c8994 | 0x5ba | PNG image data, 71 x 48, 8-bit colormap, non-interlaced | Chinese | China | 1.0075034106412006
IMG | 0x5c8f50 | 0xac | PNG image data, 26 x 26, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9593023255813954
IMG | 0x5c8ffc | 0x96 | PNG image data, 80 x 5, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.98
IMG | 0x5c9094 | 0x70 | PNG image data, 80 x 5, 8-bit/color RGB, non-interlaced | Chinese | China | 1.0
IMG | 0x5c9104 | 0x5d | PNG image data, 4 x 1, 8-bit/color RGB, non-interlaced | Chinese | China | 0.989247311827957
IMG | 0x5c9164 | 0x5c | PNG image data, 4 x 1, 8-bit/color RGB, non-interlaced | Chinese | China | 0.9891304347826086
IMG | 0x5c91c0 | 0x5f6 | PNG image data, 71 x 48, 8-bit colormap, non-interlaced | Chinese | China | 1.0072083879423328
IMG | 0x5c97b8 | 0x821 | PNG image data, 81 x 27, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0052859202306583
IMG | 0x5c9fdc | 0x3d6 | PNG image data, 81 x 27, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0112016293279023
IMG | 0x5ca3b4 | 0xd3 | PNG image data, 8 x 7, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0
IMG | 0x5ca488 | 0x95 | PNG image data, 8 x 7, 4-bit colormap, non-interlaced | Chinese | China | 0.9731543624161074
IMG | 0x5ca520 | 0x90 | PNG image data, 8 x 7, 4-bit colormap, non-interlaced | Chinese | China | 0.9097222222222222
IMG | 0x5ca5b0 | 0x2dd | PNG image data, 28 x 48, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.015006821282401
IMG | 0x5ca890 | 0x2c1 | PNG image data, 28 x 48, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0156028368794325
IMG | 0x5cab54 | 0x16b8 | PNG image data, 552 x 418, 8-bit colormap, non-interlaced | Chinese | China | 0.967503438789546
IMG | 0x5cc20c | 0x4bd | PNG image data, 125 x 418, 2-bit colormap, non-interlaced | Chinese | China | 1.0090684253915911
IMG | 0x5cc6cc | 0x4c6 | PNG image data, 125 x 418, 2-bit colormap, non-interlaced | Chinese | China | 1.0090016366612111
IMG | 0x5ccb94 | 0x395 | PNG image data, 72 x 24, 8-bit colormap, non-interlaced | Chinese | China | 0.8767720828789531
IMG | 0x5ccf2c | 0x445 | PNG image data, 51 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.6989935956084172
IMG | 0x5cd374 | 0x13c | PNG image data, 51 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9715189873417721
IMG | 0x5cd4b0 | 0x191 | PNG image data, 100 x 24, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0124688279301746
IMG | 0x5cd644 | 0x4dd | PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.7726907630522089
LAYOUT | 0x5cdb24 | 0x78e | Unicode text, UTF-8 (with BOM) text | Chinese | China | 0.2828335056876939
LAYOUT | 0x5ce2b4 | 0xc2d | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.29547641963426374
LAYOUT | 0x5ceee4 | 0x126 | Unicode text, UTF-8 (with BOM) text | Chinese | China | 0.7448979591836735
LAYOUT | 0x5cf00c | 0xce | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.7815533980582524
LAYOUT | 0x5cf0dc | 0xb50 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.31353591160220995
LAYOUT | 0x5cfc2c | 0xbb | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.7272727272727273
LAYOUT | 0x5cfce8 | 0x73c | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4087473002159827
LAYOUT | 0x5d0424 | 0x1703 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.246477677813614
LAYOUT | 0x5d1b28 | 0x759 | HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.42955874534821903
LAYOUT | 0x5d2284 | 0x7f2 | exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4444444444444444
LAYOUT | 0x5d2a78 | 0x1ff | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.6301369863013698
LAYOUT | 0x5d2c78 | 0x350 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4834905660377358
LAYOUT | 0x5d2fc8 | 0x221 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.5853211009174312
LAYOUT | 0x5d31ec | 0x80e | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.3617846750727449
LAYOUT | 0x5d39fc | 0x11f | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.7317073170731707
LAYOUT | 0x5d3b1c | 0x6ba | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4645760743321719
LAYOUT | 0x5d41d8 | 0x29e | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.5432835820895522
LAYOUT | 0x5d4478 | 0x69c | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.41371158392434987
LAYOUT | 0x5d4b14 | 0x668 | exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4304878048780488
LAYOUT | 0x5d517c | 0x4f5 | Unicode text, UTF-8 (with BOM) text | Chinese | China | 0.3979511426319937
LAYOUT | 0x5d5674 | 0xbb | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.7272727272727273
LAYOUT | 0x5d5730 | 0x9c2 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.3366693354683747
LAYOUT | 0x5d60f4 | 0x27b | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.5291338582677165
LAYOUT | 0x5d6370 | 0x4fa | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4073783359497645
LAYOUT | 0x5d686c | 0xcc | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.7892156862745098
LAYOUT | 0x5d6938 | 0xaa0 | Unicode text, UTF-8 (with BOM) text, with very long lines (430), with CRLF line terminators | Chinese | China | 0.35441176470588237
LAYOUT | 0x5d73d8 | 0x5af | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4336769759450172
LAYOUT | 0x5d7988 | 0x3d7 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4313326551373347
LAYOUT | 0x5d7d60 | 0x595 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.3198040587823653
LAYOUT | 0x5d82f8 | 0x8a0 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.353713768115942
LAYOUT | 0x5d8b98 | 0x940 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.16300675675675674
LAYOUT | 0x5d94d8 | 0x202b | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.19368548876745598
LAYOUT | 0x5db504 | 0x927 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.39479300042680326
LAYOUT | 0x5dbe2c | 0x60d | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4525500322788896
LAYOUT | 0x5dc43c | 0x67e | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.3953068592057762
LAYOUT | 0x5dcabc | 0x2aa | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.6085043988269795
LAYOUT | 0x5dcd68 | 0x9ea | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.3195429472025217
LAYOUT | 0x5dd754 | 0x54c | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.47271386430678464
LAYOUT | 0x5ddca0 | 0x1a42 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.19994049390062482
LAYOUT | 0x5df6e4 | 0x7db | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.3545499751367479
LAYOUT | 0x5dfec0 | 0x69f | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.3775811209439528
LAYOUT | 0x5e0560 | 0x59d | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.37230340988169797
LAYOUT | 0x5e0b00 | 0x562 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.4462989840348331
LAYOUT | 0x5e1064 | 0x1216 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.30107991360691144
LAYOUT | 0x5e227c | 0x17d | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.6482939632545932
LAYOUT | 0x5e23fc | 0x22b | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.6072072072072072
PNG | 0x5e2628 | 0x4a8 | PNG image data, 52 x 26, 8-bit/color RGB, non-interlaced | Chinese | China | 0.735738255033557
PNG | 0x5e2ad0 | 0x108f | PNG image data, 114 x 25, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0025949516395376
PNG | 0x5e3b60 | 0xe73 | PNG image data, 108 x 25, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0029737766964044
PNG | 0x5e49d4 | 0xd7c | PNG image data, 108 x 25, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0031865585168018
PNG | 0x5e5750 | 0x3ee7 | PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.11097311060050923
PNG | 0x5e9638 | 0x1fa | PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0217391304347827
PNG | 0x5e9834 | 0xf37 | PNG image data, 108 x 25, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.002824133504493
PNG | 0x5ea76c | 0xdb9 | PNG image data, 120 x 15, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0031312268716197
PNG | 0x5eb528 | 0xcf2 | PNG image data, 48 x 16, 8-bit/color RGB, non-interlaced | Chinese | China | 1.0033192516596259
PNG | 0x5ec21c | 0xb1f | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0038637161924833
PNG | 0x5ecd3c | 0xcdf | PNG image data, 15 x 15, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0033383915022762
PNG | 0x5eda1c | 0x715 | PNG image data, 360 x 35, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0060672917815774
PNG | 0x5ee134 | 0x1867 | PNG image data, 192 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0017608452056987
PNG | 0x5ef99c | 0xb79 | PNG image data, 32 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.00374531835206
PNG | 0x5f0518 | 0xb87 | PNG image data, 26 x 26, 8-bit/color RGB, non-interlaced | Chinese | China | 1.0037275499830567
PNG | 0x5f10a0 | 0xdd0 | PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0031108597285068
PNG | 0x5f1e70 | 0xaf7 | PNG image data, 50 x 2, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0039187744923406
PNG | 0x5f2968 | 0xb97 | PNG image data, 200 x 26, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0037074486012807
PNG | 0x5f3500 | 0xe6 | PNG image data, 9 x 8, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0304347826086957
PNG | 0x5f35e8 | 0x1ca | PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0240174672489082
PNG | 0x5f37b4 | 0x1163 | PNG image data, 120 x 15, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0024713547517412
PNG | 0x5f4918 | 0x1361 | PNG image data, 144 x 48, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0022172949002217
PNG | 0x5f5c7c | 0x1650 | PNG image data, 80 x 20, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0019257703081232
PNG | 0x5f72cc | 0xd14 | PNG image data, 15 x 30, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0032855436081243
PNG | 0x5f7fe0 | 0xd0a | PNG image data, 15 x 30, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0032953864589575
PNG | 0x5f8cec | 0xc37 | PNG image data, 85 x 6, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0035177486408697
PNG | 0x5f9924 | 0xc3c | PNG image data, 6 x 85, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0035121328224776
PNG | 0x5fa560 | 0x3fa | PNG image data, 282 x 38, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0108055009823183
PNG | 0x5fa95c | 0xfc8 | PNG image data, 153 x 17, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0027227722772276
PNG | 0x5fb924 | 0x186 | PNG image data, 162 x 18, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.9153846153846154
PNG | 0x5fbaac | 0xca2 | PNG image data, 102 x 17, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0034013605442176
PNG | 0x5fc750 | 0xb67 | PNG image data, 8 x 9, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0037684138403562
PNG | 0x5fd2b8 | 0x1ca | PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0240174672489082
PNG | 0x5fd484 | 0x50f | PNG image data, 13 x 85, 8-bit/color RGBA, non-interlaced | Chinese | China | 0.7598455598455598
SKIN | 0x5fd994 | 0x18d0 | JSON data | Chinese | China | 0.13759445843828716
SMENU | 0x5ff264 | 0x6ea | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.29774011299435027
SMENU | 0x5ff950 | 0x6ee | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.2993235625704622
TRANSLATOR | 0x600040 | 0xa1a8 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.17912719891745602
TRANSLATOR | 0x60a1e8 | 0xab9d | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.1740149773518767
TRANSLATOR | 0x614d88 | 0xaeb6 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (304), with CRLF line terminators | Chinese | China | 0.16918570853642176
TRANSLATOR | 0x61fc40 | 0xac36 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.16683300821122352
TRANSLATOR | 0x62a878 | 0xaa1d | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.16748949459229834
TRANSLATOR | 0x635298 | 0xa20b | XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators | Chinese | China | 0.17860328327266592
TRANSLATOR | 0x63f4a4 | 0x9c | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.9230769230769231
UIDEF | 0x63f540 | 0xa6b | XML 1.0 document, Unicode text, UTF-8 (with BOM) text | Chinese | China | 0.29733783277090364
VALUES | 0x63ffac | 0xe2 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.6238938053097345
VALUES | 0x640090 | 0x2c45 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (317), with CRLF line terminators | Chinese | China | 0.17709344392482132
VALUES | 0x642cd8 | 0x9fc | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.3877151799687011
XML | 0x6436d4 | 0x135 | ASCII text, with CRLF line terminators | Chinese | China | 0.5436893203883495
XML | 0x64380c | 0x6e5 | HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | China | 0.42039660056657224
XML | 0x643ef4 | 0xbe4 | ASCII text, with CRLF line terminators | Chinese | China | 0.2585413929040736
RT_CURSOR | 0x644ad8 | 0x8ac | Targa image data 64 x 65536 x 1 +32 "\010" | Chinese | China | 0.06531531531531531
RT_ICON | 0x645384 | 0x1b8e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9167848029486816
RT_ICON | 0x646f14 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | | | 0.299390243902439
RT_ICON | 0x64757c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | | | 0.478494623655914
RT_ICON | 0x647864 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | | | 0.48155737704918034
RT_ICON | 0x647a4c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.597972972972973
RT_GROUP_CURSOR | 0x647b74 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25
RT_GROUP_ICON | 0x647b88 | 0x4c | data | | | 0.8026315789473685
RT_VERSION | 0x647bd4 | 0x250 | data | English | United States | 0.4814189189189189
RT_MANIFEST | 0x647e24 | 0x61f | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1507), with CRLF line terminators | English | United States | 0.400765794511806
                                                                  DLLImport
                                                                  WINMM.dlltimeKillEvent, mciSendStringW, timeSetEvent
                                                                  WTSAPI32.dllWTSRegisterSessionNotification, WTSUnRegisterSessionNotification
                                                                  KERNEL32.dllDeleteFileW, GetFileAttributesExW, GetCurrentDirectoryW, MapViewOfFile, GetVolumeInformationW, GetFileAttributesW, SetFilePointerEx, SetEndOfFile, FlushFileBuffers, GetFileInformationByHandle, CreateToolhelp32Snapshot, GetFileSizeEx, FormatMessageW, SystemTimeToFileTime, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetVersionExW, GetSystemInfo, GetSystemDirectoryW, GetTimeZoneInformation, GetUserDefaultLangID, FindFirstChangeNotificationW, FindCloseChangeNotification, WaitForMultipleObjects, FindNextChangeNotification, Process32FirstW, Process32NextW, ResetEvent, OpenFileMappingW, IsBadReadPtr, GetSystemTime, GetCurrentDirectoryA, GetModuleFileNameA, GetVersionExA, HeapCreate, FreeResource, GetFullPathNameW, SleepEx, VerSetConditionMask, QueryPerformanceFrequency, VerifyVersionInfoW, QueryPerformanceCounter, MoveFileExA, GetSystemTimeAsFileTime, CompareFileTime, GetFileType, GetStdHandle, PeekNamedPipe, FormatMessageA, InterlockedDecrement, CreateFileMappingW, GetFileSize, WriteFile, UnmapViewOfFile, SuspendThread, lstrlenA, InterlockedIncrement, GlobalAlloc, GlobalLock, GetThreadContext, VirtualFree, VirtualAlloc, FlushInstructionCache, VirtualProtect, GetEnvironmentVariableW, GetEnvironmentVariableA, CreateProcessW, ResumeThread, TerminateProcess, ReadProcessMemory, LoadLibraryExA, LoadLibraryA, FindNextFileW, ConvertThreadToFiber, ConvertFiberToThread, CreateFiber, DeleteFiber, SwitchToFiber, ReadConsoleA, SetConsoleMode, WriteConsoleW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, IsValidCodePage, FindFirstFileExW, SetConsoleCtrlHandler, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, GetConsoleCP, ReadConsoleW, GetConsoleMode, GetACP, GetDriveTypeW, SetStdHandle, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlUnwind, GetStartupInfoW, 
UnhandledExceptionFilter, GetCPInfo, LocalFree, InitializeCriticalSectionEx, GetStringTypeW, GetExitCodeThread, WaitForSingleObjectEx, IsProcessorFeaturePresent, InterlockedPushEntrySList, InterlockedPopEntrySList, InitializeSListHead, EncodePointer, IsDebuggerPresent, GetLocalTime, OutputDebugStringW, IsBadWritePtr, SetLastError, lstrcmpW, GetCurrentThreadId, ExitProcess, GlobalAddAtomA, Sleep, GetTickCount, InterlockedCompareExchange, FindFirstFileW, FindClose, ReadFile, CreateFileW, GlobalUnlock, MulDiv, GetComputerNameA, WideCharToMultiByte, OutputDebugStringA, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, TerminateThread, GetProcAddress, FreeLibrary, GetLastError, GetCurrentProcess, GetCurrentProcessId, GetCommandLineA, LoadLibraryW, GetModuleHandleA, CloseHandle, SetEvent, CreateEventW, WaitForSingleObject, InitializeCriticalSection, GetProcessHeap, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, HeapDestroy, GetCommandLineW, GetModuleHandleW, SetCurrentDirectoryW, InitializeCriticalSectionAndSpinCount, lstrcmpiW, LockResource, SizeofResource, FindResourceExW, DecodePointer, RaiseException, MultiByteToWideChar, LoadResource, FindResourceW, LoadLibraryExW, GetCurrentThread, GetModuleFileNameW, VirtualQuery, SetUnhandledExceptionFilter
USER32.dll: IsWindowVisible, GetFocus, GetDlgItem, GetDlgCtrlID, IsChild, GetWindow, SetFocus, RedrawWindow, GetActiveWindow, RegisterClassExW, MessageBoxW, UpdateLayeredWindow, MapVirtualKeyA, CharLowerBuffW, SystemParametersInfoA, DrawTextW, MsgWaitForMultipleObjects, CallNextHookEx, UnhookWindowsHookEx, SetWindowsHookExW, ReleaseDC, GetDC, LoadCursorW, GetClassInfoExW, RegisterWindowMessageW, DefWindowProcW, CreateAcceleratorTableW, FillRect, DestroyAcceleratorTable, GetSysColor, GetParent, ShowWindow, SetWindowPos, DestroyWindow, SendMessageW, UnregisterClassW, CharNextW, OffsetRect, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindow, FindWindowW, GetWindowRect, MonitorFromRect, PostMessageW, UnhookWinEvent, SetWinEventHook, GetForegroundWindow, BringWindowToTop, SetWindowLongW, GetCursorPos, PtInRect, SetForegroundWindow, GetUserObjectInformationW, GetProcessWindowStation, DrawIconEx, CallWindowProcW, WindowFromPoint, EqualRect, IsIconic, MonitorFromPoint, GetSystemMetrics, GetMonitorInfoW, GetAsyncKeyState, UnregisterHotKey, RegisterHotKey, EnumDisplayMonitors, CopyRect, ScreenToClient, GetWindowLongW, MonitorFromWindow, GetClassNameW, GetShellWindow, GetAncestor, ClientToScreen, GetWindowThreadProcessId, SystemParametersInfoW, AttachThreadInput, LockWorkStation, SetCursor, SetCapture, ReleaseCapture, GetDesktopWindow, CreateWindowExW, SetWindowTextW, GetWindowTextW, GetWindowTextLengthW, MoveWindow, GetClientRect, BeginPaint, EndPaint, SetClassLongW, GetClassLongW, RemovePropW, GetPropW, SetPropW, SetMenuContextHelpId, GetMenuItemInfoW, SetMenuInfo, GetMenuInfo, TrackPopupMenu, AppendMenuW, GetMenuItemCount, DestroyMenu, CreatePopupMenu, IsMenu, GetIconInfo, SetLayeredWindowAttributes, EnumDisplayDevicesW, SetTimer, KillTimer, DestroyIcon, SendMessageA, GetWindowDC, GetWindowRgn, IsZoomed, SetSysColors, DestroyCursor, GetKeyState, EnableMenuItem, SetRect, InflateRect, InvalidateRect, SetActiveWindow, IsWindowEnabled, EnableWindow, LoadImageW, CreateIconFromResource, LoadBitmapW, MapWindowPoints, SetCaretPos, HideCaret, GetCaretBlinkTime, CreateCaret, UpdateWindow, GetCapture, AnimateWindow, PostQuitMessage, TrackMouseEvent, PeekMessageW, DispatchMessageW, TranslateMessage, GetMessageW, IsRectEmpty, UnionRect, IntersectRect, InvalidateRgn
GDI32.dll: ExcludeClipRect, CreateRoundRectRgn, SetGraphicsMode, Rectangle, FrameRgn, SetROP2, CreateRectRgn, SetDeviceGammaRamp, RestoreDC, GetObjectW, GetStockObject, DeleteDC, BitBlt, CreateCompatibleDC, CreateCompatibleBitmap, CreateSolidBrush, DeleteObject, GetDeviceCaps, SaveDC, EnumFontsW, CreateBitmap, CreateFontIndirectW, SetBkMode, StretchBlt, SetViewportOrgEx, ExtCreateRegion, GetRegionData, IntersectClipRect, SelectClipRgn, CreateDIBSection, GetCurrentObject, GetViewportOrgEx, GetGlyphIndicesW, GetTextExtentPointI, AddFontMemResourceEx, RemoveFontMemResourceEx, SetTextColor, SetTextAlign, GetTextMetricsW, CreatePen, SetWorldTransform, ExtTextOutW, GetTextFaceW, GdiFlush, SelectObject, CreateHatchBrush, EnumFontFamiliesExW, GetCharABCWidthsW, GetFontData, GetGlyphOutlineW, GetOutlineTextMetricsW, GetFontUnicodeRanges
COMDLG32.dll: ChooseColorW, GetOpenFileNameW
ADVAPI32.dll: CryptGetUserKey, CryptSignHashW, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegNotifyChangeKeyValue, CryptDestroyHash, CryptCreateHash, CryptDecrypt, CryptExportKey, CryptGetProvParam, CryptSetHashParam, CryptDestroyKey, CryptReleaseContext, CryptAcquireContextW, ReportEventW, RegisterEventSourceW, RegQueryValueExW, GetUserNameA, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegOpenKeyExW, RegEnumKeyExW, RegQueryInfoKeyW, RegCloseKey, RegDeleteKeyW, DeregisterEventSource, CryptEnumProvidersW
SHELL32.dll: ShellExecuteW, SHCreateDirectoryExW, SHGetSpecialFolderPathW, SHGetSpecialFolderLocation, SHBrowseForFolderW, SHGetPathFromIDListW, SHFileOperationW, Shell_NotifyIconW
ole32.dll: CreateStreamOnHGlobal, IIDFromString, CreateBindCtx, CoCreateGuid, OleLockRunning, StringFromGUID2, CoGetClassObject, CLSIDFromProgID, CLSIDFromString, CoTaskMemRealloc, OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance
OLEAUT32.dll: LoadTypeLib, LoadRegTypeLib, VariantClear, OleCreateFontIndirect, DispCallFunc, VarUdateFromDate, SysStringLen, VariantInit, SysAllocStringLen, SysFreeString, SysAllocString, VarUI4FromStr, VariantTimeToSystemTime, SystemTimeToVariantTime, VarBstrFromDate
SHLWAPI.dll: PathAppendW, PathRemoveFileSpecW, PathFindExtensionW, PathIsDirectoryW, PathFileExistsW, StrToIntExW, PathQuoteSpacesW
gdiplus.dll: GdiplusShutdown, GdiplusStartup, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipSaveImageToFile, GdipGetPropertyItem, GdipGetPropertyItemSize, GdipGraphicsClear, GdipImageGetFrameCount, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipDrawImageRectI, GdipDeleteGraphics, GdipGetImageGraphicsContext, GdipDisposeImage, GdipCreateBitmapFromFile, GdipGetImageEncodersSize, GdipAlloc, GdipFree, GdipGetImageEncoders, GdipImageSelectActiveFrame
VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeA, GetFileVersionInfoA
dwmapi.dll: DwmGetWindowAttribute
WS2_32.dll: getnameinfo, gethostname, sendto, recvfrom, freeaddrinfo, getaddrinfo, select, __WSAFDIsSet, ioctlsocket, listen, htonl, accept, WSACleanup, WSAStartup, WSAIoctl, WSASetLastError, socket, setsockopt, ntohs, htons, getsockopt, getsockname, getpeername, connect, bind, WSAGetLastError, send, recv, closesocket, shutdown
IPHLPAPI.DLL: GetAdaptersInfo
IMM32.dll: ImmReleaseContext, ImmAssociateContext, ImmGetContext
CRYPT32.dll: CertGetCertificateContextProperty, CertDuplicateCertificateContext, CertFindCertificateInStore, CertOpenStore, CertOpenSystemStoreA, CertGetIntendedKeyUsage, CertGetEnhancedKeyUsage, CertFreeCertificateContext, CertEnumCertificatesInStore, CertCloseStore
WLDAP32.dll: (no named imports listed)
USP10.dll: ScriptItemize, ScriptFreeCache, ScriptShape
Language of compilation system | Country where language is spoken | Map
English | United States |
Chinese | China |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 4, 2024 12:36:55.038450003 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.038474083 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.038570881 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.047399044 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.047415018 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.428030968 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.428184986 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.627238989 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.627262115 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.627543926 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.627597094 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.630459070 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.676229954 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.814026117 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.814093113 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.997432947 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.997443914 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.997463942 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.997524023 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.997541904 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.997687101 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.997687101 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.997901917 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.997931004 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.997961998 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.997967005 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.997987032 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.997999907 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Apr 4, 2024 12:36:55.998002052 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.998039961 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.998128891 CEST | 49707 | 443 | 192.168.2.5 | 155.101.98.133
Apr 4, 2024 12:36:55.998136997 CEST | 443 | 49707 | 155.101.98.133 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 4, 2024 12:36:54.767431021 CEST | 50333 | 53 | 192.168.2.5 | 1.1.1.1
Apr 4, 2024 12:36:55.032830954 CEST | 53 | 50333 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 4, 2024 12:36:54.767431021 CEST | 192.168.2.5 | 1.1.1.1 | 0xe23e | Standard query (0) | www.math.utah.edu | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 4, 2024 12:36:55.032830954 CEST | 1.1.1.1 | 192.168.2.5 | 0xe23e | No error (0) | www.math.utah.edu | | 155.101.98.133 | A (IP address) | IN (0x0001) | false
• www.math.utah.edu
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49707 | 155.101.98.133 | 443 | 380 | C:\Users\user\Desktop\KJKJJJECFI.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-04 10:36:55 UTC | 82 | OUT | GET /docs/info/regex_1.html HTTP/1.1
User-Agent: how
Host: www.math.utah.edu
2024-04-04 10:36:55 UTC | 184 | IN | HTTP/1.1 200 OK
Date: Thu, 04 Apr 2024 10:36:55 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 27645
Connection: close
Content-Type: text/html
2024-04-04 10:36:55 UTC | 16384 | IN | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN"><HTML><HEAD>... This HTML file has been created by texi2html 1.45 from /home/share/emacs-18.58/man/regex.texinfo on 8 March 1996 --><TITLE>Untitled Document - regex regular expression matching libra
2024-04-04 10:36:55 UTC | 11261 | IN | Data Ascii: a regular expressioninto the buffer:<PRE>re_compile_pattern (<VAR>regex</VAR>, <VAR>regex_size</VAR>, <VAR>buf</VAR>)</PRE><P><VAR>regex</VAR> is the address of the regular expression (<CODE>char *</CODE>),<VAR>regex_size</VAR> is its length (<C
Target ID: 0
Start time: 12:36:53
Start date: 04/04/2024
Path: C:\Users\user\Desktop\KJKJJJECFI.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\KJKJJJECFI.exe"
Imagebase: 0xef0000
File size: 6'699'592 bytes
MD5 hash: CE355F68F7FB9BCC5A1E140DA2398489
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1998916468.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 12:36:55
Start date: 04/04/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\cmd.exe
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000002.00000002.2254651788.0000000006040000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.2254182536.000000000566B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 3
Start time: 12:36:55
Start date: 04/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 12:37:13
Start date: 04/04/2024
Path: C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\explorer.exe
Imagebase: 0x430000
File size: 4'514'184 bytes
MD5 hash: DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000006.00000002.2255985779.0000000002981000.00000020.00000001.01000000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2256315034.0000000004C77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: true

Target ID: 7
Start time: 12:37:18
Start date: 04/04/2024
Path: C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\NBFoundation\Sendevsvc.exe"
Imagebase: 0x3d0000
File size: 6'699'592 bytes
MD5 hash: CE355F68F7FB9BCC5A1E140DA2398489
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

No disassembly