Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
En3e396wX1.exe

Overview

General Information

Sample name:En3e396wX1.exe
renamed because original name is a hash value
Original sample name:F0FF2A2046A4FEFCD2D04C92C812FCF2.exe
Analysis ID:1425675
MD5:f0ff2a2046a4fefcd2d04c92c812fcf2
SHA1:d2004f23d6b5a90888395c1f2d72d288b2dea821
SHA256:06b314e6e7127b58bdafcd05252a28af38233afe2b188584eb4d27ab372c8762
Tags:exenjratRAT
Infos:

Detection

Njrat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
Connects to many ports of the same IP (likely port scanning)
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Disables zone checking for all users
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Process Tree

  • System is w10x64
  • En3e396wX1.exe (PID: 5348 cmdline: "C:\Users\user\Desktop\En3e396wX1.exe" MD5: F0FF2A2046A4FEFCD2D04C92C812FCF2)
    • netsh.exe (PID: 1892 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\En3e396wX1.exe" "En3e396wX1.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
NjRATRedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "02a10a06650130398868c04656615034", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
En3e396wX1.exeJoeSecurity_NjratYara detected NjratJoe Security
    En3e396wX1.exeWindows_Trojan_Njrat_30f3c220unknownunknown
    • 0x1266a:$a1: get_Registry
    • 0x15177:$a2: SEE_MASK_NOZONECHECKS
    • 0x14e19:$a3: Download ERROR
    • 0x153cd:$a4: cmd.exe /c ping 0 -n 2 & del "
    • 0x13356:$a5: netsh firewall delete allowedprogram "
    En3e396wX1.exeCN_disclosed_20180208_cDetects malware from disclosed CN malware setFlorian Roth
    • 0x153cd:$x1: cmd.exe /c ping 0 -n 2 & del "
    • 0x12ee2:$s1: winmgmts:\\.\root\SecurityCenter2
    • 0x14e37:$s3: Executed As
    • 0x1165d:$s5: Stub.exe
    • 0x14e19:$s6: Download ERROR
    • 0x12ea4:$s8: Select * From AntiVirusProduct
    En3e396wX1.exeNjratdetect njRAT in memoryJPCERT/CC Incident Response Group
    • 0x15177:$reg: SEE_MASK_NOZONECHECKS
    • 0x14dfd:$msg: Execute ERROR
    • 0x14e51:$msg: Execute ERROR
    • 0x153cd:$ping: cmd.exe /c ping 0 -n 2 & del
    En3e396wX1.exeMALWARE_Win_NjRATDetects NjRAT / BladabindiditekSHen
    • 0x13356:$s1: netsh firewall delete allowedprogram
    • 0x133a8:$s2: netsh firewall add allowedprogram
    • 0x153cd:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
    • 0x14dfd:$s4: Execute ERROR
    • 0x14e51:$s4: Execute ERROR
    • 0x14e19:$s5: Download ERROR

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_NjratYara detected NjratJoe Security
      00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmpWindows_Trojan_Njrat_30f3c220unknownunknown
      • 0x1246a:$a1: get_Registry
      • 0x14f77:$a2: SEE_MASK_NOZONECHECKS
      • 0x14c19:$a3: Download ERROR
      • 0x151cd:$a4: cmd.exe /c ping 0 -n 2 & del "
      • 0x13156:$a5: netsh firewall delete allowedprogram "
      00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmpNjratdetect njRAT in memoryJPCERT/CC Incident Response Group
      • 0x14f77:$reg: SEE_MASK_NOZONECHECKS
      • 0x14bfd:$msg: Execute ERROR
      • 0x14c51:$msg: Execute ERROR
      • 0x151cd:$ping: cmd.exe /c ping 0 -n 2 & del
      00000000.00000002.4484946830.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_NjratYara detected NjratJoe Security
        Process Memory Space: En3e396wX1.exe PID: 5348JoeSecurity_NjratYara detected NjratJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.0.En3e396wX1.exe.8f0000.0.unpackJoeSecurity_NjratYara detected NjratJoe Security
            0.0.En3e396wX1.exe.8f0000.0.unpackWindows_Trojan_Njrat_30f3c220unknownunknown
            • 0x1266a:$a1: get_Registry
            • 0x15177:$a2: SEE_MASK_NOZONECHECKS
            • 0x14e19:$a3: Download ERROR
            • 0x153cd:$a4: cmd.exe /c ping 0 -n 2 & del "
            • 0x13356:$a5: netsh firewall delete allowedprogram "
            0.0.En3e396wX1.exe.8f0000.0.unpackCN_disclosed_20180208_cDetects malware from disclosed CN malware setFlorian Roth
            • 0x153cd:$x1: cmd.exe /c ping 0 -n 2 & del "
            • 0x12ee2:$s1: winmgmts:\\.\root\SecurityCenter2
            • 0x14e37:$s3: Executed As
            • 0x1165d:$s5: Stub.exe
            • 0x14e19:$s6: Download ERROR
            • 0x12ea4:$s8: Select * From AntiVirusProduct
            0.0.En3e396wX1.exe.8f0000.0.unpackNjratdetect njRAT in memoryJPCERT/CC Incident Response Group
            • 0x15177:$reg: SEE_MASK_NOZONECHECKS
            • 0x14dfd:$msg: Execute ERROR
            • 0x14e51:$msg: Execute ERROR
            • 0x153cd:$ping: cmd.exe /c ping 0 -n 2 & del
            0.0.En3e396wX1.exe.8f0000.0.unpackMALWARE_Win_NjRATDetects NjRAT / BladabindiditekSHen
            • 0x13356:$s1: netsh firewall delete allowedprogram
            • 0x133a8:$s2: netsh firewall add allowedprogram
            • 0x153cd:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
            • 0x14dfd:$s4: Execute ERROR
            • 0x14e51:$s4: Execute ERROR
            • 0x14e19:$s5: Download ERROR

            Sigma Signatures

            No Sigma rule has matched

            Snort Signatures

            Timestamp:04/14/24-06:54:11.093222
            SID:2033132
            Source Port:49716
            Destination Port:14095
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/14/24-06:53:07.096652
            SID:2033132
            Source Port:49714
            Destination Port:14095
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/14/24-06:54:11.400675
            SID:2814856
            Source Port:49716
            Destination Port:14095
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/14/24-06:54:14.327523
            SID:2825564
            Source Port:49716
            Destination Port:14095
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/14/24-06:52:08.702264
            SID:2825564
            Source Port:49705
            Destination Port:14095
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/14/24-06:53:07.405791
            SID:2814856
            Source Port:49714
            Destination Port:14095
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/14/24-06:55:15.097163
            SID:2033132
            Source Port:49717
            Destination Port:14095
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/14/24-06:52:08.702264
            SID:2814860
            Source Port:49705
            Destination Port:14095
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/14/24-06:52:03.604825
            SID:2814856
            Source Port:49705
            Destination Port:14095
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/14/24-06:52:03.291445
            SID:2033132
            Source Port:49705
            Destination Port:14095
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/14/24-06:54:14.327523
            SID:2814860
            Source Port:49716
            Destination Port:14095
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:04/14/24-06:55:15.404401
            SID:2814856
            Source Port:49717
            Destination Port:14095
            Protocol:TCP
            Classtype:A Network Trojan was detected

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: En3e396wX1.exeAvira: detected
            Found malware configuration
            Source: 0.0.En3e396wX1.exe.8f0000.0.unpackMalware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "02a10a06650130398868c04656615034", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
            Multi AV Scanner detection for domain / URL
            Source: 2.tcp.eu.ngrok.ioVirustotal: Detection: 11%Perma Link
            Multi AV Scanner detection for submitted file
            Source: En3e396wX1.exeReversingLabs: Detection: 81%
            Source: En3e396wX1.exeVirustotal: Detection: 79%Perma Link
            Yara detected Njrat
            Source: Yara matchFile source: En3e396wX1.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.En3e396wX1.exe.8f0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.4484946830.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: En3e396wX1.exe PID: 5348, type: MEMORYSTR
            Machine Learning detection for sample
            Source: En3e396wX1.exeJoe Sandbox ML: detected
            Source: En3e396wX1.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Users\user\Desktop\En3e396wX1.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
            Source: En3e396wX1.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Spreading

            barindex
            Contains functionality to spread to USB devices (.Net source)
            Source: En3e396wX1.exe, -.cs.Net Code: @
            Source: En3e396wX1.exe, 00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: \autorun.inf
            Source: En3e396wX1.exe, 00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: [autorun]
            Source: En3e396wX1.exe, 00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: autorun.inf
            Source: En3e396wX1.exeBinary or memory string: \autorun.inf
            Source: En3e396wX1.exeBinary or memory string: [autorun]
            Source: En3e396wX1.exeBinary or memory string: autorun.inf

            Networking

            barindex
            Snort IDS alert for network traffic
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49705 -> 18.197.239.5:14095
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49705 -> 18.197.239.5:14095
            Source: TrafficSnort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.5:49705 -> 18.197.239.5:14095
            Source: TrafficSnort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49705 -> 18.197.239.5:14095
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49714 -> 3.127.138.57:14095
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49714 -> 3.127.138.57:14095
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49716 -> 18.156.13.209:14095
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49716 -> 18.156.13.209:14095
            Source: TrafficSnort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.5:49716 -> 18.156.13.209:14095
            Source: TrafficSnort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.5:49716 -> 18.156.13.209:14095
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.5:49717 -> 18.197.239.5:14095
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.5:49717 -> 18.197.239.5:14095
            Connects to many ports of the same IP (likely port scanning)
            Source: global trafficTCP traffic: 3.127.138.57 ports 14095,0,1,4,5,9
            Source: global trafficTCP traffic: 18.156.13.209 ports 14095,0,1,4,5,9
            Source: global trafficTCP traffic: 18.197.239.5 ports 14095,0,1,4,5,9
            Source: global trafficTCP traffic: 192.168.2.5:49705 -> 18.197.239.5:14095
            Source: global trafficTCP traffic: 192.168.2.5:49714 -> 3.127.138.57:14095
            Source: global trafficTCP traffic: 192.168.2.5:49716 -> 18.156.13.209:14095
            Source: Joe Sandbox ViewIP Address: 3.127.138.57 3.127.138.57
            Source: Joe Sandbox ViewIP Address: 18.156.13.209 18.156.13.209
            Source: Joe Sandbox ViewIP Address: 18.197.239.5 18.197.239.5
            Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
            Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
            Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownDNS traffic detected: queries for: 2.tcp.eu.ngrok.io
            Source: C:\Users\user\Desktop\En3e396wX1.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

            E-Banking Fraud

            barindex
            Yara detected Njrat
            Source: Yara matchFile source: En3e396wX1.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.En3e396wX1.exe.8f0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.4484946830.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: En3e396wX1.exe PID: 5348, type: MEMORYSTR

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: En3e396wX1.exe, type: SAMPLEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: En3e396wX1.exe, type: SAMPLEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: En3e396wX1.exe, type: SAMPLEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: En3e396wX1.exe, type: SAMPLEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: 0.0.En3e396wX1.exe.8f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: 0.0.En3e396wX1.exe.8f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 0.0.En3e396wX1.exe.8f0000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 0.0.En3e396wX1.exe.8f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: 00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: 00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C42980_2_050C4298
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C470F0_2_050C470F
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C49360_2_050C4936
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C46300_2_050C4630
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C45440_2_050C4544
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C4B5B0_2_050C4B5B
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C42870_2_050C4287
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C499D0_2_050C499D
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C47D40_2_050C47D4
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C49F90_2_050C49F9
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C44F10_2_050C44F1
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C50000_2_050C5000
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C4F2F0_2_050C4F2F
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C505D0_2_050C505D
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C54590_2_050C5459
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C536F0_2_050C536F
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C4C8F0_2_050C4C8F
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C4F9D0_2_050C4F9D
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_050C50E30_2_050C50E3
            Source: En3e396wX1.exe, 00000000.00000002.4484672844.000000000108E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs En3e396wX1.exe
            Source: En3e396wX1.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: En3e396wX1.exe, type: SAMPLEMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: En3e396wX1.exe, type: SAMPLEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: En3e396wX1.exe, type: SAMPLEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: En3e396wX1.exe, type: SAMPLEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: 0.0.En3e396wX1.exe.8f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: 0.0.En3e396wX1.exe.8f0000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.En3e396wX1.exe.8f0000.0.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 0.0.En3e396wX1.exe.8f0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: 00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: 00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: classification engineClassification label: mal100.spre.phis.troj.evad.winEXE@4/2@4/3
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_052324CE AdjustTokenPrivileges,0_2_052324CE
            Source: C:\Users\user\Desktop\En3e396wX1.exeCode function: 0_2_05232497 AdjustTokenPrivileges,0_2_05232497
            Source: C:\Users\user\Desktop\En3e396wX1.exeFile created: C:\Users\user\AppData\Roaming\appJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeMutant created: NULL
            Source: C:\Users\user\Desktop\En3e396wX1.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Users\user\Desktop\En3e396wX1.exeMutant created: \Sessions\1\BaseNamedObjects\02a10a06650130398868c04656615034
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_03
            Source: C:\Users\user\Desktop\En3e396wX1.exeFile created: C:\Users\user\AppData\Local\Temp\FransescoPast.txtJump to behavior
            Source: En3e396wX1.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: En3e396wX1.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\En3e396wX1.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: En3e396wX1.exeReversingLabs: Detection: 81%
            Source: En3e396wX1.exeVirustotal: Detection: 79%
            Source: unknownProcess created: C:\Users\user\Desktop\En3e396wX1.exe "C:\Users\user\Desktop\En3e396wX1.exe"
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\En3e396wX1.exe" "En3e396wX1.exe" ENABLE
            Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\En3e396wX1.exe" "En3e396wX1.exe" ENABLEJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
            Source: En3e396wX1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: C:\Users\user\Desktop\En3e396wX1.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
            Source: En3e396wX1.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            barindex
            .NET source code contains potential unpacker
            Source: En3e396wX1.exe, -.cs.Net Code: @ System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeMemory allocated: 1060000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeMemory allocated: 2EC0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeMemory allocated: 4EC0000 memory commit | memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeWindow / User API: threadDelayed 694Jump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeWindow / User API: threadDelayed 4987Jump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeWindow / User API: threadDelayed 3646Jump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeWindow / User API: foregroundWindowGot 778Jump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeWindow / User API: foregroundWindowGot 775Jump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exe TID: 6568Thread sleep count: 694 > 30Jump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exe TID: 6568Thread sleep time: -69400s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exe TID: 5788Thread sleep count: 4987 > 30Jump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exe TID: 5788Thread sleep time: -4987000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exe TID: 5788Thread sleep count: 3646 > 30Jump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exe TID: 5788Thread sleep time: -3646000s >= -30000sJump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: netsh.exe, 00000002.00000002.2055561038.0000000000B4A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: En3e396wX1.exe, 00000000.00000002.4484672844.0000000001101000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeMemory allocated: page read and write | page guardJump to behavior
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/22 | 12:41:17 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:36:39 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:49:37 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 01:50:04 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:59:18 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:24:41 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:49:59 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:23:19 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:32:41 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:05:56 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:47:20 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:15:15 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:28:35 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:42:00 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:39:17 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/24 | 17:56:53 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:54:55 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:58:06 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:16:38 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:29:58 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:56:32 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:56:10 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:02:04 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:12:39 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:41:35 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:46:51 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:44:42 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:48:47 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:19:23 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:18:54 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:20:33 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 09:12:05 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:28:13 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:26:58 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:00:49 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/24 | 18:12:50 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 08:04:01 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:36:17 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:10:08 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:42:04 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 01:04:44 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:31:15 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 01:30:10 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:44:35 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:26:04 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/22 | 13:25:00 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:21:56 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:52:39 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 01:20:51 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 02:55:11 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:16:45 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:48:29 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:24:49 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4484946830.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4484946830.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/14 | 06:56:46 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:08:34 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:00:27 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:33:31 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 12:01:01 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 03:07:20 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 01:15:33 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:25:28 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:15:24 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:52:35 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/22 | 13:47:54 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 02:23:37 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:55:24 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:53:47 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:48:50 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:03:12 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:55:02 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:15:08 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:13:52 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:01:57 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:47:17 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:09:20 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:37:58 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:30:46 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:31:31 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:07:04 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:57:40 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:03:03 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:53:54 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 08:47:03 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:01:28 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:22:42 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:51:09 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:40:34 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:32:01 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:45:50 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:11:16 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:45:21 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:47:37 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:49:42 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 09:45:48 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:56:25 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:33:46 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:59:36 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:04:33 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:01:40 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:20:26 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:56:54 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:09:33 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:36:28 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:42:11 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 11:57:23 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:43:05 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:38:12 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:04:04 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:32:52 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:40:27 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:19:18 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4484946830.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4484946830.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/15 | 03:02:14 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 07:58:39 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:22:10 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/22 | 13:51:42 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 09:09:47 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:09:59 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:46:42 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:53:25 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:06:57 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:40:58 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:16:16 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 16:48:21 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:24:27 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:16:23 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:03:25 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:46:29 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 10:21:33 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:16:34 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:14:23 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:10:52 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:52:46 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:19:55 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:22:27 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 03:11:47 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:29:14 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 02:13:02 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:37:47 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:27:27 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:12:51 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:00:32 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:27:59 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:39:02 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:06:03 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 02:01:59 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:37:18 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:35:30 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 09:33:29 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:28:53 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:56:49 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:02:49 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:35:18 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:12:08 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:43:34 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:25:59 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:25:42 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:25:40 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 02:54:57 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:50:30 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:59:01 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 03:43:21 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 08:47:40 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 16:38:25 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:43:50 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:49:20 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:50:54 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:13:09 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:18:47 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:51:32 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:51:54 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:28:06 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:54:48 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:49:08 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:29:29 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:13:21 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:39:49 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:14:53 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:46:44 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:31:47 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:31:53 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:59:47 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:41:06 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:15:22 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:23:57 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:49:05 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:23:43 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:39:46 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/22 | 12:49:48 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 02:19:49 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:53:30 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4484946830.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4484946830.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/15 | 02:45:24 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4484946830.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4484946830.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/15 | 02:55:59 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:22:05 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:18:38 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 10:52:16 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:07:28 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:05:05 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 16:59:49 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:30:09 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:03:40 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:33:16 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:13:23 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:59:25 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:05:19 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:01:03 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:14:01 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:44:58 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:50:02 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:39:31 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:12:46 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 01:47:46 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:21:34 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:02:26 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:14:39 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:54:18 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:04:19 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 16:29:20 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 11:11:07 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:26:33 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/22 | 12:51:13 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:29:11 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:36:55 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:19:52 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:09:11 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:58:26 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:29:27 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4484946830.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4484946830.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/15 | 03:12:10 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:26:34 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:51:23 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:36:54 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:02:41 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:46:13 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:04:15 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:26:35 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:28:50 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 02:02:50 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:10:45 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:38:19 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 01:12:19 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:24:58 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:55:31 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:26:13 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:16:54 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:54:31 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 12:13:20 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:24:29 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:21:04 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 01:23:08 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4484946830.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4484946830.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/15 | 02:56:13 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:50:32 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:15:04 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:43:28 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 09:03:00 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 10:49:58 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/24 | 17:23:10 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4484946830.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4484946830.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/15 | 03:56:42 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:37:24 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:35:24 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 03:44:51 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:03:41 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:23:40 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:13:00 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:19:09 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:45:28 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:27:20 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:59:48 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:11:45 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:17:27 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:40:43 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:19:30 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:48:07 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:51:53 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:47:44 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:30:23 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:39:42 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:42:07 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:27:34 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:07:27 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 02:08:21 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:55:48 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:18:17 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/22 | 12:38:20 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:32:48 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:43:30 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 16:59:10 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:08:58 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4484946830.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4484946830.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/15 | 03:17:27 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:52:24 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:17:17 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:35:53 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:02:58 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:08:29 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:45:12 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:12:17 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:13:01 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:30:21 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 08:26:55 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 10:53:46 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:19:01 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:48:36 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:32:16 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:02:10 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:00:02 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:22:26 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 12:34:07 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:50:31 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:21:15 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:27:05 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:24:12 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:17:46 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:22:57 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/22 | 12:53:36 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:05:34 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:57:55 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:55:19 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:40:11 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:28:57 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:14:22 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:34:32 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:16:31 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:15:09 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:02:40 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:01:56 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:39:05 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:40:28 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:48:59 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:24:35 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:12:21 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:10:44 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:26:12 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:20:25 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:31:18 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:34:16 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:04:56 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:15:41 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:37:55 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:51:00 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:56:24 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 01:01:50 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:00:57 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:00:35 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:09:58 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:08:26 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:48:20 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:56:59 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:32:53 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:32:39 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 10:11:37 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:52:32 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:04:27 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/22 | 13:44:01 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 09:58:21 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:40:57 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/22 | 12:50:59 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:28:05 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:40:42 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 01:12:56 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:15:45 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:49:45 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:37:31 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:23:27 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:52:18 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:57:49 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:01:02 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:28:16 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:21:57 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:00:26 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:45:53 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:12:45 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:19:39 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 10:01:19 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 16:29:59 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:39:09 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:04:41 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:15:23 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:54:47 - Program Manager
            Source: En3e396wX1.exeBinary or memory string: Shell_traywnd+MostrarBarraDeTarefas
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 11:18:45 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 08:13:43 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:23:10 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:55:16 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:15:16 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:58:25 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:07:57 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:47:12 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:26:30 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:11:24 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:18:09 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:08:40 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:29:28 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:57:25 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:24:46 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:06:56 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 09:12:42 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:16:37 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:49:21 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 01:10:55 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:12:49 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:18:53 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:23:58 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:26:42 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 03:19:19 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:39:54 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:43:37 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 01:03:51 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:34:46 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:09:04 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:04:10 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 12:51:44 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:41:43 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:47:58 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:02:57 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:43:59 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:36:30 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:25:11 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 11:45:41 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:56:31 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:00:40 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:54:54 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 11:22:33 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:29:07 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:06:49 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:52:38 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:26:59 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:59:33 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 12:13:59 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:32:46 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:53:46 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/22 | 13:53:06 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:32:04 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:38:02 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:08:57 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:59:26 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/22 | 12:45:02 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:35:54 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:53:33 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4484946830.000000000320D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 07:38:08 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:17:45 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:10:23 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:06:40 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:41:58 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 06:46:06 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:01:32 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:09:41 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:32:15 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:43:42 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:54:30 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 07:54:15 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:27:06 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4484946830.0000000002F79000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4484946830.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/15 | 03:06:38 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/22 | 13:08:00 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 10:13:38 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:13:39 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 01:48:00 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 16:22:58 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/22 | 13:05:08 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:43:13 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:09:27 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 12:06:55 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:45:42 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:11:39 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:34:23 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:36:00 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 08:30:06 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/22 | 12:52:43 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:35:00 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:26:29 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:04:34 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:21:19 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:33:52 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 08:29:10 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:40:35 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 21:14:47 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:11:08 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:00:56 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:31:01 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:48:37 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/22 | 12:43:01 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:23:41 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:45:36 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 07:07:40 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 02:09:14 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:57:18 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:15:44 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 00:25:39 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 01:00:59 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:32:22 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/17 | 11:42:49 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 04:27:43 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:01:33 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 22:12:38 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:55:47 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 19:38:53 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:35:47 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 23:49:58 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 08:08:03 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 18:33:09 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 17:52:01 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/19 | 20:43:20 - Program Manager
            Source: En3e396wX1.exe, 00000000.00000002.4486143905.0000000003EDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/04/20 | 05:26:05 - Program Manager
            Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\En3e396wX1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Lowering of HIPS / PFW / Operating System Security Settings

            barindex
            Contains functionality to disable the Task Manager (.Net Source)
            Source: En3e396wX1.exe, -.cs.Net Code: @
            Disables zone checking for all users
            Source: C:\Users\user\Desktop\En3e396wX1.exeRegistry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKSJump to behavior
            Modifies the windows firewall
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\En3e396wX1.exe" "En3e396wX1.exe" ENABLE
            Uses netsh to modify the Windows network and firewall settings
            Source: C:\Users\user\Desktop\En3e396wX1.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\En3e396wX1.exe" "En3e396wX1.exe" ENABLE

            Stealing of Sensitive Information

            barindex
            Yara detected Njrat
            Source: Yara matchFile source: En3e396wX1.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.En3e396wX1.exe.8f0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.4484946830.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: En3e396wX1.exe PID: 5348, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected Njrat
            Source: Yara matchFile source: En3e396wX1.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.En3e396wX1.exe.8f0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.4484946830.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: En3e396wX1.exe PID: 5348, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire Infrastructure11
            Replication Through Removable Media            		Windows Management Instrumentation1
            DLL Side-Loading            		1
            Access Token Manipulation            		1
            Masquerading            		OS Credential Dumping1
            Security Software Discovery            		Remote Services1
            Archive Collected Data            		1
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts2
            Process Injection            		2
            Virtualization/Sandbox Evasion            		LSASS Memory2
            Virtualization/Sandbox Evasion            		Remote Desktop Protocol1
            Clipboard Data            		1
            Non-Standard Port            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
            DLL Side-Loading            		41
            Disable or Modify Tools            		Security Account Manager1
            Process Discovery            		SMB/Windows Admin SharesData from Network Shared Drive1
            Non-Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
            Access Token Manipulation            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput Capture1
            Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
            Process Injection            		LSA Secrets1
            Peripheral Device Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Software Packing            		Cached Domain Credentials12
            System Information Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            DLL Side-Loading            		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            En3e396wX1.exe82%ReversingLabsByteCode-MSIL.Backdoor.Bladabhindi
            En3e396wX1.exe79%VirustotalBrowse
            En3e396wX1.exe100%AviraTR/Dropper.Gen
            En3e396wX1.exe100%Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            SourceDetectionScannerLabelLink
            2.tcp.eu.ngrok.io12%VirustotalBrowse

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            2.tcp.eu.ngrok.io
            		18.197.239.5
            		truetrueunknown

            World Map of Contacted IPs

            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs

            Public IPs

            IPDomainCountryFlagASNASN NameMalicious
            3.127.138.57
            		unknownUnited States
            		16509AMAZON-02UStrue
            18.156.13.209
            		unknownUnited States
            		16509AMAZON-02UStrue
            18.197.239.5
            		2.tcp.eu.ngrok.ioUnited States
            		16509AMAZON-02UStrue

            General Information

            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1425675
            Start date and time:2024-04-14 06:51:07 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 7m 2s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:6
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:En3e396wX1.exe
            renamed because original name is a hash value
            Original Sample Name:F0FF2A2046A4FEFCD2D04C92C812FCF2.exe
            Detection:MAL
            Classification:mal100.spre.phis.troj.evad.winEXE@4/2@4/3
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 98%
            • Number of executed functions: 116
            • Number of non-executed functions: 3
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240s for sample files taking high CPU consumption

            Warnings

            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            TimeTypeDescription
            06:52:33API Interceptor619924x Sleep call for process: En3e396wX1.exe modified

            Joe Sandbox View / Context

            IPs

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            3.127.138.57ea1Wv7aq.posh.ps1Get hashmaliciousMetasploitBrowse
              R3ov8eFFFP.exeGet hashmaliciousNjratBrowse
                b8UsrDOVGV.exeGet hashmaliciousNjratBrowse
                  2G8CgDVl3K.exeGet hashmaliciousNjratBrowse
                    tiodtk2cfy.exeGet hashmaliciousNjratBrowse
                      QUuUm3J8x3.exeGet hashmaliciousNjratBrowse
                        RWqHoCWEPI.exeGet hashmaliciousNjratBrowse
                          OUXkIxeP6k.exeGet hashmaliciousNjratBrowse
                            eI43OwXSvq.exeGet hashmaliciousNjratBrowse
                              i9z1c1OtFb.exeGet hashmaliciousNjratBrowse
                                18.156.13.209http://www.sdrclm.cn/vendor/phpdocumentor/P800/P90GT_Invoice_Related_Property_Tax_P800.exeGet hashmaliciousRedLineBrowse
                                • 2.tcp.eu.ngrok.io:17685/
                                18.197.239.5P90GT_Invoice_Related_Property_Tax_P800.exeGet hashmaliciousRedLineBrowse
                                • 2.tcp.eu.ngrok.io:17685/

                                Domains

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                2.tcp.eu.ngrok.ioZxocxU01PB.exeGet hashmaliciousNjratBrowse
                                • 18.197.239.5
                                4xKDL5YCfQ.exeGet hashmaliciousNjratBrowse
                                • 18.156.13.209
                                R3ov8eFFFP.exeGet hashmaliciousNjratBrowse
                                • 3.127.138.57
                                Ve0c8i5So2.exeGet hashmaliciousNjratBrowse
                                • 18.157.68.73
                                LMQV4V1d3E.exeGet hashmaliciousNjratBrowse
                                • 18.192.93.86
                                b8UsrDOVGV.exeGet hashmaliciousNjratBrowse
                                • 3.127.138.57
                                2G8CgDVl3K.exeGet hashmaliciousNjratBrowse
                                • 18.197.239.5
                                BHp5Is5Xe7.exeGet hashmaliciousNjratBrowse
                                • 18.192.93.86
                                tiodtk2cfy.exeGet hashmaliciousNjratBrowse
                                • 3.127.138.57
                                QUuUm3J8x3.exeGet hashmaliciousNjratBrowse
                                • 3.127.138.57

                                ASNs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                AMAZON-02UShttp://www2.gerdau.com.br/fornecedoresGet hashmaliciousUnknownBrowse
                                • 54.74.204.68
                                TaNoeG7qKG.elfGet hashmaliciousMiraiBrowse
                                • 52.59.238.42
                                https://iamhemantgauhai.github.io/Task-1-Netflix-Replica-UI/Get hashmaliciousUnknownBrowse
                                • 34.208.213.96
                                https://cloudde-e0e7.samariakurtz.workers.dev/633c62d4-5847-4578-aefc-6b70c4961623Get hashmaliciousHTMLPhisherBrowse
                                • 3.163.125.60
                                https://enjucm-6424.anotudhoeah.workers.dev/8dc0c739-61df-4e9d-9bd9-b5bc957356bfGet hashmaliciousHTMLPhisherBrowse
                                • 3.163.125.15
                                https://szyishikang.com/Get hashmaliciousUnknownBrowse
                                • 54.248.198.108
                                http://validartucuentaaqui.mx.zya.me/login.live.com_login_verify_credentials_outlook.html?i=3Get hashmaliciousUnknownBrowse
                                • 54.67.124.80
                                https://rolexz.b-cdn.net/Wi0n0MntyEr00170887/index.htmlGet hashmaliciousUnknownBrowse
                                • 18.195.235.189
                                gvCeE0lHPK.elfGet hashmaliciousMirai, GafgytBrowse
                                • 34.249.145.219
                                5DRwjDjwst.elfGet hashmaliciousGafgyt, MiraiBrowse
                                • 34.249.145.219
                                AMAZON-02UShttp://www2.gerdau.com.br/fornecedoresGet hashmaliciousUnknownBrowse
                                • 54.74.204.68
                                TaNoeG7qKG.elfGet hashmaliciousMiraiBrowse
                                • 52.59.238.42
                                https://iamhemantgauhai.github.io/Task-1-Netflix-Replica-UI/Get hashmaliciousUnknownBrowse
                                • 34.208.213.96
                                https://cloudde-e0e7.samariakurtz.workers.dev/633c62d4-5847-4578-aefc-6b70c4961623Get hashmaliciousHTMLPhisherBrowse
                                • 3.163.125.60
                                https://enjucm-6424.anotudhoeah.workers.dev/8dc0c739-61df-4e9d-9bd9-b5bc957356bfGet hashmaliciousHTMLPhisherBrowse
                                • 3.163.125.15
                                https://szyishikang.com/Get hashmaliciousUnknownBrowse
                                • 54.248.198.108
                                http://validartucuentaaqui.mx.zya.me/login.live.com_login_verify_credentials_outlook.html?i=3Get hashmaliciousUnknownBrowse
                                • 54.67.124.80
                                https://rolexz.b-cdn.net/Wi0n0MntyEr00170887/index.htmlGet hashmaliciousUnknownBrowse
                                • 18.195.235.189
                                gvCeE0lHPK.elfGet hashmaliciousMirai, GafgytBrowse
                                • 34.249.145.219
                                5DRwjDjwst.elfGet hashmaliciousGafgyt, MiraiBrowse
                                • 34.249.145.219
                                AMAZON-02UShttp://www2.gerdau.com.br/fornecedoresGet hashmaliciousUnknownBrowse
                                • 54.74.204.68
                                TaNoeG7qKG.elfGet hashmaliciousMiraiBrowse
                                • 52.59.238.42
                                https://iamhemantgauhai.github.io/Task-1-Netflix-Replica-UI/Get hashmaliciousUnknownBrowse
                                • 34.208.213.96
                                https://cloudde-e0e7.samariakurtz.workers.dev/633c62d4-5847-4578-aefc-6b70c4961623Get hashmaliciousHTMLPhisherBrowse
                                • 3.163.125.60
                                https://enjucm-6424.anotudhoeah.workers.dev/8dc0c739-61df-4e9d-9bd9-b5bc957356bfGet hashmaliciousHTMLPhisherBrowse
                                • 3.163.125.15
                                https://szyishikang.com/Get hashmaliciousUnknownBrowse
                                • 54.248.198.108
                                http://validartucuentaaqui.mx.zya.me/login.live.com_login_verify_credentials_outlook.html?i=3Get hashmaliciousUnknownBrowse
                                • 54.67.124.80
                                https://rolexz.b-cdn.net/Wi0n0MntyEr00170887/index.htmlGet hashmaliciousUnknownBrowse
                                • 18.195.235.189
                                gvCeE0lHPK.elfGet hashmaliciousMirai, GafgytBrowse
                                • 34.249.145.219
                                5DRwjDjwst.elfGet hashmaliciousGafgyt, MiraiBrowse
                                • 34.249.145.219

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\Roaming\app

                                Download File
                                Process:C:\Users\user\Desktop\En3e396wX1.exe
                                File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                Category:dropped
                                Size (bytes):5
                                Entropy (8bit):2.321928094887362
                                Encrypted:false
                                SSDEEP:3:3n:3
                                MD5:8F11404A507CFB98455F89A534077F73
                                SHA1:0716C668F504450353527AFF1A6457B8348CF435
                                SHA-256:F7C301F3FCCE1C2444B540090E5024F0CEA1806AB8AE1D81901ECC3B63334CBB
                                SHA-512:85403DD06DA5851E8C4D727CA8D87CC0E7FF4974942EC22123366684ED0E51B543A29B6D2521E2E65784C69884FDE8D711E5064F104B098293FCD18C44769492
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:.14

                                \Device\ConDrv

                                Download File
                                Process:C:\Windows\SysWOW64\netsh.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):313
                                Entropy (8bit):4.971939296804078
                                Encrypted:false
                                SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                                MD5:689E2126A85BF55121488295EE068FA1
                                SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                                SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                                SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):5.551495374876113
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Windows Screen Saver (13104/52) 0.07%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                File name:En3e396wX1.exe
                                File size:93'184 bytes
                                MD5:f0ff2a2046a4fefcd2d04c92c812fcf2
                                SHA1:d2004f23d6b5a90888395c1f2d72d288b2dea821
                                SHA256:06b314e6e7127b58bdafcd05252a28af38233afe2b188584eb4d27ab372c8762
                                SHA512:6d7767f7228397ba91fb87bb0d320533b1fb8d35a05cccbef58f19f2ad1101a3799bdfb4baacd8e0ccc6899cc2b61685801fe2702b17f3d94652bc323cfcb90c
                                SSDEEP:768:eGZefAM+0uGAfIi+qXuzMywjZdLJakHX+xWvYR4SYzkYFI3tr3/iTnRVOR1MY4qn:YfAl0pUjBjZdL4kHG5mkYQJVR1/LpNv
                                TLSH:2293E84D37E55065E2FE4AF3A870B2400FB9F0471742938D49E1A9761A33AD88F94DBB
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..f.................h..........^.... ........@.. ....................................@................................

                                File Icon

                                Icon Hash:00928e8e8686b000

                                Static PE Info

                                General

                                Entrypoint:0x41865e
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0x6600185C [Sun Mar 24 12:11:08 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al

                                Data Directories

                                NameVirtual AddressVirtual Size Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IMPORT0x1860c0x4f.text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC0x1a0000xc.reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                Sections

                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                .text0x20000x166640x16800926e9318c320b36a1762b59563d53789False0.3633355034722222data5.584254622217285IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .reloc0x1a0000xc0x200ff06ea9c63404a08dec111ab855065d8False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Imports

                                DLLImport
                                mscoree.dll_CorExeMain

                                Network Behavior

                                Snort IDS Alerts

                                TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                04/14/24-06:54:11.093222TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4971614095192.168.2.518.156.13.209
                                04/14/24-06:53:07.096652TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4971414095192.168.2.53.127.138.57
                                04/14/24-06:54:11.400675TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4971614095192.168.2.518.156.13.209
                                04/14/24-06:54:14.327523TCP2825564ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)4971614095192.168.2.518.156.13.209
                                04/14/24-06:52:08.702264TCP2825564ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)4970514095192.168.2.518.197.239.5
                                04/14/24-06:53:07.405791TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4971414095192.168.2.53.127.138.57
                                04/14/24-06:55:15.097163TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4971714095192.168.2.518.197.239.5
                                04/14/24-06:52:08.702264TCP2814860ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)4970514095192.168.2.518.197.239.5
                                04/14/24-06:52:03.604825TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4970514095192.168.2.518.197.239.5
                                04/14/24-06:52:03.291445TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4970514095192.168.2.518.197.239.5
                                04/14/24-06:54:14.327523TCP2814860ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)4971614095192.168.2.518.156.13.209
                                04/14/24-06:55:15.404401TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4971714095192.168.2.518.197.239.5

                                Network Port Distribution

                                TCP Packets

                                TimestampSource PortDest PortSource IPDest IP
                                Apr 14, 2024 06:52:02.909413099 CEST4970514095192.168.2.518.197.239.5
                                Apr 14, 2024 06:52:03.222256899 CEST140954970518.197.239.5192.168.2.5
                                Apr 14, 2024 06:52:03.222475052 CEST4970514095192.168.2.518.197.239.5
                                Apr 14, 2024 06:52:03.291445017 CEST4970514095192.168.2.518.197.239.5
                                Apr 14, 2024 06:52:03.604640007 CEST140954970518.197.239.5192.168.2.5
                                Apr 14, 2024 06:52:03.604825020 CEST4970514095192.168.2.518.197.239.5
                                Apr 14, 2024 06:52:03.917789936 CEST140954970518.197.239.5192.168.2.5
                                Apr 14, 2024 06:52:08.702264071 CEST4970514095192.168.2.518.197.239.5
                                Apr 14, 2024 06:52:09.015352011 CEST140954970518.197.239.5192.168.2.5
                                Apr 14, 2024 06:52:24.237376928 CEST140954970518.197.239.5192.168.2.5
                                Apr 14, 2024 06:52:24.237430096 CEST4970514095192.168.2.518.197.239.5
                                Apr 14, 2024 06:52:39.553397894 CEST140954970518.197.239.5192.168.2.5
                                Apr 14, 2024 06:52:39.553491116 CEST4970514095192.168.2.518.197.239.5
                                Apr 14, 2024 06:52:54.869601965 CEST140954970518.197.239.5192.168.2.5
                                Apr 14, 2024 06:52:54.870095968 CEST4970514095192.168.2.518.197.239.5
                                Apr 14, 2024 06:53:04.615612030 CEST140954970518.197.239.5192.168.2.5
                                Apr 14, 2024 06:53:04.615706921 CEST4970514095192.168.2.518.197.239.5
                                Apr 14, 2024 06:53:06.625715017 CEST4970514095192.168.2.518.197.239.5
                                Apr 14, 2024 06:53:06.785188913 CEST4971414095192.168.2.53.127.138.57
                                Apr 14, 2024 06:53:06.939268112 CEST140954970518.197.239.5192.168.2.5
                                Apr 14, 2024 06:53:07.095134974 CEST14095497143.127.138.57192.168.2.5
                                Apr 14, 2024 06:53:07.095232964 CEST4971414095192.168.2.53.127.138.57
                                Apr 14, 2024 06:53:07.096652031 CEST4971414095192.168.2.53.127.138.57
                                Apr 14, 2024 06:53:07.405733109 CEST14095497143.127.138.57192.168.2.5
                                Apr 14, 2024 06:53:07.405791044 CEST4971414095192.168.2.53.127.138.57
                                Apr 14, 2024 06:53:07.714529991 CEST14095497143.127.138.57192.168.2.5
                                Apr 14, 2024 06:53:22.715188026 CEST14095497143.127.138.57192.168.2.5
                                Apr 14, 2024 06:53:22.715266943 CEST4971414095192.168.2.53.127.138.57
                                Apr 14, 2024 06:53:38.027453899 CEST14095497143.127.138.57192.168.2.5
                                Apr 14, 2024 06:53:38.027632952 CEST4971414095192.168.2.53.127.138.57
                                Apr 14, 2024 06:53:53.343367100 CEST14095497143.127.138.57192.168.2.5
                                Apr 14, 2024 06:53:53.343533993 CEST4971414095192.168.2.53.127.138.57
                                Apr 14, 2024 06:54:08.610907078 CEST14095497143.127.138.57192.168.2.5
                                Apr 14, 2024 06:54:08.611697912 CEST4971414095192.168.2.53.127.138.57
                                Apr 14, 2024 06:54:10.623795986 CEST4971414095192.168.2.53.127.138.57
                                Apr 14, 2024 06:54:10.783406019 CEST4971614095192.168.2.518.156.13.209
                                Apr 14, 2024 06:54:10.932416916 CEST14095497143.127.138.57192.168.2.5
                                Apr 14, 2024 06:54:11.091090918 CEST140954971618.156.13.209192.168.2.5
                                Apr 14, 2024 06:54:11.091217995 CEST4971614095192.168.2.518.156.13.209
                                Apr 14, 2024 06:54:11.093221903 CEST4971614095192.168.2.518.156.13.209
                                Apr 14, 2024 06:54:11.400532007 CEST140954971618.156.13.209192.168.2.5
                                Apr 14, 2024 06:54:11.400675058 CEST4971614095192.168.2.518.156.13.209
                                Apr 14, 2024 06:54:11.708328009 CEST140954971618.156.13.209192.168.2.5
                                Apr 14, 2024 06:54:14.327522993 CEST4971614095192.168.2.518.156.13.209
                                Apr 14, 2024 06:54:14.635154009 CEST140954971618.156.13.209192.168.2.5
                                Apr 14, 2024 06:54:29.716849089 CEST140954971618.156.13.209192.168.2.5
                                Apr 14, 2024 06:54:29.717046976 CEST4971614095192.168.2.518.156.13.209
                                Apr 14, 2024 06:54:45.025136948 CEST140954971618.156.13.209192.168.2.5
                                Apr 14, 2024 06:54:45.025391102 CEST4971614095192.168.2.518.156.13.209
                                Apr 14, 2024 06:55:00.332755089 CEST140954971618.156.13.209192.168.2.5
                                Apr 14, 2024 06:55:00.332817078 CEST4971614095192.168.2.518.156.13.209
                                Apr 14, 2024 06:55:12.614891052 CEST140954971618.156.13.209192.168.2.5
                                Apr 14, 2024 06:55:12.615005016 CEST4971614095192.168.2.518.156.13.209
                                Apr 14, 2024 06:55:14.624006033 CEST4971614095192.168.2.518.156.13.209
                                Apr 14, 2024 06:55:14.786896944 CEST4971714095192.168.2.518.197.239.5
                                Apr 14, 2024 06:55:14.931185007 CEST140954971618.156.13.209192.168.2.5
                                Apr 14, 2024 06:55:15.096182108 CEST140954971718.197.239.5192.168.2.5
                                Apr 14, 2024 06:55:15.096323013 CEST4971714095192.168.2.518.197.239.5
                                Apr 14, 2024 06:55:15.097162962 CEST4971714095192.168.2.518.197.239.5
                                Apr 14, 2024 06:55:15.404283047 CEST140954971718.197.239.5192.168.2.5
                                Apr 14, 2024 06:55:15.404401064 CEST4971714095192.168.2.518.197.239.5
                                Apr 14, 2024 06:55:15.711644888 CEST140954971718.197.239.5192.168.2.5
                                Apr 14, 2024 06:55:30.712021112 CEST140954971718.197.239.5192.168.2.5
                                Apr 14, 2024 06:55:30.712107897 CEST4971714095192.168.2.518.197.239.5
                                Apr 14, 2024 06:55:46.024148941 CEST140954971718.197.239.5192.168.2.5
                                Apr 14, 2024 06:55:46.024267912 CEST4971714095192.168.2.518.197.239.5
                                Apr 14, 2024 06:56:01.348027945 CEST140954971718.197.239.5192.168.2.5
                                Apr 14, 2024 06:56:01.351560116 CEST4971714095192.168.2.518.197.239.5

                                UDP Packets

                                TimestampSource PortDest PortSource IPDest IP
                                Apr 14, 2024 06:52:02.748292923 CEST6351253192.168.2.51.1.1.1
                                Apr 14, 2024 06:52:02.906595945 CEST53635121.1.1.1192.168.2.5
                                Apr 14, 2024 06:53:06.627624035 CEST6544753192.168.2.51.1.1.1
                                Apr 14, 2024 06:53:06.784053087 CEST53654471.1.1.1192.168.2.5
                                Apr 14, 2024 06:54:10.624919891 CEST5725753192.168.2.51.1.1.1
                                Apr 14, 2024 06:54:10.782660961 CEST53572571.1.1.1192.168.2.5
                                Apr 14, 2024 06:55:14.626933098 CEST5028053192.168.2.51.1.1.1
                                Apr 14, 2024 06:55:14.783973932 CEST53502801.1.1.1192.168.2.5

                                DNS Queries

                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                Apr 14, 2024 06:52:02.748292923 CEST192.168.2.51.1.1.10xa875Standard query (0)2.tcp.eu.ngrok.ioA (IP address)IN (0x0001)false
                                Apr 14, 2024 06:53:06.627624035 CEST192.168.2.51.1.1.10x2478Standard query (0)2.tcp.eu.ngrok.ioA (IP address)IN (0x0001)false
                                Apr 14, 2024 06:54:10.624919891 CEST192.168.2.51.1.1.10x2c84Standard query (0)2.tcp.eu.ngrok.ioA (IP address)IN (0x0001)false
                                Apr 14, 2024 06:55:14.626933098 CEST192.168.2.51.1.1.10xa140Standard query (0)2.tcp.eu.ngrok.ioA (IP address)IN (0x0001)false

                                DNS Answers

                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                Apr 14, 2024 06:52:02.906595945 CEST1.1.1.1192.168.2.50xa875No error (0)2.tcp.eu.ngrok.io18.197.239.5A (IP address)IN (0x0001)false
                                Apr 14, 2024 06:53:06.784053087 CEST1.1.1.1192.168.2.50x2478No error (0)2.tcp.eu.ngrok.io3.127.138.57A (IP address)IN (0x0001)false
                                Apr 14, 2024 06:54:10.782660961 CEST1.1.1.1192.168.2.50x2c84No error (0)2.tcp.eu.ngrok.io18.156.13.209A (IP address)IN (0x0001)false
                                Apr 14, 2024 06:55:14.783973932 CEST1.1.1.1192.168.2.50xa140No error (0)2.tcp.eu.ngrok.io18.197.239.5A (IP address)IN (0x0001)false

                                Statistics

                                CPU Usage

                                Click to jump to process

                                Memory Usage

                                Click to jump to process

                                High Level Behavior Distribution

                                Click to dive into process behavior distribution

                                Behavior

                                Click to jump to process

                                System Behavior

                                General

                                Target ID:0
                                Start time:06:51:57
                                Start date:14/04/2024
                                Path:C:\Users\user\Desktop\En3e396wX1.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\En3e396wX1.exe"
                                Imagebase:0x8f0000
                                File size:93'184 bytes
                                MD5 hash:F0FF2A2046A4FEFCD2D04C92C812FCF2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.2029633518.00000000008F2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.4484946830.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false

                                General

                                Target ID:2
                                Start time:06:51:59
                                Start date:14/04/2024
                                Path:C:\Windows\SysWOW64\netsh.exe
                                Wow64 process (32bit):true
                                Commandline:netsh firewall add allowedprogram "C:\Users\user\Desktop\En3e396wX1.exe" "En3e396wX1.exe" ENABLE
                                Imagebase:0x1080000
                                File size:82'432 bytes
                                MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                General

                                Target ID:3
                                Start time:06:51:59
                                Start date:14/04/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Disassembly

                                Reset < >

                                  Execution Graph

                                  Execution Coverage:11.5%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:3.3%
                                  Total number of Nodes:92
                                  Total number of Limit Nodes:5
                                  execution_graph 19736 5232726 19738 523275b GetProcessWorkingSetSize 19736->19738 19739 5232787 19738->19739 19740 100a186 19741 100a1f3 19740->19741 19742 100a1bb send 19740->19742 19741->19742 19743 100a1c9 19742->19743 19744 52316aa 19747 52316e5 LoadLibraryA 19744->19747 19746 5231722 19747->19746 19807 5230e6a 19809 5230e9f shutdown 19807->19809 19810 5230ec8 19809->19810 19752 100b40e 19754 100b443 RegSetValueExW 19752->19754 19755 100b48f 19754->19755 19756 5231132 19757 5231167 GetProcessTimes 19756->19757 19759 5231199 19757->19759 19811 5230572 19813 52305aa WSASocketW 19811->19813 19814 52305e6 19813->19814 19760 100aa12 19761 100aa3e SetErrorMode 19760->19761 19763 100aa67 19760->19763 19762 100aa53 19761->19762 19763->19761 19764 100b212 19765 100b24a RegOpenKeyExW 19764->19765 19767 100b2a0 19765->19767 19815 523227a 19817 52322a3 select 19815->19817 19818 52322d8 19817->19818 19768 100b31a 19769 100b34f RegQueryValueExW 19768->19769 19771 100b3a3 19769->19771 19772 100a59a 19773 100a610 19772->19773 19774 100a5d8 DuplicateHandle 19772->19774 19773->19774 19775 100a5e6 19774->19775 19819 52313fe 19821 5231433 WSAConnect 19819->19821 19822 5231452 19821->19822 19823 100a65e 19824 100a6c0 19823->19824 19825 100a68a OleInitialize 19823->19825 19824->19825 19826 100a698 19825->19826 19827 5230bc6 19828 5230bfe MapViewOfFile 19827->19828 19830 5230c4d 19828->19830 19776 100aaa6 19778 100aade CreateFileW 19776->19778 19779 100ab2d 19778->19779 19780 523280a 19782 523283f SetProcessWorkingSetSize 19780->19782 19783 523286b 19782->19783 19831 523264a 19833 523267f GetExitCodeProcess 19831->19833 19834 52326a8 19833->19834 19835 100ac6a 19838 100ac9f GetFileType 19835->19838 19837 100accc 19838->19837 19839 100b06a 19841 100b0a2 CreateMutexW 19839->19841 19842 100b0e5 19841->19842 19843 52324ce 19844 52324fd AdjustTokenPrivileges 19843->19844 19846 523251f 19844->19846 19847 5231fce 19848 5232006 RegCreateKeyExW 19847->19848 19850 5232078 19848->19850 19784 100aeae 19787 100aee3 ReadFile 19784->19787 19786 100af15 19787->19786 19788 100a72e 19789 100a77e OleGetClipboard 19788->19789 19790 100a78c 19789->19790 19791 5230a16 19793 5230a4e ConvertStringSecurityDescriptorToSecurityDescriptorW 19791->19793 19794 5230a8f 19793->19794 19854 100b4f6 19856 100b531 SendMessageTimeoutA 19854->19856 19857 100b579 19856->19857 19795 523219e 19797 52321d3 ioctlsocket 19795->19797 19798 52321ff 19797->19798 19799 523121e 19801 5231259 getaddrinfo 19799->19801 19802 52312cb 19801->19802 19803 100abbe 19804 100ac29 19803->19804 19805 100abea FindCloseChangeNotification 19803->19805 19804->19805 19806 100abf8 19805->19806

                                  Executed Functions

                                  Function 050C4298 Relevance: 3.2, Strings: 1, Instructions: 1950COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 0 50c4298-50c42c9 3 50c42cf-50c4350 0->3 4 50c4352-50c435a 0->4 3->4 32 50c435c 3->32 5 50c4366-50c437a 4->5 6 50c452f-50c467d 5->6 7 50c4380-50c43bc 5->7 45 50c480d-50c4821 6->45 46 50c4683-50c47d2 6->46 18 50c43ed-50c44ef 7->18 19 50c43be-50c43e6 7->19 18->6 19->18 32->5 47 50c496f-50c4983 45->47 48 50c4827-50c4934 45->48 46->45 50 50c4985-50c498b call 50c4210 47->50 51 50c49d6-50c49ea 47->51 48->47 61 50c4990-50c499b 50->61 53 50c49ec-50c49f7 51->53 54 50c4a32-50c4a46 51->54 53->54 59 50c4a4c-50c4b59 54->59 60 50c4b94-50c4ba8 54->60 59->60 62 50c4bae-50c4bc2 60->62 63 50c4cd4-50c4ce8 60->63 61->51 68 50c4bc4-50c4bcb 62->68 69 50c4bd0-50c4be4 62->69 72 50c4cee-50c4f2d 63->72 73 50c4f74-50c4f88 63->73 75 50c4c48-50c4c5c 68->75 76 50c4bef-50c4c03 69->76 77 50c4be6-50c4bed 69->77 72->73 78 50c4f8a-50c4f9b 73->78 79 50c4fe2-50c4ff6 73->79 83 50c4c5e-50c4c74 75->83 84 50c4c76-50c4c82 75->84 88 50c4c0e-50c4c22 76->88 89 50c4c05-50c4c0c 76->89 77->75 78->79 80 50c4ff8-50c4ffe 79->80 81 50c5045-50c5059 79->81 80->81 94 50c505b 81->94 95 50c50a2-50c50b6 81->95 93 50c4c8d 83->93 84->93 90 50c4c2d-50c4c41 88->90 91 50c4c24-50c4c2b 88->91 89->75 90->75 101 50c4c43-50c4c45 90->101 91->75 93->63 94->95 104 50c512d-50c5141 95->104 105 50c50b8-50c50e1 95->105 101->75 107 50c53b4-50c53c8 104->107 108 50c5147-50c5363 104->108 105->104 110 50c549e-50c54b2 107->110 111 50c53ce-50c5457 107->111 492 50c5365 108->492 493 50c5367 108->493 119 50c566f-50c5683 110->119 120 50c54b8-50c5628 110->120 111->110 122 50c5689-50c579f 119->122 123 50c57e6-50c57fa 119->123 120->119 122->123 132 50c595d-50c5971 123->132 133 50c5800-50c5916 123->133 141 50c5ad4-50c5ae8 132->141 142 50c5977-50c5a8d 132->142 133->132 147 50c5aee-50c5c04 141->147 148 50c5c4b-50c5c5f 141->148 142->141 147->148 155 50c5c65-50c5d7b 148->155 156 50c5dc2-50c5dd6 148->156 155->156 161 50c5ddc-50c5ef2 156->161 162 50c5f39-50c5f4d 156->162 161->162 168 50c60b0-50c60c4 162->168 169 50c5f53-50c6069 162->169 177 50c60ca-50c61e0 168->177 178 50c6227-50c623b 168->178 169->168 177->178 184 50c639e-50c63b2 178->184 185 50c6241-50c6357 178->185 194 50c63b8-50c63fd call 50c4278 184->194 195 50c6536-50c654a 184->195 185->184 327 50c64bd-50c64df 194->327 207 50c668d-50c66a1 195->207 208 50c6550-50c656f 195->208 221 50c67ee-50c6802 207->221 222 50c66a7-50c67a7 207->222 243 50c6614-50c6636 208->243 228 50c694f-50c6963 221->228 229 50c6808-50c6908 221->229 222->221 241 50c6969-50c6a69 228->241 242 50c6ab0-50c6ada 228->242 229->228 241->242 263 50c6b9a-50c6bae 242->263 264 50c6ae0-50c6b53 242->264 255 50c663c 243->255 256 50c6574-50c6583 243->256 255->207 266 50c663e 256->266 267 50c6589-50c65bc 256->267 278 50c6c8b-50c6c9f 263->278 279 50c6bb4-50c6c44 263->279 264->263 285 50c6643-50c668b 266->285 357 50c65be-50c65f8 267->357 358 50c6603-50c660c 267->358 287 50c6de5-50c6df9 278->287 288 50c6ca5-50c6d9e 278->288 279->278 285->207 298 50c705c-50c7070 287->298 299 50c6dff-50c6e4f 287->299 288->287 307 50c7158-50c715f 298->307 308 50c7076-50c7111 call 50c4278 * 2 298->308 419 50c6ebd-50c6ee8 299->419 420 50c6e51-50c6e77 299->420 308->307 341 50c64e5 327->341 342 50c6402-50c6411 327->342 341->195 354 50c64e7 342->354 355 50c6417-50c64b5 342->355 379 50c64ec-50c6534 354->379 355->379 491 50c64b7 355->491 357->358 358->285 360 50c660e 358->360 360->243 379->195 489 50c6eee-50c6fc1 419->489 490 50c6fc6-50c7057 419->490 495 50c6eb8 420->495 496 50c6e79-50c6e99 420->496 489->298 490->298 491->327 498 50c536d 492->498 493->498 495->298 496->495 498->107
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @
                                  • API String ID: 0-2766056989
                                  • Opcode ID: b9f673c4b4b88062d61f4415dbb97266696fd1b2df4fabd35d67c44607590728
                                  • Instruction ID: 3d8800e49d414ed44fec263b6c8ce0be987b1970d18c1f466ad9283dd35ef90a
                                  • Opcode Fuzzy Hash: b9f673c4b4b88062d61f4415dbb97266696fd1b2df4fabd35d67c44607590728
                                  • Instruction Fuzzy Hash: 36235A74A11228CFDB65EF35D864BADB7B2BB89304F0041E9D909673A5DB359E82CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C4287 Relevance: 3.0, Strings: 1, Instructions: 1752COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 556 50c4287-50c4290 557 50c42c4-50c42c9 556->557 558 50c4292-50c42c2 556->558 560 50c42cf-50c4350 557->560 561 50c4352-50c435a 557->561 558->557 560->561 590 50c435c 560->590 562 50c4366-50c437a 561->562 564 50c452f-50c467d 562->564 565 50c4380-50c43bc 562->565 603 50c480d-50c4821 564->603 604 50c4683-50c47d2 564->604 576 50c43ed-50c44ef 565->576 577 50c43be-50c43e6 565->577 576->564 577->576 590->562 605 50c496f-50c4983 603->605 606 50c4827-50c4934 603->606 604->603 608 50c4985-50c498b call 50c4210 605->608 609 50c49d6-50c49ea 605->609 606->605 619 50c4990-50c499b 608->619 611 50c49ec-50c49f7 609->611 612 50c4a32-50c4a46 609->612 611->612 617 50c4a4c-50c4b59 612->617 618 50c4b94-50c4ba8 612->618 617->618 620 50c4bae-50c4bc2 618->620 621 50c4cd4-50c4ce8 618->621 619->609 626 50c4bc4-50c4bcb 620->626 627 50c4bd0-50c4be4 620->627 630 50c4cee-50c4f2d 621->630 631 50c4f74-50c4f88 621->631 633 50c4c48-50c4c5c 626->633 634 50c4bef-50c4c03 627->634 635 50c4be6-50c4bed 627->635 630->631 636 50c4f8a-50c4f9b 631->636 637 50c4fe2-50c4ff6 631->637 641 50c4c5e-50c4c74 633->641 642 50c4c76-50c4c82 633->642 646 50c4c0e-50c4c22 634->646 647 50c4c05-50c4c0c 634->647 635->633 636->637 638 50c4ff8-50c4ffe 637->638 639 50c5045-50c5059 637->639 638->639 652 50c505b 639->652 653 50c50a2-50c50b6 639->653 651 50c4c8d 641->651 642->651 648 50c4c2d-50c4c41 646->648 649 50c4c24-50c4c2b 646->649 647->633 648->633 659 50c4c43-50c4c45 648->659 649->633 651->621 652->653 662 50c512d-50c5141 653->662 663 50c50b8-50c50e1 653->663 659->633 665 50c53b4-50c53c8 662->665 666 50c5147-50c5363 662->666 663->662 668 50c549e-50c54b2 665->668 669 50c53ce-50c5457 665->669 1050 50c5365 666->1050 1051 50c5367 666->1051 677 50c566f-50c5683 668->677 678 50c54b8-50c5628 668->678 669->668 680 50c5689-50c579f 677->680 681 50c57e6-50c57fa 677->681 678->677 680->681 690 50c595d-50c5971 681->690 691 50c5800-50c5916 681->691 699 50c5ad4-50c5ae8 690->699 700 50c5977-50c5a8d 690->700 691->690 705 50c5aee-50c5c04 699->705 706 50c5c4b-50c5c5f 699->706 700->699 705->706 713 50c5c65-50c5d7b 706->713 714 50c5dc2-50c5dd6 706->714 713->714 719 50c5ddc-50c5ef2 714->719 720 50c5f39-50c5f4d 714->720 719->720 726 50c60b0-50c60c4 720->726 727 50c5f53-50c6069 720->727 735 50c60ca-50c61e0 726->735 736 50c6227-50c623b 726->736 727->726 735->736 742 50c639e-50c63b2 736->742 743 50c6241-50c6357 736->743 752 50c63b8-50c63fd call 50c4278 742->752 753 50c6536-50c654a 742->753 743->742 885 50c64bd-50c64df 752->885 765 50c668d-50c66a1 753->765 766 50c6550-50c656f 753->766 779 50c67ee-50c6802 765->779 780 50c66a7-50c67a7 765->780 801 50c6614-50c6636 766->801 786 50c694f-50c6963 779->786 787 50c6808-50c6908 779->787 780->779 799 50c6969-50c6a69 786->799 800 50c6ab0-50c6ada 786->800 787->786 799->800 821 50c6b9a-50c6bae 800->821 822 50c6ae0-50c6b53 800->822 813 50c663c 801->813 814 50c6574-50c6583 801->814 813->765 824 50c663e 814->824 825 50c6589-50c65bc 814->825 836 50c6c8b-50c6c9f 821->836 837 50c6bb4-50c6c44 821->837 822->821 843 50c6643-50c668b 824->843 915 50c65be-50c65f8 825->915 916 50c6603-50c660c 825->916 845 50c6de5-50c6df9 836->845 846 50c6ca5-50c6d9e 836->846 837->836 843->765 856 50c705c-50c7070 845->856 857 50c6dff-50c6e4f 845->857 846->845 865 50c7158-50c715f 856->865 866 50c7076-50c7111 call 50c4278 * 2 856->866 977 50c6ebd-50c6ee8 857->977 978 50c6e51-50c6e77 857->978 866->865 899 50c64e5 885->899 900 50c6402-50c6411 885->900 899->753 912 50c64e7 900->912 913 50c6417-50c64b5 900->913 937 50c64ec-50c6534 912->937 913->937 1049 50c64b7 913->1049 915->916 916->843 918 50c660e 916->918 918->801 937->753 1047 50c6eee-50c6fc1 977->1047 1048 50c6fc6-50c7057 977->1048 1053 50c6eb8 978->1053 1054 50c6e79-50c6e99 978->1054 1047->856 1048->856 1049->885 1056 50c536d 1050->1056 1051->1056 1053->856 1054->1053 1056->665
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: 4146991a82013bac03f84b2c869279bf12ef74ef477f272f505d0096efb0d8a0
                                  • Instruction ID: a2381670c72c81dd57db9a8cbfa26d42d66008af892831aee1927c4b359f59b2
                                  • Opcode Fuzzy Hash: 4146991a82013bac03f84b2c869279bf12ef74ef477f272f505d0096efb0d8a0
                                  • Instruction Fuzzy Hash: 89132A74A11228CFDB25EF35D864BADB7B2BB89304F1042E9D909673A5DB359E81CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C44F1 Relevance: 2.9, Strings: 1, Instructions: 1624COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1114 50c44f1-50c467d 1135 50c480d-50c4821 1114->1135 1136 50c4683-50c47d2 1114->1136 1137 50c496f-50c4983 1135->1137 1138 50c4827-50c4934 1135->1138 1136->1135 1140 50c4985-50c498b call 50c4210 1137->1140 1141 50c49d6-50c49ea 1137->1141 1138->1137 1149 50c4990-50c499b 1140->1149 1142 50c49ec-50c49f7 1141->1142 1143 50c4a32-50c4a46 1141->1143 1142->1143 1147 50c4a4c-50c4b59 1143->1147 1148 50c4b94-50c4ba8 1143->1148 1147->1148 1150 50c4bae-50c4bc2 1148->1150 1151 50c4cd4-50c4ce8 1148->1151 1149->1141 1155 50c4bc4-50c4bcb 1150->1155 1156 50c4bd0-50c4be4 1150->1156 1159 50c4cee-50c4f2d 1151->1159 1160 50c4f74-50c4f88 1151->1160 1162 50c4c48-50c4c5c 1155->1162 1163 50c4bef-50c4c03 1156->1163 1164 50c4be6-50c4bed 1156->1164 1159->1160 1165 50c4f8a-50c4f9b 1160->1165 1166 50c4fe2-50c4ff6 1160->1166 1169 50c4c5e-50c4c74 1162->1169 1170 50c4c76-50c4c82 1162->1170 1174 50c4c0e-50c4c22 1163->1174 1175 50c4c05-50c4c0c 1163->1175 1164->1162 1165->1166 1167 50c4ff8-50c4ffe 1166->1167 1168 50c5045-50c5059 1166->1168 1167->1168 1180 50c505b 1168->1180 1181 50c50a2-50c50b6 1168->1181 1179 50c4c8d 1169->1179 1170->1179 1176 50c4c2d-50c4c41 1174->1176 1177 50c4c24-50c4c2b 1174->1177 1175->1162 1176->1162 1187 50c4c43-50c4c45 1176->1187 1177->1162 1179->1151 1180->1181 1189 50c512d-50c5141 1181->1189 1190 50c50b8-50c50e1 1181->1190 1187->1162 1192 50c53b4-50c53c8 1189->1192 1193 50c5147-50c5363 1189->1193 1190->1189 1195 50c549e-50c54b2 1192->1195 1196 50c53ce-50c5457 1192->1196 1574 50c5365 1193->1574 1575 50c5367 1193->1575 1203 50c566f-50c5683 1195->1203 1204 50c54b8-50c5628 1195->1204 1196->1195 1206 50c5689-50c579f 1203->1206 1207 50c57e6-50c57fa 1203->1207 1204->1203 1206->1207 1215 50c595d-50c5971 1207->1215 1216 50c5800-50c5916 1207->1216 1223 50c5ad4-50c5ae8 1215->1223 1224 50c5977-50c5a8d 1215->1224 1216->1215 1229 50c5aee-50c5c04 1223->1229 1230 50c5c4b-50c5c5f 1223->1230 1224->1223 1229->1230 1237 50c5c65-50c5d7b 1230->1237 1238 50c5dc2-50c5dd6 1230->1238 1237->1238 1243 50c5ddc-50c5ef2 1238->1243 1244 50c5f39-50c5f4d 1238->1244 1243->1244 1250 50c60b0-50c60c4 1244->1250 1251 50c5f53-50c6069 1244->1251 1259 50c60ca-50c61e0 1250->1259 1260 50c6227-50c623b 1250->1260 1251->1250 1259->1260 1266 50c639e-50c63b2 1260->1266 1267 50c6241-50c6357 1260->1267 1276 50c63b8-50c63fd call 50c4278 1266->1276 1277 50c6536-50c654a 1266->1277 1267->1266 1409 50c64bd-50c64df 1276->1409 1289 50c668d-50c66a1 1277->1289 1290 50c6550-50c656f 1277->1290 1303 50c67ee-50c6802 1289->1303 1304 50c66a7-50c67a7 1289->1304 1325 50c6614-50c6636 1290->1325 1310 50c694f-50c6963 1303->1310 1311 50c6808-50c6908 1303->1311 1304->1303 1323 50c6969-50c6a69 1310->1323 1324 50c6ab0-50c6ada 1310->1324 1311->1310 1323->1324 1345 50c6b9a-50c6bae 1324->1345 1346 50c6ae0-50c6b53 1324->1346 1337 50c663c 1325->1337 1338 50c6574-50c6583 1325->1338 1337->1289 1348 50c663e 1338->1348 1349 50c6589-50c65bc 1338->1349 1360 50c6c8b-50c6c9f 1345->1360 1361 50c6bb4-50c6c44 1345->1361 1346->1345 1367 50c6643-50c668b 1348->1367 1439 50c65be-50c65f8 1349->1439 1440 50c6603-50c660c 1349->1440 1369 50c6de5-50c6df9 1360->1369 1370 50c6ca5-50c6d9e 1360->1370 1361->1360 1367->1289 1380 50c705c-50c7070 1369->1380 1381 50c6dff-50c6e4f 1369->1381 1370->1369 1389 50c7158-50c715f 1380->1389 1390 50c7076-50c7111 call 50c4278 * 2 1380->1390 1501 50c6ebd-50c6ee8 1381->1501 1502 50c6e51-50c6e77 1381->1502 1390->1389 1423 50c64e5 1409->1423 1424 50c6402-50c6411 1409->1424 1423->1277 1436 50c64e7 1424->1436 1437 50c6417-50c64b5 1424->1437 1461 50c64ec-50c6534 1436->1461 1437->1461 1573 50c64b7 1437->1573 1439->1440 1440->1367 1442 50c660e 1440->1442 1442->1325 1461->1277 1571 50c6eee-50c6fc1 1501->1571 1572 50c6fc6-50c7057 1501->1572 1577 50c6eb8 1502->1577 1578 50c6e79-50c6e99 1502->1578 1571->1380 1572->1380 1573->1409 1580 50c536d 1574->1580 1575->1580 1577->1380 1578->1577 1580->1192
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: e9c2e22f6a22e869856a139721a590b377f76cca67291c467d9f62dddafe8d2a
                                  • Instruction ID: e3d335b51d7a431ebad5fda77f9ba333da9e5d968c94d6b5b8f01ac51e238c2a
                                  • Opcode Fuzzy Hash: e9c2e22f6a22e869856a139721a590b377f76cca67291c467d9f62dddafe8d2a
                                  • Instruction Fuzzy Hash: C9033B74A11228CFDB25EB35D864BADB7B2FB89304F1042E9D909673A5DB359E81CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C4544 Relevance: 2.9, Strings: 1, Instructions: 1618COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1638 50c4544-50c467d 1656 50c480d-50c4821 1638->1656 1657 50c4683-50c47d2 1638->1657 1658 50c496f-50c4983 1656->1658 1659 50c4827-50c4934 1656->1659 1657->1656 1661 50c4985-50c498b call 50c4210 1658->1661 1662 50c49d6-50c49ea 1658->1662 1659->1658 1670 50c4990-50c499b 1661->1670 1663 50c49ec-50c49f7 1662->1663 1664 50c4a32-50c4a46 1662->1664 1663->1664 1668 50c4a4c-50c4b59 1664->1668 1669 50c4b94-50c4ba8 1664->1669 1668->1669 1671 50c4bae-50c4bc2 1669->1671 1672 50c4cd4-50c4ce8 1669->1672 1670->1662 1676 50c4bc4-50c4bcb 1671->1676 1677 50c4bd0-50c4be4 1671->1677 1680 50c4cee-50c4f2d 1672->1680 1681 50c4f74-50c4f88 1672->1681 1683 50c4c48-50c4c5c 1676->1683 1684 50c4bef-50c4c03 1677->1684 1685 50c4be6-50c4bed 1677->1685 1680->1681 1686 50c4f8a-50c4f9b 1681->1686 1687 50c4fe2-50c4ff6 1681->1687 1690 50c4c5e-50c4c74 1683->1690 1691 50c4c76-50c4c82 1683->1691 1695 50c4c0e-50c4c22 1684->1695 1696 50c4c05-50c4c0c 1684->1696 1685->1683 1686->1687 1688 50c4ff8-50c4ffe 1687->1688 1689 50c5045-50c5059 1687->1689 1688->1689 1701 50c505b 1689->1701 1702 50c50a2-50c50b6 1689->1702 1700 50c4c8d 1690->1700 1691->1700 1697 50c4c2d-50c4c41 1695->1697 1698 50c4c24-50c4c2b 1695->1698 1696->1683 1697->1683 1708 50c4c43-50c4c45 1697->1708 1698->1683 1700->1672 1701->1702 1710 50c512d-50c5141 1702->1710 1711 50c50b8-50c50e1 1702->1711 1708->1683 1713 50c53b4-50c53c8 1710->1713 1714 50c5147-50c5363 1710->1714 1711->1710 1716 50c549e-50c54b2 1713->1716 1717 50c53ce-50c5457 1713->1717 2095 50c5365 1714->2095 2096 50c5367 1714->2096 1724 50c566f-50c5683 1716->1724 1725 50c54b8-50c5628 1716->1725 1717->1716 1727 50c5689-50c579f 1724->1727 1728 50c57e6-50c57fa 1724->1728 1725->1724 1727->1728 1736 50c595d-50c5971 1728->1736 1737 50c5800-50c5916 1728->1737 1744 50c5ad4-50c5ae8 1736->1744 1745 50c5977-50c5a8d 1736->1745 1737->1736 1750 50c5aee-50c5c04 1744->1750 1751 50c5c4b-50c5c5f 1744->1751 1745->1744 1750->1751 1758 50c5c65-50c5d7b 1751->1758 1759 50c5dc2-50c5dd6 1751->1759 1758->1759 1764 50c5ddc-50c5ef2 1759->1764 1765 50c5f39-50c5f4d 1759->1765 1764->1765 1771 50c60b0-50c60c4 1765->1771 1772 50c5f53-50c6069 1765->1772 1780 50c60ca-50c61e0 1771->1780 1781 50c6227-50c623b 1771->1781 1772->1771 1780->1781 1787 50c639e-50c63b2 1781->1787 1788 50c6241-50c6357 1781->1788 1797 50c63b8-50c63fd call 50c4278 1787->1797 1798 50c6536-50c654a 1787->1798 1788->1787 1930 50c64bd-50c64df 1797->1930 1810 50c668d-50c66a1 1798->1810 1811 50c6550-50c656f 1798->1811 1824 50c67ee-50c6802 1810->1824 1825 50c66a7-50c67a7 1810->1825 1846 50c6614-50c6636 1811->1846 1831 50c694f-50c6963 1824->1831 1832 50c6808-50c6908 1824->1832 1825->1824 1844 50c6969-50c6a69 1831->1844 1845 50c6ab0-50c6ada 1831->1845 1832->1831 1844->1845 1866 50c6b9a-50c6bae 1845->1866 1867 50c6ae0-50c6b53 1845->1867 1858 50c663c 1846->1858 1859 50c6574-50c6583 1846->1859 1858->1810 1869 50c663e 1859->1869 1870 50c6589-50c65bc 1859->1870 1881 50c6c8b-50c6c9f 1866->1881 1882 50c6bb4-50c6c44 1866->1882 1867->1866 1888 50c6643-50c668b 1869->1888 1960 50c65be-50c65f8 1870->1960 1961 50c6603-50c660c 1870->1961 1890 50c6de5-50c6df9 1881->1890 1891 50c6ca5-50c6d9e 1881->1891 1882->1881 1888->1810 1901 50c705c-50c7070 1890->1901 1902 50c6dff-50c6e4f 1890->1902 1891->1890 1910 50c7158-50c715f 1901->1910 1911 50c7076-50c7111 call 50c4278 * 2 1901->1911 2022 50c6ebd-50c6ee8 1902->2022 2023 50c6e51-50c6e77 1902->2023 1911->1910 1944 50c64e5 1930->1944 1945 50c6402-50c6411 1930->1945 1944->1798 1957 50c64e7 1945->1957 1958 50c6417-50c64b5 1945->1958 1982 50c64ec-50c6534 1957->1982 1958->1982 2094 50c64b7 1958->2094 1960->1961 1961->1888 1963 50c660e 1961->1963 1963->1846 1982->1798 2092 50c6eee-50c6fc1 2022->2092 2093 50c6fc6-50c7057 2022->2093 2098 50c6eb8 2023->2098 2099 50c6e79-50c6e99 2023->2099 2092->1901 2093->1901 2094->1930 2101 50c536d 2095->2101 2096->2101 2098->1901 2099->2098 2101->1713
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: 5b2ad6d8a6b62ea780302cce48cfaa10e639e084ad1a5d75867dc62e6f7f9eef
                                  • Instruction ID: 891dc077a05694a8f9c805a2dbd1a3301393b7b20d1816ef1147977ba8d9b723
                                  • Opcode Fuzzy Hash: 5b2ad6d8a6b62ea780302cce48cfaa10e639e084ad1a5d75867dc62e6f7f9eef
                                  • Instruction Fuzzy Hash: 02033B74A11228CFDB25EF35D864BADB7B2BB89304F1042E9D909673A5DB359E81CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C4630 Relevance: 2.8, Strings: 1, Instructions: 1579COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 2159 50c4630-50c467d 2166 50c480d-50c4821 2159->2166 2167 50c4683-50c47d2 2159->2167 2168 50c496f-50c4983 2166->2168 2169 50c4827-50c4934 2166->2169 2167->2166 2171 50c4985-50c498b call 50c4210 2168->2171 2172 50c49d6-50c49ea 2168->2172 2169->2168 2180 50c4990-50c499b 2171->2180 2173 50c49ec-50c49f7 2172->2173 2174 50c4a32-50c4a46 2172->2174 2173->2174 2178 50c4a4c-50c4b59 2174->2178 2179 50c4b94-50c4ba8 2174->2179 2178->2179 2181 50c4bae-50c4bc2 2179->2181 2182 50c4cd4-50c4ce8 2179->2182 2180->2172 2186 50c4bc4-50c4bcb 2181->2186 2187 50c4bd0-50c4be4 2181->2187 2190 50c4cee-50c4f2d 2182->2190 2191 50c4f74-50c4f88 2182->2191 2193 50c4c48-50c4c5c 2186->2193 2194 50c4bef-50c4c03 2187->2194 2195 50c4be6-50c4bed 2187->2195 2190->2191 2196 50c4f8a-50c4f9b 2191->2196 2197 50c4fe2-50c4ff6 2191->2197 2200 50c4c5e-50c4c74 2193->2200 2201 50c4c76-50c4c82 2193->2201 2205 50c4c0e-50c4c22 2194->2205 2206 50c4c05-50c4c0c 2194->2206 2195->2193 2196->2197 2198 50c4ff8-50c4ffe 2197->2198 2199 50c5045-50c5059 2197->2199 2198->2199 2211 50c505b 2199->2211 2212 50c50a2-50c50b6 2199->2212 2210 50c4c8d 2200->2210 2201->2210 2207 50c4c2d-50c4c41 2205->2207 2208 50c4c24-50c4c2b 2205->2208 2206->2193 2207->2193 2218 50c4c43-50c4c45 2207->2218 2208->2193 2210->2182 2211->2212 2220 50c512d-50c5141 2212->2220 2221 50c50b8-50c50e1 2212->2221 2218->2193 2223 50c53b4-50c53c8 2220->2223 2224 50c5147-50c5363 2220->2224 2221->2220 2226 50c549e-50c54b2 2223->2226 2227 50c53ce-50c5457 2223->2227 2605 50c5365 2224->2605 2606 50c5367 2224->2606 2234 50c566f-50c5683 2226->2234 2235 50c54b8-50c5628 2226->2235 2227->2226 2237 50c5689-50c579f 2234->2237 2238 50c57e6-50c57fa 2234->2238 2235->2234 2237->2238 2246 50c595d-50c5971 2238->2246 2247 50c5800-50c5916 2238->2247 2254 50c5ad4-50c5ae8 2246->2254 2255 50c5977-50c5a8d 2246->2255 2247->2246 2260 50c5aee-50c5c04 2254->2260 2261 50c5c4b-50c5c5f 2254->2261 2255->2254 2260->2261 2268 50c5c65-50c5d7b 2261->2268 2269 50c5dc2-50c5dd6 2261->2269 2268->2269 2274 50c5ddc-50c5ef2 2269->2274 2275 50c5f39-50c5f4d 2269->2275 2274->2275 2281 50c60b0-50c60c4 2275->2281 2282 50c5f53-50c6069 2275->2282 2290 50c60ca-50c61e0 2281->2290 2291 50c6227-50c623b 2281->2291 2282->2281 2290->2291 2297 50c639e-50c63b2 2291->2297 2298 50c6241-50c6357 2291->2298 2307 50c63b8-50c63fd call 50c4278 2297->2307 2308 50c6536-50c654a 2297->2308 2298->2297 2440 50c64bd-50c64df 2307->2440 2320 50c668d-50c66a1 2308->2320 2321 50c6550-50c656f 2308->2321 2334 50c67ee-50c6802 2320->2334 2335 50c66a7-50c67a7 2320->2335 2356 50c6614-50c6636 2321->2356 2341 50c694f-50c6963 2334->2341 2342 50c6808-50c6908 2334->2342 2335->2334 2354 50c6969-50c6a69 2341->2354 2355 50c6ab0-50c6ada 2341->2355 2342->2341 2354->2355 2376 50c6b9a-50c6bae 2355->2376 2377 50c6ae0-50c6b53 2355->2377 2368 50c663c 2356->2368 2369 50c6574-50c6583 2356->2369 2368->2320 2379 50c663e 2369->2379 2380 50c6589-50c65bc 2369->2380 2391 50c6c8b-50c6c9f 2376->2391 2392 50c6bb4-50c6c44 2376->2392 2377->2376 2398 50c6643-50c668b 2379->2398 2470 50c65be-50c65f8 2380->2470 2471 50c6603-50c660c 2380->2471 2400 50c6de5-50c6df9 2391->2400 2401 50c6ca5-50c6d9e 2391->2401 2392->2391 2398->2320 2411 50c705c-50c7070 2400->2411 2412 50c6dff-50c6e4f 2400->2412 2401->2400 2420 50c7158-50c715f 2411->2420 2421 50c7076-50c7111 call 50c4278 * 2 2411->2421 2532 50c6ebd-50c6ee8 2412->2532 2533 50c6e51-50c6e77 2412->2533 2421->2420 2454 50c64e5 2440->2454 2455 50c6402-50c6411 2440->2455 2454->2308 2467 50c64e7 2455->2467 2468 50c6417-50c64b5 2455->2468 2492 50c64ec-50c6534 2467->2492 2468->2492 2604 50c64b7 2468->2604 2470->2471 2471->2398 2473 50c660e 2471->2473 2473->2356 2492->2308 2602 50c6eee-50c6fc1 2532->2602 2603 50c6fc6-50c7057 2532->2603 2608 50c6eb8 2533->2608 2609 50c6e79-50c6e99 2533->2609 2602->2411 2603->2411 2604->2440 2611 50c536d 2605->2611 2606->2611 2608->2411 2609->2608 2611->2223
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: cecb47df08a257da3f976ac1c9b0a9cd07a5a3c6963a6bc71c440b212f2347ab
                                  • Instruction ID: ecf54508afa0e4051e53d53626a8ba90e08e2739c7fd2041e7886bc8a6fcbc29
                                  • Opcode Fuzzy Hash: cecb47df08a257da3f976ac1c9b0a9cd07a5a3c6963a6bc71c440b212f2347ab
                                  • Instruction Fuzzy Hash: 8C033A74A11228CFDB25EF35D864BADB7B1BB89304F1042EAD909673A5DB359E81CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C470F Relevance: 2.8, Strings: 1, Instructions: 1544COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 2669 50c470f-50c4821 2683 50c496f-50c4983 2669->2683 2684 50c4827-50c4934 2669->2684 2685 50c4985-50c498b call 50c4210 2683->2685 2686 50c49d6-50c49ea 2683->2686 2684->2683 2693 50c4990-50c499b 2685->2693 2687 50c49ec-50c49f7 2686->2687 2688 50c4a32-50c4a46 2686->2688 2687->2688 2691 50c4a4c-50c4b59 2688->2691 2692 50c4b94-50c4ba8 2688->2692 2691->2692 2694 50c4bae-50c4bc2 2692->2694 2695 50c4cd4-50c4ce8 2692->2695 2693->2686 2699 50c4bc4-50c4bcb 2694->2699 2700 50c4bd0-50c4be4 2694->2700 2702 50c4cee-50c4f2d 2695->2702 2703 50c4f74-50c4f88 2695->2703 2705 50c4c48-50c4c5c 2699->2705 2706 50c4bef-50c4c03 2700->2706 2707 50c4be6-50c4bed 2700->2707 2702->2703 2708 50c4f8a-50c4f9b 2703->2708 2709 50c4fe2-50c4ff6 2703->2709 2712 50c4c5e-50c4c74 2705->2712 2713 50c4c76-50c4c82 2705->2713 2716 50c4c0e-50c4c22 2706->2716 2717 50c4c05-50c4c0c 2706->2717 2707->2705 2708->2709 2710 50c4ff8-50c4ffe 2709->2710 2711 50c5045-50c5059 2709->2711 2710->2711 2722 50c505b 2711->2722 2723 50c50a2-50c50b6 2711->2723 2721 50c4c8d 2712->2721 2713->2721 2718 50c4c2d-50c4c41 2716->2718 2719 50c4c24-50c4c2b 2716->2719 2717->2705 2718->2705 2725 50c4c43-50c4c45 2718->2725 2719->2705 2721->2695 2722->2723 2727 50c512d-50c5141 2723->2727 2728 50c50b8-50c50e1 2723->2728 2725->2705 2732 50c53b4-50c53c8 2727->2732 2733 50c5147-50c5363 2727->2733 2728->2727 2737 50c549e-50c54b2 2732->2737 2738 50c53ce-50c5457 2732->2738 3107 50c5365 2733->3107 3108 50c5367 2733->3108 2743 50c566f-50c5683 2737->2743 2744 50c54b8-50c5628 2737->2744 2738->2737 2746 50c5689-50c579f 2743->2746 2747 50c57e6-50c57fa 2743->2747 2744->2743 2746->2747 2754 50c595d-50c5971 2747->2754 2755 50c5800-50c5916 2747->2755 2761 50c5ad4-50c5ae8 2754->2761 2762 50c5977-50c5a8d 2754->2762 2755->2754 2766 50c5aee-50c5c04 2761->2766 2767 50c5c4b-50c5c5f 2761->2767 2762->2761 2766->2767 2773 50c5c65-50c5d7b 2767->2773 2774 50c5dc2-50c5dd6 2767->2774 2773->2774 2777 50c5ddc-50c5ef2 2774->2777 2778 50c5f39-50c5f4d 2774->2778 2777->2778 2786 50c60b0-50c60c4 2778->2786 2787 50c5f53-50c6069 2778->2787 2795 50c60ca-50c61e0 2786->2795 2796 50c6227-50c623b 2786->2796 2787->2786 2795->2796 2801 50c639e-50c63b2 2796->2801 2802 50c6241-50c6357 2796->2802 2811 50c63b8-50c63fd call 50c4278 2801->2811 2812 50c6536-50c654a 2801->2812 2802->2801 2942 50c64bd-50c64df 2811->2942 2823 50c668d-50c66a1 2812->2823 2824 50c6550-50c656f 2812->2824 2836 50c67ee-50c6802 2823->2836 2837 50c66a7-50c67a7 2823->2837 2858 50c6614-50c6636 2824->2858 2843 50c694f-50c6963 2836->2843 2844 50c6808-50c6908 2836->2844 2837->2836 2856 50c6969-50c6a69 2843->2856 2857 50c6ab0-50c6ada 2843->2857 2844->2843 2856->2857 2878 50c6b9a-50c6bae 2857->2878 2879 50c6ae0-50c6b53 2857->2879 2870 50c663c 2858->2870 2871 50c6574-50c6583 2858->2871 2870->2823 2881 50c663e 2871->2881 2882 50c6589-50c65bc 2871->2882 2893 50c6c8b-50c6c9f 2878->2893 2894 50c6bb4-50c6c44 2878->2894 2879->2878 2900 50c6643-50c668b 2881->2900 2972 50c65be-50c65f8 2882->2972 2973 50c6603-50c660c 2882->2973 2902 50c6de5-50c6df9 2893->2902 2903 50c6ca5-50c6d9e 2893->2903 2894->2893 2900->2823 2913 50c705c-50c7070 2902->2913 2914 50c6dff-50c6e4f 2902->2914 2903->2902 2922 50c7158-50c715f 2913->2922 2923 50c7076-50c7111 call 50c4278 * 2 2913->2923 3034 50c6ebd-50c6ee8 2914->3034 3035 50c6e51-50c6e77 2914->3035 2923->2922 2956 50c64e5 2942->2956 2957 50c6402-50c6411 2942->2957 2956->2812 2969 50c64e7 2957->2969 2970 50c6417-50c64b5 2957->2970 2994 50c64ec-50c6534 2969->2994 2970->2994 3106 50c64b7 2970->3106 2972->2973 2973->2900 2975 50c660e 2973->2975 2975->2858 2994->2812 3104 50c6eee-50c6fc1 3034->3104 3105 50c6fc6-50c7057 3034->3105 3110 50c6eb8 3035->3110 3111 50c6e79-50c6e99 3035->3111 3104->2913 3105->2913 3106->2942 3113 50c536d 3107->3113 3108->3113 3110->2913 3111->3110 3113->2732
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: adc294e01d1282735f12e2e854fcb7333a26101a3e543d707b2d8d6b5a4212e2
                                  • Instruction ID: c42e18cc0b40660d091387fb3ee1ec788a1adbf84ef5fa12c7ec6bb899bb02a6
                                  • Opcode Fuzzy Hash: adc294e01d1282735f12e2e854fcb7333a26101a3e543d707b2d8d6b5a4212e2
                                  • Instruction Fuzzy Hash: FFF23A74A11228CFDB25EF35D864BADB7B1BB89304F1042EAD909673A5DB359E81CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C47D4 Relevance: 2.8, Strings: 1, Instructions: 1513COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3171 50c47d4-50c4821 3178 50c496f-50c4983 3171->3178 3179 50c4827-50c4934 3171->3179 3180 50c4985-50c498b call 50c4210 3178->3180 3181 50c49d6-50c49ea 3178->3181 3179->3178 3188 50c4990-50c499b 3180->3188 3182 50c49ec-50c49f7 3181->3182 3183 50c4a32-50c4a46 3181->3183 3182->3183 3186 50c4a4c-50c4b59 3183->3186 3187 50c4b94-50c4ba8 3183->3187 3186->3187 3189 50c4bae-50c4bc2 3187->3189 3190 50c4cd4-50c4ce8 3187->3190 3188->3181 3194 50c4bc4-50c4bcb 3189->3194 3195 50c4bd0-50c4be4 3189->3195 3197 50c4cee-50c4f2d 3190->3197 3198 50c4f74-50c4f88 3190->3198 3200 50c4c48-50c4c5c 3194->3200 3201 50c4bef-50c4c03 3195->3201 3202 50c4be6-50c4bed 3195->3202 3197->3198 3203 50c4f8a-50c4f9b 3198->3203 3204 50c4fe2-50c4ff6 3198->3204 3207 50c4c5e-50c4c74 3200->3207 3208 50c4c76-50c4c82 3200->3208 3211 50c4c0e-50c4c22 3201->3211 3212 50c4c05-50c4c0c 3201->3212 3202->3200 3203->3204 3205 50c4ff8-50c4ffe 3204->3205 3206 50c5045-50c5059 3204->3206 3205->3206 3217 50c505b 3206->3217 3218 50c50a2-50c50b6 3206->3218 3216 50c4c8d 3207->3216 3208->3216 3213 50c4c2d-50c4c41 3211->3213 3214 50c4c24-50c4c2b 3211->3214 3212->3200 3213->3200 3220 50c4c43-50c4c45 3213->3220 3214->3200 3216->3190 3217->3218 3222 50c512d-50c5141 3218->3222 3223 50c50b8-50c50e1 3218->3223 3220->3200 3227 50c53b4-50c53c8 3222->3227 3228 50c5147-50c5363 3222->3228 3223->3222 3232 50c549e-50c54b2 3227->3232 3233 50c53ce-50c5457 3227->3233 3602 50c5365 3228->3602 3603 50c5367 3228->3603 3238 50c566f-50c5683 3232->3238 3239 50c54b8-50c5628 3232->3239 3233->3232 3241 50c5689-50c579f 3238->3241 3242 50c57e6-50c57fa 3238->3242 3239->3238 3241->3242 3249 50c595d-50c5971 3242->3249 3250 50c5800-50c5916 3242->3250 3256 50c5ad4-50c5ae8 3249->3256 3257 50c5977-50c5a8d 3249->3257 3250->3249 3261 50c5aee-50c5c04 3256->3261 3262 50c5c4b-50c5c5f 3256->3262 3257->3256 3261->3262 3268 50c5c65-50c5d7b 3262->3268 3269 50c5dc2-50c5dd6 3262->3269 3268->3269 3272 50c5ddc-50c5ef2 3269->3272 3273 50c5f39-50c5f4d 3269->3273 3272->3273 3281 50c60b0-50c60c4 3273->3281 3282 50c5f53-50c6069 3273->3282 3290 50c60ca-50c61e0 3281->3290 3291 50c6227-50c623b 3281->3291 3282->3281 3290->3291 3296 50c639e-50c63b2 3291->3296 3297 50c6241-50c6357 3291->3297 3306 50c63b8-50c63fd call 50c4278 3296->3306 3307 50c6536-50c654a 3296->3307 3297->3296 3437 50c64bd-50c64df 3306->3437 3318 50c668d-50c66a1 3307->3318 3319 50c6550-50c656f 3307->3319 3331 50c67ee-50c6802 3318->3331 3332 50c66a7-50c67a7 3318->3332 3353 50c6614-50c6636 3319->3353 3338 50c694f-50c6963 3331->3338 3339 50c6808-50c6908 3331->3339 3332->3331 3351 50c6969-50c6a69 3338->3351 3352 50c6ab0-50c6ada 3338->3352 3339->3338 3351->3352 3373 50c6b9a-50c6bae 3352->3373 3374 50c6ae0-50c6b53 3352->3374 3365 50c663c 3353->3365 3366 50c6574-50c6583 3353->3366 3365->3318 3376 50c663e 3366->3376 3377 50c6589-50c65bc 3366->3377 3388 50c6c8b-50c6c9f 3373->3388 3389 50c6bb4-50c6c44 3373->3389 3374->3373 3395 50c6643-50c668b 3376->3395 3467 50c65be-50c65f8 3377->3467 3468 50c6603-50c660c 3377->3468 3397 50c6de5-50c6df9 3388->3397 3398 50c6ca5-50c6d9e 3388->3398 3389->3388 3395->3318 3408 50c705c-50c7070 3397->3408 3409 50c6dff-50c6e4f 3397->3409 3398->3397 3417 50c7158-50c715f 3408->3417 3418 50c7076-50c7111 call 50c4278 * 2 3408->3418 3529 50c6ebd-50c6ee8 3409->3529 3530 50c6e51-50c6e77 3409->3530 3418->3417 3451 50c64e5 3437->3451 3452 50c6402-50c6411 3437->3452 3451->3307 3464 50c64e7 3452->3464 3465 50c6417-50c64b5 3452->3465 3489 50c64ec-50c6534 3464->3489 3465->3489 3601 50c64b7 3465->3601 3467->3468 3468->3395 3470 50c660e 3468->3470 3470->3353 3489->3307 3599 50c6eee-50c6fc1 3529->3599 3600 50c6fc6-50c7057 3529->3600 3605 50c6eb8 3530->3605 3606 50c6e79-50c6e99 3530->3606 3599->3408 3600->3408 3601->3437 3608 50c536d 3602->3608 3603->3608 3605->3408 3606->3605 3608->3227
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: 9bdba4688c32581bab708038503fd529a62a5cb198e3b1885de102da56ea88a7
                                  • Instruction ID: d178bfe20ecf5fc84c95b6d68649aada23d80fa224f99efb5781ad518c43dae2
                                  • Opcode Fuzzy Hash: 9bdba4688c32581bab708038503fd529a62a5cb198e3b1885de102da56ea88a7
                                  • Instruction Fuzzy Hash: 34F24B74A11228CFDB25EF35D864BADB7B1BB89304F1042EAD909673A5DB359E81CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C4936 Relevance: 2.7, Strings: 1, Instructions: 1456COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3666 50c4936-50c4983 3673 50c4985-50c498b call 50c4210 3666->3673 3674 50c49d6-50c49ea 3666->3674 3680 50c4990-50c499b 3673->3680 3675 50c49ec-50c49f7 3674->3675 3676 50c4a32-50c4a46 3674->3676 3675->3676 3678 50c4a4c-50c4b59 3676->3678 3679 50c4b94-50c4ba8 3676->3679 3678->3679 3681 50c4bae-50c4bc2 3679->3681 3682 50c4cd4-50c4ce8 3679->3682 3680->3674 3685 50c4bc4-50c4bcb 3681->3685 3686 50c4bd0-50c4be4 3681->3686 3688 50c4cee-50c4f2d 3682->3688 3689 50c4f74-50c4f88 3682->3689 3690 50c4c48-50c4c5c 3685->3690 3691 50c4bef-50c4c03 3686->3691 3692 50c4be6-50c4bed 3686->3692 3688->3689 3693 50c4f8a-50c4f9b 3689->3693 3694 50c4fe2-50c4ff6 3689->3694 3697 50c4c5e-50c4c74 3690->3697 3698 50c4c76-50c4c82 3690->3698 3701 50c4c0e-50c4c22 3691->3701 3702 50c4c05-50c4c0c 3691->3702 3692->3690 3693->3694 3695 50c4ff8-50c4ffe 3694->3695 3696 50c5045-50c5059 3694->3696 3695->3696 3706 50c505b 3696->3706 3707 50c50a2-50c50b6 3696->3707 3705 50c4c8d 3697->3705 3698->3705 3703 50c4c2d-50c4c41 3701->3703 3704 50c4c24-50c4c2b 3701->3704 3702->3690 3703->3690 3709 50c4c43-50c4c45 3703->3709 3704->3690 3705->3682 3706->3707 3711 50c512d-50c5141 3707->3711 3712 50c50b8-50c50e1 3707->3712 3709->3690 3716 50c53b4-50c53c8 3711->3716 3717 50c5147-50c5363 3711->3717 3712->3711 3720 50c549e-50c54b2 3716->3720 3721 50c53ce-50c5457 3716->3721 4081 50c5365 3717->4081 4082 50c5367 3717->4082 3725 50c566f-50c5683 3720->3725 3726 50c54b8-50c5628 3720->3726 3721->3720 3728 50c5689-50c579f 3725->3728 3729 50c57e6-50c57fa 3725->3729 3726->3725 3728->3729 3735 50c595d-50c5971 3729->3735 3736 50c5800-50c5916 3729->3736 3742 50c5ad4-50c5ae8 3735->3742 3743 50c5977-50c5a8d 3735->3743 3736->3735 3746 50c5aee-50c5c04 3742->3746 3747 50c5c4b-50c5c5f 3742->3747 3743->3742 3746->3747 3753 50c5c65-50c5d7b 3747->3753 3754 50c5dc2-50c5dd6 3747->3754 3753->3754 3757 50c5ddc-50c5ef2 3754->3757 3758 50c5f39-50c5f4d 3754->3758 3757->3758 3764 50c60b0-50c60c4 3758->3764 3765 50c5f53-50c6069 3758->3765 3773 50c60ca-50c61e0 3764->3773 3774 50c6227-50c623b 3764->3774 3765->3764 3773->3774 3779 50c639e-50c63b2 3774->3779 3780 50c6241-50c6357 3774->3780 3789 50c63b8-50c63fd call 50c4278 3779->3789 3790 50c6536-50c654a 3779->3790 3780->3779 3916 50c64bd-50c64df 3789->3916 3800 50c668d-50c66a1 3790->3800 3801 50c6550-50c656f 3790->3801 3812 50c67ee-50c6802 3800->3812 3813 50c66a7-50c67a7 3800->3813 3833 50c6614-50c6636 3801->3833 3818 50c694f-50c6963 3812->3818 3819 50c6808-50c6908 3812->3819 3813->3812 3831 50c6969-50c6a69 3818->3831 3832 50c6ab0-50c6ada 3818->3832 3819->3818 3831->3832 3852 50c6b9a-50c6bae 3832->3852 3853 50c6ae0-50c6b53 3832->3853 3844 50c663c 3833->3844 3845 50c6574-50c6583 3833->3845 3844->3800 3855 50c663e 3845->3855 3856 50c6589-50c65bc 3845->3856 3867 50c6c8b-50c6c9f 3852->3867 3868 50c6bb4-50c6c44 3852->3868 3853->3852 3874 50c6643-50c668b 3855->3874 3946 50c65be-50c65f8 3856->3946 3947 50c6603-50c660c 3856->3947 3876 50c6de5-50c6df9 3867->3876 3877 50c6ca5-50c6d9e 3867->3877 3868->3867 3874->3800 3887 50c705c-50c7070 3876->3887 3888 50c6dff-50c6e4f 3876->3888 3877->3876 3896 50c7158-50c715f 3887->3896 3897 50c7076-50c7111 call 50c4278 * 2 3887->3897 4008 50c6ebd-50c6ee8 3888->4008 4009 50c6e51-50c6e77 3888->4009 3897->3896 3930 50c64e5 3916->3930 3931 50c6402-50c6411 3916->3931 3930->3790 3943 50c64e7 3931->3943 3944 50c6417-50c64b5 3931->3944 3968 50c64ec-50c6534 3943->3968 3944->3968 4080 50c64b7 3944->4080 3946->3947 3947->3874 3949 50c660e 3947->3949 3949->3833 3968->3790 4078 50c6eee-50c6fc1 4008->4078 4079 50c6fc6-50c7057 4008->4079 4084 50c6eb8 4009->4084 4085 50c6e79-50c6e99 4009->4085 4078->3887 4079->3887 4080->3916 4087 50c536d 4081->4087 4082->4087 4084->3887 4085->4084 4087->3716
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: ce5ebe08c588295e7e9457f747ca36523e4b147b8ae1d868cd5ec184492488ba
                                  • Instruction ID: 4775368d85e9fbb4e0e846e8f49ad46073dea62924dfba7e7459dedaa16eb746
                                  • Opcode Fuzzy Hash: ce5ebe08c588295e7e9457f747ca36523e4b147b8ae1d868cd5ec184492488ba
                                  • Instruction Fuzzy Hash: 60F24B74A11228CFDB25EF35D864BADB7B1BB89304F1042EAD909673A5DB359E81CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 05232497 Relevance: 1.6, APIs: 1, Instructions: 75COMMON
                                  Download Yara Rule
                                  APIs
                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05232517
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: AdjustPrivilegesToken
                                  • String ID:
                                  • API String ID: 2874748243-0
                                  • Opcode ID: d4f0b004fca9dced54d99527c43bd7fa17b2a5c27b9c0302a44ead478fd6662e
                                  • Instruction ID: cacdc575984cace7a3469e320c52907310c6098f1d40175c334f2b6f6732887d
                                  • Opcode Fuzzy Hash: d4f0b004fca9dced54d99527c43bd7fa17b2a5c27b9c0302a44ead478fd6662e
                                  • Instruction Fuzzy Hash: AB21BFB55093809FDB128F25DC41B62BFB8FF06310F08849AE9898B563D230E908CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 052324CE Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                  Download Yara Rule
                                  APIs
                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05232517
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: AdjustPrivilegesToken
                                  • String ID:
                                  • API String ID: 2874748243-0
                                  • Opcode ID: 22126f2ab41dfc951f475edfdcb8a9ee8ef5ebd63e5f37e86c89861d3c90fc39
                                  • Instruction ID: de4e764382be48cd7ecba3052cc16660ac0e6f2951e4c8c40b01fe4e3f4afc8c
                                  • Opcode Fuzzy Hash: 22126f2ab41dfc951f475edfdcb8a9ee8ef5ebd63e5f37e86c89861d3c90fc39
                                  • Instruction Fuzzy Hash: 5111A075510200DFDB20CF15D885B62FBE9FF14320F08C8AAED4A8B652D375E518CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 05231F6E Relevance: 1.6, APIs: 1, Instructions: 130registryCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4145 5231f6e-5232026 4149 523202b-5232037 4145->4149 4150 5232028 4145->4150 4151 5232039 4149->4151 4152 523203c-5232045 4149->4152 4150->4149 4151->4152 4153 5232047 4152->4153 4154 523204a-5232061 4152->4154 4153->4154 4156 52320a3-52320a8 4154->4156 4157 5232063-5232076 RegCreateKeyExW 4154->4157 4156->4157 4158 52320aa-52320af 4157->4158 4159 5232078-52320a0 4157->4159 4158->4159
                                  APIs
                                  • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 05232069
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 0a231a27d12294c820d9d47e73a8228ab191054284639a07d011a1d1aa7e5b34
                                  • Instruction ID: 4dabc1f05d143d469afcef2cbe0c56c561a44c610c4d1ccf65db717cd4ce2717
                                  • Opcode Fuzzy Hash: 0a231a27d12294c820d9d47e73a8228ab191054284639a07d011a1d1aa7e5b34
                                  • Instruction Fuzzy Hash: 7C417C75109380AFE7238B218C50BA6BFB8EF16214F0985DAE985CB563D224E80DCB71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0523045F Relevance: 1.6, APIs: 1, Instructions: 98registryCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4164 523045f-523047f 4165 52304a1-52304d3 4164->4165 4166 5230481-52304a0 4164->4166 4170 52304d6-523052e RegQueryValueExW 4165->4170 4166->4165 4172 5230534-523054a 4170->4172
                                  APIs
                                  • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 05230526
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 6f56130b72c48d5d84726536d5482578a08bfc6108e7f7c6dc9ca431ff725929
                                  • Instruction ID: 89567d1812704b61b6c608721b37af8e6b8ef07104001cfd0cf3d04a2fdb54b8
                                  • Opcode Fuzzy Hash: 6f56130b72c48d5d84726536d5482578a08bfc6108e7f7c6dc9ca431ff725929
                                  • Instruction Fuzzy Hash: 63318D6510E3C06FD3138B258C65A61BFB4EF47610B0E85CBD8C48B6A3D219A909C7B2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100B1E6 Relevance: 1.6, APIs: 1, Instructions: 97registryCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4173 100b1e6-100b1e8 4174 100b1f2-100b26d 4173->4174 4175 100b1ea-100b1f1 4173->4175 4179 100b272-100b289 4174->4179 4180 100b26f 4174->4180 4175->4174 4182 100b2cb-100b2d0 4179->4182 4183 100b28b-100b29e RegOpenKeyExW 4179->4183 4180->4179 4182->4183 4184 100b2a0-100b2c8 4183->4184 4185 100b2d2-100b2d7 4183->4185 4185->4184
                                  APIs
                                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0100B291
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: a92078c7e9e14b19400d6092f55667884579b3b486e0ee56503f543faee2cc96
                                  • Instruction ID: 7ddbfc1823f6f3ab1f6ea708363f1366aa832d24f2dc977cad940929c78a6396
                                  • Opcode Fuzzy Hash: a92078c7e9e14b19400d6092f55667884579b3b486e0ee56503f543faee2cc96
                                  • Instruction Fuzzy Hash: 32316F71409384AFE7238B65CC45FAABFF8EF16210F08849AE9849B593D224E409C761
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 052311FC Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4190 52311fc-52312bb 4196 523130d-5231312 4190->4196 4197 52312bd-52312c5 getaddrinfo 4190->4197 4196->4197 4198 52312cb-52312dd 4197->4198 4200 5231314-5231319 4198->4200 4201 52312df-523130a 4198->4201 4200->4201
                                  APIs
                                  • getaddrinfo.WS2_32(?,00000E24), ref: 052312C3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: getaddrinfo
                                  • String ID:
                                  • API String ID: 300660673-0
                                  • Opcode ID: 7778d489526b32ba2b846724251e413ce3de04827a23b82ca65ca7e15625a639
                                  • Instruction ID: 465136fdd3ca8f86767f07d0206ea37d74aa19f630c0cdc7236edd6bd9bc89f5
                                  • Opcode Fuzzy Hash: 7778d489526b32ba2b846724251e413ce3de04827a23b82ca65ca7e15625a639
                                  • Instruction Fuzzy Hash: 8131B1B1504344AFE721DB61CC44FA6FBACEF05314F04889AFA489B682D374E949CB71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100AA75 Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4205 100aa75-100aafe 4209 100ab00 4205->4209 4210 100ab03-100ab0f 4205->4210 4209->4210 4211 100ab11 4210->4211 4212 100ab14-100ab1d 4210->4212 4211->4212 4213 100ab6e-100ab73 4212->4213 4214 100ab1f-100ab43 CreateFileW 4212->4214 4213->4214 4217 100ab75-100ab7a 4214->4217 4218 100ab45-100ab6b 4214->4218 4217->4218
                                  APIs
                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0100AB25
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: aec6d1ff832cddf0cadf8f7057d386de1edfda228d1a7f10cc21cc6ffcc1d496
                                  • Instruction ID: c4f496fc337a6508cb191c3888bc73e644b76cb160b51c79942517654ee427b4
                                  • Opcode Fuzzy Hash: aec6d1ff832cddf0cadf8f7057d386de1edfda228d1a7f10cc21cc6ffcc1d496
                                  • Instruction Fuzzy Hash: CF317071509780AFE722CF25CC44F56BFF8EF06214F08889AE9858B692D365E809CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 052310F4 Relevance: 1.6, APIs: 1, Instructions: 92timeCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4221 52310f4-5231189 4227 52311d6-52311db 4221->4227 4228 523118b-5231193 GetProcessTimes 4221->4228 4227->4228 4229 5231199-52311ab 4228->4229 4231 52311dd-52311e2 4229->4231 4232 52311ad-52311d3 4229->4232 4231->4232
                                  APIs
                                  • GetProcessTimes.KERNELBASE(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 05231191
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: ProcessTimes
                                  • String ID:
                                  • API String ID: 1995159646-0
                                  • Opcode ID: 72835368bf577b4ca19ef8d10ad1b4a11165ee19a1d764f847fc2967c83a9b59
                                  • Instruction ID: 12688118f09fab221b28eff2903a534f6a21c0a71d73115f5932f5a01c3c74ab
                                  • Opcode Fuzzy Hash: 72835368bf577b4ca19ef8d10ad1b4a11165ee19a1d764f847fc2967c83a9b59
                                  • Instruction Fuzzy Hash: 7D31C5B25097816FD7228F21DC45FA6BFB8EF16324F0884DBE8848F193D265A519C771
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100B036 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4235 100b036-100b0b9 4239 100b0bb 4235->4239 4240 100b0be-100b0c7 4235->4240 4239->4240 4241 100b0c9 4240->4241 4242 100b0cc-100b0d5 4240->4242 4241->4242 4243 100b126-100b12b 4242->4243 4244 100b0d7-100b0fb CreateMutexW 4242->4244 4243->4244 4247 100b12d-100b132 4244->4247 4248 100b0fd-100b123 4244->4248 4247->4248
                                  APIs
                                  • CreateMutexW.KERNELBASE(?,?), ref: 0100B0DD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: CreateMutex
                                  • String ID:
                                  • API String ID: 1964310414-0
                                  • Opcode ID: 4cb3b2d65c583132adf9439274a766c178d63637c646e8e42678b61e9eb703a3
                                  • Instruction ID: 21f3ad36e56ae1929d38897b3d5b92e604bd3a50a9523da3a8d17e3c04af0331
                                  • Opcode Fuzzy Hash: 4cb3b2d65c583132adf9439274a766c178d63637c646e8e42678b61e9eb703a3
                                  • Instruction Fuzzy Hash: 453173755093805FE712CB25DC45B96BFF8EF06214F08849AE984CB293D375E909C762
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100B2D9 Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegQueryValueExW.KERNELBASE(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 0100B394
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 1f6a4cb02c0141fddeaf38542244db9f3fe671b2f39dfb3a9995421387a64dfc
                                  • Instruction ID: 92570ed1d1f644d2fccb0af0e1e350c71a2fd6d9eb0eebc88b41ce232f21d4f4
                                  • Opcode Fuzzy Hash: 1f6a4cb02c0141fddeaf38542244db9f3fe671b2f39dfb3a9995421387a64dfc
                                  • Instruction Fuzzy Hash: 5D31B175509380AFE722CB65CC44FA6BFF8EF06214F18C4DAE985CB293D260E509CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 052309F0 Relevance: 1.6, APIs: 1, Instructions: 89COMMON
                                  Download Yara Rule
                                  APIs
                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 05230A87
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: DescriptorSecurity$ConvertString
                                  • String ID:
                                  • API String ID: 3907675253-0
                                  • Opcode ID: 9a8aba143c715f58ab2de48e14dc61d589e3bc1d33e018765701fb501b2c0a08
                                  • Instruction ID: d749752220d6e1a68fb4af6967b97ffd752c6b677883622e3611bd7dad358800
                                  • Opcode Fuzzy Hash: 9a8aba143c715f58ab2de48e14dc61d589e3bc1d33e018765701fb501b2c0a08
                                  • Instruction Fuzzy Hash: 5131B171505345AFE721CB65DC45FA7BBE8EF05210F08849AE944DB652D324E808CB71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 05231FCE Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 05232069
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 2ba76fbfbe744946b45be42d4c4b27b26263c5c4adbffcd617b15184e6b8f085
                                  • Instruction ID: f60977740494330999cccc2cdcb07e988ec53e1ce5ac85e2dfad61b57b087dcd
                                  • Opcode Fuzzy Hash: 2ba76fbfbe744946b45be42d4c4b27b26263c5c4adbffcd617b15184e6b8f085
                                  • Instruction Fuzzy Hash: BE21A0B6510204EFE721DF15CC45FA7BBECEF28614F04885AE94AD7651D724E40CCB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100A6CE Relevance: 1.6, APIs: 1, Instructions: 85comclipboardCOMMON
                                  Download Yara Rule
                                  APIs
                                  • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0100A77E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: Clipboard
                                  • String ID:
                                  • API String ID: 220874293-0
                                  • Opcode ID: 87100a3c256a0e1af7fa7319fa7d112b33d075dde0438e865a9183216c3a6e26
                                  • Instruction ID: 6ea7d78456dc15dc50df7725d31a41b59010944841e7daef709690a7a47edb9b
                                  • Opcode Fuzzy Hash: 87100a3c256a0e1af7fa7319fa7d112b33d075dde0438e865a9183216c3a6e26
                                  • Instruction Fuzzy Hash: 1931717504E3C06FD3138B259C61B61BFB4EF87610F0A80CBE884CB5A3D2256919D772
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0523121E Relevance: 1.6, APIs: 1, Instructions: 84COMMON
                                  Download Yara Rule
                                  APIs
                                  • getaddrinfo.WS2_32(?,00000E24), ref: 052312C3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: getaddrinfo
                                  • String ID:
                                  • API String ID: 300660673-0
                                  • Opcode ID: cd54ae29fe48029befc4545f37bbdbc0245245c95ba01fc0a87c995091a90fe5
                                  • Instruction ID: c738857e64143cbd19b1503a1a7f7873f78e0dc075ce70b69f71d79abbeaa0d1
                                  • Opcode Fuzzy Hash: cd54ae29fe48029befc4545f37bbdbc0245245c95ba01fc0a87c995091a90fe5
                                  • Instruction Fuzzy Hash: F221DEB1500204AFEB21DB61CD85FAAF7ECEF14714F04885AFA48DA681D3B4E549CB71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100B4C8 Relevance: 1.6, APIs: 1, Instructions: 82windowtimeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • SendMessageTimeoutA.USER32(?,00000E24), ref: 0100B571
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: MessageSendTimeout
                                  • String ID:
                                  • API String ID: 1599653421-0
                                  • Opcode ID: b5b86b006c6da0c042c56b3a430320b0d8d05b263aa123b975f82d569746596f
                                  • Instruction ID: 827da6a42ef76d5cca9056ce92216bb2814c11e1039a40d9a443d0f79ea0ae54
                                  • Opcode Fuzzy Hash: b5b86b006c6da0c042c56b3a430320b0d8d05b263aa123b975f82d569746596f
                                  • Instruction Fuzzy Hash: 9E21A571505340AFE7228F61DC44FA6FFB8EF46314F08849AE9859B592D375A409CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 05232241 Relevance: 1.6, APIs: 1, Instructions: 80COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: select
                                  • String ID:
                                  • API String ID: 1274211008-0
                                  • Opcode ID: 00684a2d19953f044d72a507191aa78ead7aaabd5d30642aab9cc8d2e759777b
                                  • Instruction ID: bd3081006ac8ccee60b3f9176c63492ce9679adb70aa11e2894a3c409275ad75
                                  • Opcode Fuzzy Hash: 00684a2d19953f044d72a507191aa78ead7aaabd5d30642aab9cc8d2e759777b
                                  • Instruction Fuzzy Hash: E1215CB55093859FDB12CF25DC44A62BFF8FF06214B08849AE989CB162D264A908CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 05232619 Relevance: 1.6, APIs: 1, Instructions: 79COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetExitCodeProcess.KERNELBASE(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 052326A0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: CodeExitProcess
                                  • String ID:
                                  • API String ID: 3861947596-0
                                  • Opcode ID: 17aa05247777a16bf67ed05d39be3b0713655204186d3637cdfbcf5b8c88cf05
                                  • Instruction ID: d24e74e68803fb9e6a314f0736260ed2ce6eabc2b4a295d32e8845d4f71753bc
                                  • Opcode Fuzzy Hash: 17aa05247777a16bf67ed05d39be3b0713655204186d3637cdfbcf5b8c88cf05
                                  • Instruction Fuzzy Hash: 1321A1715093846FE712CB25DC45FA6BFA8EF42714F0884EAE944DF193D264E909CB71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100AE77 Relevance: 1.6, APIs: 1, Instructions: 78fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • ReadFile.KERNELBASE(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 0100AF0D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: 28d6e1214cccd97db525c943dac9f91aa972930d6fbf32feafa8af6360135388
                                  • Instruction ID: 5a5af357e3c20ba9d2c19e9d89d1a986ebddd0f204bccb2e194a02819b551ae9
                                  • Opcode Fuzzy Hash: 28d6e1214cccd97db525c943dac9f91aa972930d6fbf32feafa8af6360135388
                                  • Instruction Fuzzy Hash: 0F21A3B2509380AFE722CB61DC44F96BFB8EF56314F0884DAE9849B193D265A509CB71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100B3EA Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegSetValueExW.KERNELBASE(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 0100B480
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID:
                                  • API String ID: 3702945584-0
                                  • Opcode ID: f338f83b774ed337a7d1c39a70593eef3dcc92f3deead857836f3a67d84a1a8c
                                  • Instruction ID: c4f0137901430e097bc73f14aedb399051fc23e4ec767d9a66f66399d883d15f
                                  • Opcode Fuzzy Hash: f338f83b774ed337a7d1c39a70593eef3dcc92f3deead857836f3a67d84a1a8c
                                  • Instruction Fuzzy Hash: 9221AE76504780AFE7228B15CC44FA7BFF8EF46210F08849AE985DB292D264E908C771
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 05230552 Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 052305DE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: Socket
                                  • String ID:
                                  • API String ID: 38366605-0
                                  • Opcode ID: c7e174242ea35cdc276c3aa41c0a89f89de5e950bd125c15723ef64e7efbe397
                                  • Instruction ID: b5d509451eda51d8e1a02c6a9ca95078e40f632165d11d821910c480302c7a1d
                                  • Opcode Fuzzy Hash: c7e174242ea35cdc276c3aa41c0a89f89de5e950bd125c15723ef64e7efbe397
                                  • Instruction Fuzzy Hash: A4217E71509380AFD722CF61DC45FA6FFB8EF09224F08889EE9858B652D375A409CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 05230BA6 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: FileView
                                  • String ID:
                                  • API String ID: 3314676101-0
                                  • Opcode ID: b62958ae1073a6f8c681e077d475213eb377fc82065eb18a25b4977c5b41d0ce
                                  • Instruction ID: 9b38215cdabe188d7216243f4d38793b6c38e49f0c90f2d369c37308eefae267
                                  • Opcode Fuzzy Hash: b62958ae1073a6f8c681e077d475213eb377fc82065eb18a25b4977c5b41d0ce
                                  • Instruction Fuzzy Hash: 6B21B171405340AFE722CB15CC45F96FBF8EF19224F04889EE9848B652D365E509CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100AAA6 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0100AB25
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: e62ad24f2e814b9f430e383b2a69a5ce976a4a72e2ce8cdd9f5599d9c4848bad
                                  • Instruction ID: a852d5f356bcad68d464114e3133603863f7c48351034230a5cf308a3c4e0741
                                  • Opcode Fuzzy Hash: e62ad24f2e814b9f430e383b2a69a5ce976a4a72e2ce8cdd9f5599d9c4848bad
                                  • Instruction Fuzzy Hash: 2621B271604700AFE721CF25CC44F66FBE8EF18314F048869E9858B692D375E408CB71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 05230A16 Relevance: 1.6, APIs: 1, Instructions: 76COMMON
                                  Download Yara Rule
                                  APIs
                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 05230A87
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: DescriptorSecurity$ConvertString
                                  • String ID:
                                  • API String ID: 3907675253-0
                                  • Opcode ID: eeb438a7d746aad080474105d976ff9b57731ad586f98cce43d7b2f9aa670a91
                                  • Instruction ID: ed39fd4eccbb3c320ead40d2ee55fa23afe39f8e1373c66ce69c5661f1a29efc
                                  • Opcode Fuzzy Hash: eeb438a7d746aad080474105d976ff9b57731ad586f98cce43d7b2f9aa670a91
                                  • Instruction Fuzzy Hash: 1A21D4B2501205AFEB20DF25DC45FABBBECEF14614F04846AEE45DB641D774E4088BB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 052308FE Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegQueryValueExW.KERNELBASE(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 0523099C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 050a81be002b27e6c8ff3f0222ff36ca521f2e376b49673219879b5faa32e8f7
                                  • Instruction ID: 3f52d523914e7a567243a00d509d89c050cbf8db2d609c0e2fd94c5047127fa3
                                  • Opcode Fuzzy Hash: 050a81be002b27e6c8ff3f0222ff36ca521f2e376b49673219879b5faa32e8f7
                                  • Instruction Fuzzy Hash: 702192B2509740AFE722CB11CC85F67BFF8EF55710F08889AE9459B692D325E908CB71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100B212 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0100B291
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: 4a891cab6e9aaf03e88377822857f32b2754026c9210178821eedcfa3054a315
                                  • Instruction ID: cf22f9d49ab2c424a0b37ee6a8f23ec9fb0de9dc447e5614dd7f51b7b8e5b31d
                                  • Opcode Fuzzy Hash: 4a891cab6e9aaf03e88377822857f32b2754026c9210178821eedcfa3054a315
                                  • Instruction Fuzzy Hash: FE21A176500204AFE722DF55CC44FABFBECEF14714F04885AEA458BA92D724E5098BB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100AC37 Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetFileType.KERNELBASE(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 0100ACBD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID:
                                  • API String ID: 3081899298-0
                                  • Opcode ID: 0219b2c6528962485b2b00b6a30cd683ed8bc1c0d576d87160635f6ee06c0f04
                                  • Instruction ID: 68cca1f01baf13d3a7381fd839bbe37a60523b98018d7b127ee7606fd9dbf625
                                  • Opcode Fuzzy Hash: 0219b2c6528962485b2b00b6a30cd683ed8bc1c0d576d87160635f6ee06c0f04
                                  • Instruction Fuzzy Hash: 582105B54083806FE7138B11DC40BA6BFB8EF53314F08C0DAE9848B293C264A909C771
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100A9BF Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                  Download Yara Rule
                                  APIs
                                  • SetErrorMode.KERNELBASE(?), ref: 0100AA44
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: f1107081fe5035980806b8ffe6537b40849eab828833472f901b9d03094a5fc2
                                  • Instruction ID: 80f54db0f2ff8792d3fd3f82bdf13a3798a19e7f9b650a6046050ab47e1900aa
                                  • Opcode Fuzzy Hash: f1107081fe5035980806b8ffe6537b40849eab828833472f901b9d03094a5fc2
                                  • Instruction Fuzzy Hash: 3121486550E3C09FD7138B258C64A51BFB4EF53624F0E84DBD9C48F5A3C2689848CB72
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 05232703 Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetProcessWorkingSetSize.KERNEL32(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 0523277F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: ProcessSizeWorking
                                  • String ID:
                                  • API String ID: 3584180929-0
                                  • Opcode ID: 0c4ccb3d50334351dbcc863d9a4a0e9b1162ed120b7c46d190e80dd5c11ab73c
                                  • Instruction ID: af6342c866ffcc77ed414c1dbed9a8c166e1f8b39a1b03504befea126766d50b
                                  • Opcode Fuzzy Hash: 0c4ccb3d50334351dbcc863d9a4a0e9b1162ed120b7c46d190e80dd5c11ab73c
                                  • Instruction Fuzzy Hash: 7E21C271509380AFE712CB21CC49FAABFA8EF46214F08C89AE945CB192D364E508CB71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 052327E7 Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                  Download Yara Rule
                                  APIs
                                  • SetProcessWorkingSetSize.KERNEL32(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 05232863
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: ProcessSizeWorking
                                  • String ID:
                                  • API String ID: 3584180929-0
                                  • Opcode ID: 0c4ccb3d50334351dbcc863d9a4a0e9b1162ed120b7c46d190e80dd5c11ab73c
                                  • Instruction ID: 1453ab16806d9912c8d4866e3111e4238abe4a2188d45af610bf8908cd10f35c
                                  • Opcode Fuzzy Hash: 0c4ccb3d50334351dbcc863d9a4a0e9b1162ed120b7c46d190e80dd5c11ab73c
                                  • Instruction Fuzzy Hash: 4F21D471509380AFD712CB21DC45FABBFA8EF46214F08C89AE944DB152D374E508CB71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100B06A Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON
                                  Download Yara Rule
                                  APIs
                                  • CreateMutexW.KERNELBASE(?,?), ref: 0100B0DD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: CreateMutex
                                  • String ID:
                                  • API String ID: 1964310414-0
                                  • Opcode ID: d98e6ae33f010c48a3e5e188c0e819082ad250da11d1d9ba8d545594b98b68b0
                                  • Instruction ID: a582dad9a7760ec47d32a6827d2bac6e0ec81af498fc48e388601c2a40220c11
                                  • Opcode Fuzzy Hash: d98e6ae33f010c48a3e5e188c0e819082ad250da11d1d9ba8d545594b98b68b0
                                  • Instruction Fuzzy Hash: FA2180756042009FF721DB25DC45BA6FBE8EF15224F0488A9E9498B682D775E408CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 05230E3D Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                  Download Yara Rule
                                  APIs
                                  • shutdown.WS2_32(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 05230EC0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: shutdown
                                  • String ID:
                                  • API String ID: 2510479042-0
                                  • Opcode ID: a17d1e04132df933339ccd99448cbe8f31edffda048b561b3733d94e0f09af06
                                  • Instruction ID: f1a143cdc052a0287b2e2fa0f47d2a11856735a77a1fc11c50101bc23b0b6630
                                  • Opcode Fuzzy Hash: a17d1e04132df933339ccd99448cbe8f31edffda048b561b3733d94e0f09af06
                                  • Instruction Fuzzy Hash: BE2192B1509384AFD712CB15CC45FA6BFB8EF46224F0884DAE9449F252C369A549CB72
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100A140 Relevance: 1.6, APIs: 1, Instructions: 71networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: send
                                  • String ID:
                                  • API String ID: 2809346765-0
                                  • Opcode ID: 259165c4f4a1d85fde82e55b6931e11b0a256082cc428c6483d5df8a124a84ce
                                  • Instruction ID: 84f4ce18317ad39a970f29d23e7cc04d8395202979a73e2f216b6f397ca2b67c
                                  • Opcode Fuzzy Hash: 259165c4f4a1d85fde82e55b6931e11b0a256082cc428c6483d5df8a124a84ce
                                  • Instruction Fuzzy Hash: D3219A7190D3C09FDB138B258C54A52BFB4AF07210F0988DBD9848F5A3D265A809C762
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100B31A Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegQueryValueExW.KERNELBASE(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 0100B394
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 6f7e4dd3fd33aa3ecd258c08d1694a7a4f883d0aed6e7d545ca0001bc23d6b6d
                                  • Instruction ID: 943ca2b18c13d3bb782b887440242cf6ca405113e1b7606197bc7b827fe213ea
                                  • Opcode Fuzzy Hash: 6f7e4dd3fd33aa3ecd258c08d1694a7a4f883d0aed6e7d545ca0001bc23d6b6d
                                  • Instruction Fuzzy Hash: DC21C075600200AFE722CF15CC44FA6BBECEF14610F18C49AED85DB692D760E408CBB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0523217B Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                                  Download Yara Rule
                                  APIs
                                  • ioctlsocket.WS2_32(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 052321F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: ioctlsocket
                                  • String ID:
                                  • API String ID: 3577187118-0
                                  • Opcode ID: e4365839a0f6ea0dbc20ceacd056c96a6f1154bc018bde47588a8d02b8567b7f
                                  • Instruction ID: bbc63265477e180271d8ab4839b60c1d9396f791981c77f981783bce66846f1a
                                  • Opcode Fuzzy Hash: e4365839a0f6ea0dbc20ceacd056c96a6f1154bc018bde47588a8d02b8567b7f
                                  • Instruction Fuzzy Hash: F721C371409384AFD722CF51CC44FA6BFB8EF56214F08C89AE9489B152C374E508C7B1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 05230572 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 052305DE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: Socket
                                  • String ID:
                                  • API String ID: 38366605-0
                                  • Opcode ID: d8d148c4d918ed0a55de29ddd2fc0593914cb3a5071152dd230db555b2550771
                                  • Instruction ID: d829b030006f679546ed256d0738da6f23c589b516bdd1c085380edeebbeacbc
                                  • Opcode Fuzzy Hash: d8d148c4d918ed0a55de29ddd2fc0593914cb3a5071152dd230db555b2550771
                                  • Instruction Fuzzy Hash: 7421F0B1500200AFEB21DF65DC45FA6FBE8EF19324F04886EE9498B652D375E409CB72
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 05230BC6 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: FileView
                                  • String ID:
                                  • API String ID: 3314676101-0
                                  • Opcode ID: e092a02ce6b45604e17ff2aadfa72b3395ed872c158f972f1da52602995566dc
                                  • Instruction ID: 40709918073395dcfe9cda6d516e13fab3f65efb92e79e37e746ab4287f36cd5
                                  • Opcode Fuzzy Hash: e092a02ce6b45604e17ff2aadfa72b3395ed872c158f972f1da52602995566dc
                                  • Instruction Fuzzy Hash: FD21C0B2500204AFE721DF15CD49FA6FBE8EF29324F048859E9498B651D375F509CBB2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 052313CE Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 0523144A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: Connect
                                  • String ID:
                                  • API String ID: 3144859779-0
                                  • Opcode ID: 21b1f0be33109d44914a4696f0c6096841ef477749552df4590d26c614231ba1
                                  • Instruction ID: 5033959381d65bb0fd18d90cd6bf8f982a0e4cdc5701bddc6d4ddc2a0bd37b09
                                  • Opcode Fuzzy Hash: 21b1f0be33109d44914a4696f0c6096841ef477749552df4590d26c614231ba1
                                  • Instruction Fuzzy Hash: A0215075508384AFDB228F55DC44B62BFF4EF06210F08899AE9898B563D375A418DB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100B4F6 Relevance: 1.6, APIs: 1, Instructions: 66windowtimeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • SendMessageTimeoutA.USER32(?,00000E24), ref: 0100B571
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: MessageSendTimeout
                                  • String ID:
                                  • API String ID: 1599653421-0
                                  • Opcode ID: 17c0f10f14b1579533d87d1a69d14be4b0b7c1fbc422a0cbd70d78bf31c25f43
                                  • Instruction ID: a7e663cdf551e9a2cb7393821fdf21dc4063580b8a9d30cb203fb365edf8b6a5
                                  • Opcode Fuzzy Hash: 17c0f10f14b1579533d87d1a69d14be4b0b7c1fbc422a0cbd70d78bf31c25f43
                                  • Instruction Fuzzy Hash: EA219D76500200AFEB22DF51DC41FA6FBA8EF14714F14889AEE859A692D375E5088BA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0523168A Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,00000E24), ref: 05231713
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 15016df024da56804d0f63c163a84e1bcb37875896f9f2bfa703aef80b7a2fdc
                                  • Instruction ID: 0b3417595dc8d76caa6ffc355ae939aafc55ac92e56c44d5275fa7c9c1a68413
                                  • Opcode Fuzzy Hash: 15016df024da56804d0f63c163a84e1bcb37875896f9f2bfa703aef80b7a2fdc
                                  • Instruction Fuzzy Hash: 3111D371505340AFE721CB11DC85FA6FFB8EF46720F08849AF9489B692D364A948CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100B40E Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegSetValueExW.KERNELBASE(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 0100B480
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID:
                                  • API String ID: 3702945584-0
                                  • Opcode ID: 4df865826ae13a7467ba22bddc9281f48a0829de337fd3dba9d1b119e82e7c23
                                  • Instruction ID: 533a574d0b502a0dd532134de6ecd04bb843441b98554b712e530cee5ca2ee0e
                                  • Opcode Fuzzy Hash: 4df865826ae13a7467ba22bddc9281f48a0829de337fd3dba9d1b119e82e7c23
                                  • Instruction Fuzzy Hash: DC118176500604AFE722CE15DC44FABFBECEF14614F04C45AEE859B692D774E5088A71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0523092A Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegQueryValueExW.KERNELBASE(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 0523099C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 711df9cfcaa9bb980acd1ef5fea4a94f72f5acec0e74a654df875b20a5a8524a
                                  • Instruction ID: 004a37c54fba45dfd82f260ed710006c9ec3d1b82f4804e6d72304a29000542c
                                  • Opcode Fuzzy Hash: 711df9cfcaa9bb980acd1ef5fea4a94f72f5acec0e74a654df875b20a5a8524a
                                  • Instruction Fuzzy Hash: 7311B1B2510200AFE721CF11CC85FA7F7ECEF14A10F08C85AE9458B652E364E408CBB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100AB7C Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                  Download Yara Rule
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0100ABF0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 24dddb20b583749ee2a0687b6ef0246917e7533fcbbb28703b1ca218025d368d
                                  • Instruction ID: f8190a68921cceddf66279fa9041fa5748359da3b02492a0e3d1a7e96f2c7d1a
                                  • Opcode Fuzzy Hash: 24dddb20b583749ee2a0687b6ef0246917e7533fcbbb28703b1ca218025d368d
                                  • Instruction Fuzzy Hash: 7721C3759097849FD712CB29EC55792BFA8EF02320F0984DBEC858B593D234A908C761
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 05231132 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetProcessTimes.KERNELBASE(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 05231191
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: ProcessTimes
                                  • String ID:
                                  • API String ID: 1995159646-0
                                  • Opcode ID: c9e7ca2fc45e1ba6fefe613cd6ab522598dbe4c2d70ab849be8e085aea0b5d96
                                  • Instruction ID: ff0548f4ed54bfa579f487e3c38c931fc665f784431e5dca12009e3c1a15cd0a
                                  • Opcode Fuzzy Hash: c9e7ca2fc45e1ba6fefe613cd6ab522598dbe4c2d70ab849be8e085aea0b5d96
                                  • Instruction Fuzzy Hash: 7E119072500204AFEB21CF55DC45FAABBA8EF15724F04C86AED458B651D375E418CBB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100A61E Relevance: 1.6, APIs: 1, Instructions: 63comCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: Initialize
                                  • String ID:
                                  • API String ID: 2538663250-0
                                  • Opcode ID: 20f1477e834abe40b78ad33cdb01c54feed8252e9328c18e330119d5c99af864
                                  • Instruction ID: e20197d3736b843ea8d0bd5271f33f1fb999ef51489d0b41cb5a1ed74c1163c7
                                  • Opcode Fuzzy Hash: 20f1477e834abe40b78ad33cdb01c54feed8252e9328c18e330119d5c99af864
                                  • Instruction Fuzzy Hash: 042158719093C09FDB52CB25DC94752BFB4EF47220F0984DAED849F1A3D2659908CBB2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 05232726 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetProcessWorkingSetSize.KERNEL32(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 0523277F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: ProcessSizeWorking
                                  • String ID:
                                  • API String ID: 3584180929-0
                                  • Opcode ID: 8b4012e87117ba50a51772964b3d37469a7b2638e0e291e00325687a27027f45
                                  • Instruction ID: 279532bd15bcf61b304e35965691491f33205fb6c7fc5f2116b8f169c168a884
                                  • Opcode Fuzzy Hash: 8b4012e87117ba50a51772964b3d37469a7b2638e0e291e00325687a27027f45
                                  • Instruction Fuzzy Hash: 1111C1B5500200AFEB21CF25DC45FAABBA8EF15724F08C86AED09CB641D374E4088BB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0523280A Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                  Download Yara Rule
                                  APIs
                                  • SetProcessWorkingSetSize.KERNEL32(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 05232863
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: ProcessSizeWorking
                                  • String ID:
                                  • API String ID: 3584180929-0
                                  • Opcode ID: 8b4012e87117ba50a51772964b3d37469a7b2638e0e291e00325687a27027f45
                                  • Instruction ID: 58dad7d194cff7a6a96ab5c9e69c916c5cbcf5adbdd8ed11bd6f7124cd0dde09
                                  • Opcode Fuzzy Hash: 8b4012e87117ba50a51772964b3d37469a7b2638e0e291e00325687a27027f45
                                  • Instruction Fuzzy Hash: 6411C1B5500200AFEB21CF15DC45FAABBACEF65324F18C86AED09DB641D774E5088BB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100A573 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                  Download Yara Rule
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0100A5DE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: ae854cf0509626cbe5194f98d3e63a2016e01b760ced8e5e0e037b461e6744d9
                                  • Instruction ID: 458fd0ffe54b8fcdff8d3fac883071e060c7cdb4d7a7a82af4cf86999bfc8f13
                                  • Opcode Fuzzy Hash: ae854cf0509626cbe5194f98d3e63a2016e01b760ced8e5e0e037b461e6744d9
                                  • Instruction Fuzzy Hash: 05117F71509380AFDB228F55DC44A62FFF8EF4A310F0888DAED858B563C275A418DB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0523264A Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetExitCodeProcess.KERNELBASE(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 052326A0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: CodeExitProcess
                                  • String ID:
                                  • API String ID: 3861947596-0
                                  • Opcode ID: 75f16521d27fd8acb3543032d8cea8e974ccc710513f8ff60710c80f57c4096d
                                  • Instruction ID: 9f7c2d342bb99cc73c924dfe10d77dd712ed8aec383970bb3ae920c9b5a2dd68
                                  • Opcode Fuzzy Hash: 75f16521d27fd8acb3543032d8cea8e974ccc710513f8ff60710c80f57c4096d
                                  • Instruction Fuzzy Hash: 1511E3B5500200AFEB20CB15DC45BAABBECEF15624F04C46AED05CB641D774E9088BB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100AEAE Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • ReadFile.KERNELBASE(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 0100AF0D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: 7a8e5115764533e03852c01e660b2dc533a1531b0ee05312eddc63fcd38ab3ac
                                  • Instruction ID: a2f4d74e4418f0c0b32c683e86ce07152021d1d7a2b6e0cf7ba48048408749ef
                                  • Opcode Fuzzy Hash: 7a8e5115764533e03852c01e660b2dc533a1531b0ee05312eddc63fcd38ab3ac
                                  • Instruction Fuzzy Hash: BB119071500200AFEB22CF55DC44FAABBE8EF14714F04C89AEA459B692C375E4088BB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0523219E Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                  Download Yara Rule
                                  APIs
                                  • ioctlsocket.WS2_32(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 052321F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: ioctlsocket
                                  • String ID:
                                  • API String ID: 3577187118-0
                                  • Opcode ID: 7dcd88bb966b5bcfc7389fc2cd5ce315118f11e7825b6132d7191bdbe3a5514c
                                  • Instruction ID: 8465d4c62f8210db6fa88c92173ea470ee17ddc45ef39f7663085cfa09fc8a16
                                  • Opcode Fuzzy Hash: 7dcd88bb966b5bcfc7389fc2cd5ce315118f11e7825b6132d7191bdbe3a5514c
                                  • Instruction Fuzzy Hash: 4A11E775900200AFE721CF51CC45FAAFBA8EF14714F04C45AEE058B641C374E5098BB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 05230E6A Relevance: 1.6, APIs: 1, Instructions: 57COMMON
                                  Download Yara Rule
                                  APIs
                                  • shutdown.WS2_32(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 05230EC0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: shutdown
                                  • String ID:
                                  • API String ID: 2510479042-0
                                  • Opcode ID: 642ae0fb2641e6fe017605e011e604d12cff934f5ca36ff9c25286e23a89d2d7
                                  • Instruction ID: b78d59f9ba75212db3fcbdb30fba405e3e8cfb18e20630fb7b899422a42ad8f1
                                  • Opcode Fuzzy Hash: 642ae0fb2641e6fe017605e011e604d12cff934f5ca36ff9c25286e23a89d2d7
                                  • Instruction Fuzzy Hash: 991102B1504200AFEB20CF15CC89FAABBE8EF14724F08C85AED089B641D374E5088BB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 052316AA Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,00000E24), ref: 05231713
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 5b2bef62e6048948ecd4a3341c5f058cfdd537374bb69ae5a1c8b5151fc4c286
                                  • Instruction ID: 2ae8f61b7938f7ae3e8bfc68c2054cca69137e41cbe803072705673874dc77d1
                                  • Opcode Fuzzy Hash: 5b2bef62e6048948ecd4a3341c5f058cfdd537374bb69ae5a1c8b5151fc4c286
                                  • Instruction Fuzzy Hash: 0211E571510200AFE720DB11DC86FB6FBA8DF15724F18C459ED089B781D3B4E549CAA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0523227A Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: select
                                  • String ID:
                                  • API String ID: 1274211008-0
                                  • Opcode ID: 3e4e2bdb94159474e0bc1e3aaf0caf99be40e8cf2ad001fa03b74792fc2a0fb8
                                  • Instruction ID: 1d2b82257d9586c1f909dbabf9ff511f160808b63d283d90d68da6586d92e065
                                  • Opcode Fuzzy Hash: 3e4e2bdb94159474e0bc1e3aaf0caf99be40e8cf2ad001fa03b74792fc2a0fb8
                                  • Instruction Fuzzy Hash: 861128B9A14205DFDB20CF65D885F66FBE8EF14610F0888AADD4ACB652D374E448CB71
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100AC6A Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetFileType.KERNELBASE(?,00000E24,57FC754B,00000000,00000000,00000000,00000000), ref: 0100ACBD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID:
                                  • API String ID: 3081899298-0
                                  • Opcode ID: ed7bddd0650d85a225ace4093563bf81c800bde59be56230cb99470837797d41
                                  • Instruction ID: ba26864fd7ea9a02a70205279e57f75c270d5b020c16e2f1316a7e09cf23106f
                                  • Opcode Fuzzy Hash: ed7bddd0650d85a225ace4093563bf81c800bde59be56230cb99470837797d41
                                  • Instruction Fuzzy Hash: 8B01C471504304AFE721CB05DC85FAAB7D8DF65624F08C496ED449B782D374E5088AB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 052313FE Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 0523144A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: Connect
                                  • String ID:
                                  • API String ID: 3144859779-0
                                  • Opcode ID: 3508787bdf1c47264261378377a9f77e37ea071d1249c208598ed8c447c6693a
                                  • Instruction ID: 7e96a9074940d2fe3ae8836cab521d97e212e7838a88061b95246e4ca706983a
                                  • Opcode Fuzzy Hash: 3508787bdf1c47264261378377a9f77e37ea071d1249c208598ed8c447c6693a
                                  • Instruction Fuzzy Hash: 76118E715142459FDB20CF55D845B62FBE5FF08320F08C8AAEE498B622D375E428CF62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100A59A Relevance: 1.5, APIs: 1, Instructions: 45COMMON
                                  Download Yara Rule
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0100A5DE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: b1bff02d631cf31be66d82a3acaf70c65a1dff3d72e159c4eb149118f1213d05
                                  • Instruction ID: f2848cc3578bfac8e063944fc8491cbffbab18e265428437b9a3c6adeb7dca3a
                                  • Opcode Fuzzy Hash: b1bff02d631cf31be66d82a3acaf70c65a1dff3d72e159c4eb149118f1213d05
                                  • Instruction Fuzzy Hash: F2013C71904700DFDB618F55D844B56FFE4EF48210F08889ADE894B652C376E414DB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100A72E Relevance: 1.5, APIs: 1, Instructions: 43comclipboardCOMMON
                                  Download Yara Rule
                                  APIs
                                  • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0100A77E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: Clipboard
                                  • String ID:
                                  • API String ID: 220874293-0
                                  • Opcode ID: 06f06e1cda283f62801e5af27db0bba103db73489ddc67e78249845218a50022
                                  • Instruction ID: 0bebad0c4971fad50bd52e3a0fc16af7412ea2c965a47f05199879009a340136
                                  • Opcode Fuzzy Hash: 06f06e1cda283f62801e5af27db0bba103db73489ddc67e78249845218a50022
                                  • Instruction Fuzzy Hash: 77016271600600ABD310DF16DC46B66FBE8FB88A20F148159ED089BB41D775F916CBE5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100ABBE Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                                  Download Yara Rule
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0100ABF0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 53a03c2581a83936f81318f12d2aa8b33dce4682df6e7a19a459a4202b9d7d80
                                  • Instruction ID: 685f1525b3b2ff1c1207ecf08d05ccd0d7a03ca5457c5d6a6837e2dffdac62b6
                                  • Opcode Fuzzy Hash: 53a03c2581a83936f81318f12d2aa8b33dce4682df6e7a19a459a4202b9d7d80
                                  • Instruction Fuzzy Hash: C5018471A04344CFEB51CF15D885B66FBD4DF05224F08C8AADD498B692D275E404CA61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 052304D6 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 05230526
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488255696.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5230000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 4298b930d39b26da9ae1f3745affdc0a22833d9ff236687ff5c45024d2bc5f59
                                  • Instruction ID: ce77b5f25cbfe006b483d9548056b998057f6c4d88aa94e5984696bec46bfcfb
                                  • Opcode Fuzzy Hash: 4298b930d39b26da9ae1f3745affdc0a22833d9ff236687ff5c45024d2bc5f59
                                  • Instruction Fuzzy Hash: 52016271600600ABD310DF16DC46B66FBE8FB88A20F14815AED089BB41D771F916CBE5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100A186 Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: send
                                  • String ID:
                                  • API String ID: 2809346765-0
                                  • Opcode ID: 45ee194b6e235c5ee5a42b4057643f0253eefe86f97126c4607dd6038f63f831
                                  • Instruction ID: edea64c5a1a9366152ae5297dda3d4683065446b70a0fca43533ad18252b94f0
                                  • Opcode Fuzzy Hash: 45ee194b6e235c5ee5a42b4057643f0253eefe86f97126c4607dd6038f63f831
                                  • Instruction Fuzzy Hash: 0E019E31904340DFEB61CF55D844BA6FBE4EF15320F08C8AADD898B652C375E408CBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100A65E Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: Initialize
                                  • String ID:
                                  • API String ID: 2538663250-0
                                  • Opcode ID: fe195d4a9de8f8eaf84810778733f527afa96040f25a15feb993e7db4973d43b
                                  • Instruction ID: f14995ac34ee22ac2d0f6d7314266e7032ce3fba8109876b81ee72ad643dcadc
                                  • Opcode Fuzzy Hash: fe195d4a9de8f8eaf84810778733f527afa96040f25a15feb993e7db4973d43b
                                  • Instruction Fuzzy Hash: B901A271A04340CFEB51CF55D884766FBE4DF55224F08C8AADD898F652D379E404CEA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0100AA12 Relevance: 1.5, APIs: 1, Instructions: 35COMMON
                                  Download Yara Rule
                                  APIs
                                  • SetErrorMode.KERNELBASE(?), ref: 0100AA44
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484471353.000000000100A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_100a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: e16b70dc1e745837768e6e89dc4ddc427ae1e631a8a3dc2519004e596bc53df5
                                  • Instruction ID: 285963c6ed9dad47a9a284e0965c4e406a1de669e4b9793ce634348c76f60002
                                  • Opcode Fuzzy Hash: e16b70dc1e745837768e6e89dc4ddc427ae1e631a8a3dc2519004e596bc53df5
                                  • Instruction Fuzzy Hash: 53F0FF35A00340CFEB21CF05D984B65FBE4EF06224F08C49ADD884B792C378E548CEA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C75C9 Relevance: 1.2, Instructions: 1242COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f4395adf5fd8ecffc10742f84967d6e17573cdb965c38b99fc564cc802822d1d
                                  • Instruction ID: 9705e4279bab5dc8ac15f879abf60f0c9db2e8b0a4ad8ef711153b9370ebe175
                                  • Opcode Fuzzy Hash: f4395adf5fd8ecffc10742f84967d6e17573cdb965c38b99fc564cc802822d1d
                                  • Instruction Fuzzy Hash: 7DB2AC34B10264CFDB119B26E8117BD7BF2FB99304F1082AA984597789CB7ACD46DF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C7644 Relevance: 1.1, Instructions: 1079COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 668c6481851f1f3a795477fddd0a95cf220edf5f18c7cf71e1705fa5bb2973d1
                                  • Instruction ID: 98b0d75d538901b3a4113f0c9bc3279096612da1383d4eb6584ac1bb5c429963
                                  • Opcode Fuzzy Hash: 668c6481851f1f3a795477fddd0a95cf220edf5f18c7cf71e1705fa5bb2973d1
                                  • Instruction Fuzzy Hash: E792F5307101608BDF159B26E8117BD3BF7BBA9304F1485AE9446A3789CB7ACD4ADF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C767E Relevance: 1.1, Instructions: 1076COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8253dc3c2c097357432d1e4c1b8886b20f48fc898b7df5e65f2e1250765439be
                                  • Instruction ID: 79de8672eb7982a563104608f8c482c8cdac6ae841dd18b26863299f3a76d59a
                                  • Opcode Fuzzy Hash: 8253dc3c2c097357432d1e4c1b8886b20f48fc898b7df5e65f2e1250765439be
                                  • Instruction Fuzzy Hash: 0292F6307101608BDF159B26E8117BD3BF7BBA9304F1445AE9446A3789CB7ACD4ADF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C76AD Relevance: 1.1, Instructions: 1075COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7cbc005487a6c1332de7299fbcf31b1fd3998dc96fb5b722862a10fee4029283
                                  • Instruction ID: 8d3c0af93607e12b240c5e74a0dd547281f6fb3c5218bb9feea159b6c9235a5c
                                  • Opcode Fuzzy Hash: 7cbc005487a6c1332de7299fbcf31b1fd3998dc96fb5b722862a10fee4029283
                                  • Instruction Fuzzy Hash: 3892F6307102608BDF159B26E8117BD3BF7BBA9304F1445AE9446A3789CB7ACD4ADF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C3802 Relevance: .5, Instructions: 499COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9650c8ff796737ec4a1c260fcff94e6bb744846ad271f04baad98249abb740f3
                                  • Instruction ID: 85d96082000f5ff8c4258a19aa69a57111ac21d004872cc28fb09ee28980aa66
                                  • Opcode Fuzzy Hash: 9650c8ff796737ec4a1c260fcff94e6bb744846ad271f04baad98249abb740f3
                                  • Instruction Fuzzy Hash: 0F323830A102688FDB14EF75D855BEDB7B2BF89308F1045A9D509AB3A9DB399D81CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C8BF0 Relevance: .3, Instructions: 335COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 692723e6b96986559b0c13f0ce3729f6fd34aa7d4faa8058727a625dc929213e
                                  • Instruction ID: bcbe6fb89697289f0e28702fc1ced276fd523d2e03e3ae942a654e0e85becf10
                                  • Opcode Fuzzy Hash: 692723e6b96986559b0c13f0ce3729f6fd34aa7d4faa8058727a625dc929213e
                                  • Instruction Fuzzy Hash: 06D14C31A10215DFDB09EFB6F45159D77B2BF89344B108939E812A73A9DF39AC06CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C7190 Relevance: .3, Instructions: 287COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ff31ec927ddcf01adbc4e5f717a986b4ab886d610b3c5b01c4fde518dad3b006
                                  • Instruction ID: 84572c17345bbbb13ebfd1e5f0114204439e7f61046ea8399d105e6a17ca4821
                                  • Opcode Fuzzy Hash: ff31ec927ddcf01adbc4e5f717a986b4ab886d610b3c5b01c4fde518dad3b006
                                  • Instruction Fuzzy Hash: 74A1D1306042118BDB25EB35E845BAD3AE2FF86314F1446BCE812AB3D5DB35DC06CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C8BDF Relevance: .3, Instructions: 269COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5d7dfb22a74f625cdc158bc4352b1ed9e4692cc3a2b404890d30e5641f468af2
                                  • Instruction ID: 3efc784829659953e0e80994c44640c692c6d1183518aa2d31fd48c9eec09365
                                  • Opcode Fuzzy Hash: 5d7dfb22a74f625cdc158bc4352b1ed9e4692cc3a2b404890d30e5641f468af2
                                  • Instruction Fuzzy Hash: 25A14A31A10215DFCB09EB76F45166D77B2BF89348B508639E816A73A9DF39AC02CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C8CF5 Relevance: .2, Instructions: 232COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f071b2ed50f3f14d1dd969d1dfacf692b4ea39867d17c3c73c892bb6a25d8d0d
                                  • Instruction ID: 217135cf175851f7ccd3e7746ae1937026404b1211deb8c457e3b27caeb14ab4
                                  • Opcode Fuzzy Hash: f071b2ed50f3f14d1dd969d1dfacf692b4ea39867d17c3c73c892bb6a25d8d0d
                                  • Instruction Fuzzy Hash: E5912B31A10215DFDB09EBB6E45166D77B2BF89348B108579E812A73A9DF39A812CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C8D53 Relevance: .2, Instructions: 221COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 55bcf659fcefd9d5dc964e53d727d86e7af4245bf823996033517d7ebb0e066f
                                  • Instruction ID: 3335d08e46a86b4f0d7f26bcba326d77738570edcbb16ef97b2f0dfb2407ad87
                                  • Opcode Fuzzy Hash: 55bcf659fcefd9d5dc964e53d727d86e7af4245bf823996033517d7ebb0e066f
                                  • Instruction Fuzzy Hash: 67913D30A10215DFDB0AEB76E45165D77B2BF89348B508579E811A73A9DF39AC12CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C8DA3 Relevance: .2, Instructions: 214COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 14d3beb681836dc088cd23b73565346d66c9af4d42bbbd1a03c3f04331b212c4
                                  • Instruction ID: aecfc962320dd905d4a52d77ef198f5c16e76ccb741259e6c302f10808e9cce9
                                  • Opcode Fuzzy Hash: 14d3beb681836dc088cd23b73565346d66c9af4d42bbbd1a03c3f04331b212c4
                                  • Instruction Fuzzy Hash: BF814D30B10215DFDB0AEB76E45166D77B2BF89308B508679E811A73A9DF39AC12CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C8E25 Relevance: .2, Instructions: 193COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a257d1c8f7154269cad79ad5da91d6742a696c7d64324a51f481f70ae4acaade
                                  • Instruction ID: 29332ea6485aa7a136be18e8d8d2a304dea660da093b88bd1b38e9dd6c82b38c
                                  • Opcode Fuzzy Hash: a257d1c8f7154269cad79ad5da91d6742a696c7d64324a51f481f70ae4acaade
                                  • Instruction Fuzzy Hash: 9C714E30B10214DFDB0AAB76E45166D77B2BF89318B50867AE811973A9DF39EC12CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C3DCC Relevance: .2, Instructions: 193COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 113db835f9838f9789bd0f8c1afd47e16bc4b0567c33b4ebe9ce6c712ad9a1f2
                                  • Instruction ID: f06d385d2db0c67f8f424c06f79b689bdd88ddf2ed8bea2ae42c4069f194d648
                                  • Opcode Fuzzy Hash: 113db835f9838f9789bd0f8c1afd47e16bc4b0567c33b4ebe9ce6c712ad9a1f2
                                  • Instruction Fuzzy Hash: ACA1F534A10228CFDB25EF75D955AECB7B2FB49304F1046A9D809A7369DB359E81CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C39BF Relevance: .2, Instructions: 182COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5137309b57ac27fdd45599db24fe9178a57e3798b75c05f8538d186857a4514c
                                  • Instruction ID: cb971170bd1382a593f2036297c7dff047cbab5b9b41ecfd0881d0f7081237d1
                                  • Opcode Fuzzy Hash: 5137309b57ac27fdd45599db24fe9178a57e3798b75c05f8538d186857a4514c
                                  • Instruction Fuzzy Hash: E0819F30A00268CFDB14EFB4D851BEDB7B2BF85308F0085A9D509AB2A9DB799D45CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C717B Relevance: .2, Instructions: 153COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e0bf9491117cc7638d05f0eae0fa1094f73285a34208c3a4561dbd621b7d8b67
                                  • Instruction ID: e2cf3f55e3f6dc7b6743f027a26ef6ffe357ed476f245ec032a91ce44906cdb1
                                  • Opcode Fuzzy Hash: e0bf9491117cc7638d05f0eae0fa1094f73285a34208c3a4561dbd621b7d8b67
                                  • Instruction Fuzzy Hash: E651E4306043518BDB25DB36A8047AD3BE2FB46314F5882ADE452EB2D6DB39D946CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C8F15 Relevance: .1, Instructions: 146COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 32e75ba814b1bb9c94a6bcc3b4a2fec81938d35d12bfabac4e6e0aa59ab8fafa
                                  • Instruction ID: f5d50dcedb9f40ddb4a6acae1e54061a3dfaa3bc10a8d66313a78435ef71b683
                                  • Opcode Fuzzy Hash: 32e75ba814b1bb9c94a6bcc3b4a2fec81938d35d12bfabac4e6e0aa59ab8fafa
                                  • Instruction Fuzzy Hash: D351A330B102159FDB19EB76F45166D77A2BF98358F108939E815A73A9DF39EC02CB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C756E Relevance: .1, Instructions: 137COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a7ce90357e94927c287466567175847a108ba8074ada2ab44bc0caaf0ef93587
                                  • Instruction ID: 68d00401080a38563d5f52aa9ba97c32b0e2fdc0883bd32fb61c5a8fa1116c5d
                                  • Opcode Fuzzy Hash: a7ce90357e94927c287466567175847a108ba8074ada2ab44bc0caaf0ef93587
                                  • Instruction Fuzzy Hash: EA41C5306042118BEB25DF36A8017AD3AE2FF46354F5886ADE452EB2D5DF39D906CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C3B18 Relevance: .1, Instructions: 111COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 53ff4d8c6766d8287a31e3d2e15646cc69feff1a94b93df0f712bb21058254ed
                                  • Instruction ID: 3b4c708788eac92918df695be68450ada7406e92171d2df8a426011c27b51019
                                  • Opcode Fuzzy Hash: 53ff4d8c6766d8287a31e3d2e15646cc69feff1a94b93df0f712bb21058254ed
                                  • Instruction Fuzzy Hash: 72417A30A002688FDB14EFB5D955BECB7F2BF49308F0045AAD009AB2A5DB799E44CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C0958 Relevance: .1, Instructions: 109COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b8698732feee1f0841c1c682677e5ff97f24e07508f275ac87deb36e7290be3d
                                  • Instruction ID: ee288a9f4acf3fbfba0f05b56f5d2e5fabdc3e12d0eae57a803e8efdfeda7563
                                  • Opcode Fuzzy Hash: b8698732feee1f0841c1c682677e5ff97f24e07508f275ac87deb36e7290be3d
                                  • Instruction Fuzzy Hash: 1331D3317112118FDB04BB76D8267BE36A6EB98208F1144399405D77A9EF79CC16CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C94F0 Relevance: .1, Instructions: 107COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 17a1cb60e36bca081aaacfe94a3f1647be50d94cce7ca66176546582d8d6f45c
                                  • Instruction ID: 5034bb83061a53f307b48e3272b59d688f0d3df19c08ba7a1733d3a3688a234f
                                  • Opcode Fuzzy Hash: 17a1cb60e36bca081aaacfe94a3f1647be50d94cce7ca66176546582d8d6f45c
                                  • Instruction Fuzzy Hash: 7131DC30B002059FDB04DB75E854BAEBBE6BF8A314F1485B9E405EB3A1DF70A8058B90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C00B8 Relevance: .1, Instructions: 98COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb03a19ecd8471b8e6ebfa58b1eb7712395c8491d6aec91861a5a8aabf3c3e0d
                                  • Instruction ID: bd42a4da46ec0afa50bc28db4a219aef41ac26309dd8ccbc6bb47243406cd5d7
                                  • Opcode Fuzzy Hash: fb03a19ecd8471b8e6ebfa58b1eb7712395c8491d6aec91861a5a8aabf3c3e0d
                                  • Instruction Fuzzy Hash: C43138327043509FD706E77598117AE3BA7AF93218F1484AAD041CF296DF7E9C068391
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C0118 Relevance: .1, Instructions: 61COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8b607acf49705d6b89aca45287bf458b0c98f23ae6be3580265d64a34e457ba0
                                  • Instruction ID: 501c9071195da406a2773647187e757e6bad9f5a8db2381ba54b12cb8b26e8f6
                                  • Opcode Fuzzy Hash: 8b607acf49705d6b89aca45287bf458b0c98f23ae6be3580265d64a34e457ba0
                                  • Instruction Fuzzy Hash: 5A11E9327003518FD706E77AA4517AD379BABE72187544869D041CF366CF6EDC0687A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 058D1F4C Relevance: .1, Instructions: 60COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488794732.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_58d0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ec51142f1f857550a4fbdd2681d4c34769067744c1b63a395ef598de0a9c3343
                                  • Instruction ID: c3c0853a40411a70a8ef89b24e8d56a007ed81354cb11299c1af189a05eea1a5
                                  • Opcode Fuzzy Hash: ec51142f1f857550a4fbdd2681d4c34769067744c1b63a395ef598de0a9c3343
                                  • Instruction Fuzzy Hash: 1811BAB5908341AFD340CF19D840A5BFBE4FB98664F048D5EF998D7311D235E9148FA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00EB0814 Relevance: .1, Instructions: 59COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484372135.0000000000EB0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_eb0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0e58c7b66eb9c7e50c96d4a63bc5e73c2d407a6c615ecbd2807e875577f53f3b
                                  • Instruction ID: f1d47c4a1b4c7d19fae12a39a6af693ef3d2ffc042030a1224837e914cc235bc
                                  • Opcode Fuzzy Hash: 0e58c7b66eb9c7e50c96d4a63bc5e73c2d407a6c615ecbd2807e875577f53f3b
                                  • Instruction Fuzzy Hash: 5011E4306042809FC719CB10D540FA7B7A5AB9970CF24C9ACE4492BB43C77BE952CA81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C0006 Relevance: .1, Instructions: 58COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 86d26bf89df4fca765c3a6c719ae09cc3a8ae52fcf58508feff9c2a22813475a
                                  • Instruction ID: ef1d7414323c1151e4246e0e20c9c83c198a71d616f6434b74864c5bb76328a0
                                  • Opcode Fuzzy Hash: 86d26bf89df4fca765c3a6c719ae09cc3a8ae52fcf58508feff9c2a22813475a
                                  • Instruction Fuzzy Hash: 88117E7144E3C18FCB039BB498686803FB0AF67218B0B55D7C080CF1A7D6AC591AEB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C9210 Relevance: .1, Instructions: 58COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4ef4f0e6b8f1c059aea10ed6183fdfe9a54184ca4509835777016dae5aa2177e
                                  • Instruction ID: c7f5b8e2bbef57547d8a878fce8a6e320801c161ae21fa9e6c264e8d02491551
                                  • Opcode Fuzzy Hash: 4ef4f0e6b8f1c059aea10ed6183fdfe9a54184ca4509835777016dae5aa2177e
                                  • Instruction Fuzzy Hash: EC110231F002198FCF84EBB898001ADB7F6EF89388B100179C805E7365EB319D46CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00EB07DE Relevance: .1, Instructions: 57COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484372135.0000000000EB0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_eb0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 14f8a642eef8f5e4d665e3b9add3d579c06d3efd286faed72ee6f7b993c24e0e
                                  • Instruction ID: 78612ff5e2566f5f2c83f2dabd54af51b418460ecdf21d10a1cb600ca24e7f51
                                  • Opcode Fuzzy Hash: 14f8a642eef8f5e4d665e3b9add3d579c06d3efd286faed72ee6f7b993c24e0e
                                  • Instruction Fuzzy Hash: 59219F315093C08FC707CB24D950B52BFB1AF4B318F1986DAD4885BAA3C73A9906CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0101B0B4 Relevance: .1, Instructions: 52COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484518849.000000000101A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_101a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d926ad7d3387aa583c9cfffcc5acd1c445e683c60d5a33ca386e276b1eb6a5fa
                                  • Instruction ID: db1394d7fcab9d26fc722a4e485e030e75ffcce9b34025d1a1c6ce12289117e5
                                  • Opcode Fuzzy Hash: d926ad7d3387aa583c9cfffcc5acd1c445e683c60d5a33ca386e276b1eb6a5fa
                                  • Instruction Fuzzy Hash: D911A8B5908301AFD350CF09D841A5BFBE8EB98660F048D1EF95997311D275E9088BA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 058D1DF0 Relevance: .1, Instructions: 52COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488794732.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_58d0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f1ef9d858df6c18d7185988e09e92d247a1394f0712f01299733961244478523
                                  • Instruction ID: f31a9d1c5caaf3a0d4163e99e7464adf657cd478d77afefe0df0f0b4c1139892
                                  • Opcode Fuzzy Hash: f1ef9d858df6c18d7185988e09e92d247a1394f0712f01299733961244478523
                                  • Instruction Fuzzy Hash: 4811BAB5908301AFD750CF09DC81E5BFBE8EB98660F048D1EF95997311D275E9088FA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00EB05E0 Relevance: .0, Instructions: 44COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484372135.0000000000EB0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_eb0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0425f10f2736490670b6a841b463077e53293098e5f427c182dcde8d5ba7d5d7
                                  • Instruction ID: 4801dbb71e9f2eec15099d93f5992f3aa351e22fc730dd745851b22bf38ef4ac
                                  • Opcode Fuzzy Hash: 0425f10f2736490670b6a841b463077e53293098e5f427c182dcde8d5ba7d5d7
                                  • Instruction Fuzzy Hash: B201F9B65093806FD701CF069C40863FFECDF86620B08C4AFFD498B652D225A808CBB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C0878 Relevance: .0, Instructions: 40COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3c42647d010d1f3082ef24c2550e9dfeda6cf22db998a941b5fdc254dce0d643
                                  • Instruction ID: ab9f32e283cea897305396ed22aae745667f8cb549d7fd6915a3532ca77d10cf
                                  • Opcode Fuzzy Hash: 3c42647d010d1f3082ef24c2550e9dfeda6cf22db998a941b5fdc254dce0d643
                                  • Instruction Fuzzy Hash: 400139346163828FD701FB74D55849D7BE1EFD5208B00882CE4C5CB35AEB788815CB42
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C00A8 Relevance: .0, Instructions: 40COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0c9237dc5d9a1d5c0eee3eb36f42859c1d6a8dfc5acabf93915b7678e8ca3abb
                                  • Instruction ID: cfa432145d8adf73bb3eaaf7f160517d2a8a0bc368917b9fcf4f4d6ffb94b847
                                  • Opcode Fuzzy Hash: 0c9237dc5d9a1d5c0eee3eb36f42859c1d6a8dfc5acabf93915b7678e8ca3abb
                                  • Instruction Fuzzy Hash: 1FF0FC31A40304AFEB04DB70C8127EE7BB2EF82714F1085BED545DB1D5DA354942CB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00EB08D0 Relevance: .0, Instructions: 31COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484372135.0000000000EB0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_eb0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5b458bdb37eee74dda7414f63ab3821ab480e09a946024a3a034b09db3e5cf66
                                  • Instruction ID: 01b87e6718582f0b0a03999500d6e033509ae10870c6d5c09603f56039f1bb67
                                  • Opcode Fuzzy Hash: 5b458bdb37eee74dda7414f63ab3821ab480e09a946024a3a034b09db3e5cf66
                                  • Instruction Fuzzy Hash: 96F01D35104644DFC715CF04D580B56FBA2EB89718F24CAADE94917B52C737E913DB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00EB0606 Relevance: .0, Instructions: 27COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484372135.0000000000EB0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_eb0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8c63db333d1b49a44a7f82e522e525e19a6d6175679ac1e03d23373753d6fb50
                                  • Instruction ID: 6c782b781885c4551402b9c3078abb81056c0c990c52c3929bb0f3230cb22ceb
                                  • Opcode Fuzzy Hash: 8c63db333d1b49a44a7f82e522e525e19a6d6175679ac1e03d23373753d6fb50
                                  • Instruction Fuzzy Hash: B9E092B6A046008BD750CF0BEC41462F7D8EF88630708C47FDC0D8B711D235B508CAA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0101B103 Relevance: .0, Instructions: 26COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484518849.000000000101A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_101a000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eca679b85f092445d297455603c44cd7609105b2c9d8b3786e4f821255ada9e1
                                  • Instruction ID: f6dbc8292ba19374db6653026de61de0b4fdf57b055951d25f10d3d9be0936ca
                                  • Opcode Fuzzy Hash: eca679b85f092445d297455603c44cd7609105b2c9d8b3786e4f821255ada9e1
                                  • Instruction Fuzzy Hash: 58E0DFB29402046BD210CF06AC46F62FB9CDB50A30F08C96BEE08AB712E172B504CAF1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 058D1FB7 Relevance: .0, Instructions: 26COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488794732.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_58d0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a86adfcd03e4613793e751b87ecb31ce8ff955259cf7d0d80bf03d8d674041a8
                                  • Instruction ID: d7c886a38029d70b5af4a3ba1d2637672bb7d3a2d001392262d78ad441284039
                                  • Opcode Fuzzy Hash: a86adfcd03e4613793e751b87ecb31ce8ff955259cf7d0d80bf03d8d674041a8
                                  • Instruction Fuzzy Hash: 79E0DFB29403006BD310CF06AC46F62FB9CDB94A30F08C86BFD085B742E172B5188AF1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 058D1E3F Relevance: .0, Instructions: 26COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488794732.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_58d0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b6bae1006726f300917c856e608b74f81ec313e69eaf5df5c1ea0854f6678d39
                                  • Instruction ID: b2c5b5e22490de3cccafd62c4cff77dc9f3673d22bc30db06a4b371bea7ab7c2
                                  • Opcode Fuzzy Hash: b6bae1006726f300917c856e608b74f81ec313e69eaf5df5c1ea0854f6678d39
                                  • Instruction Fuzzy Hash: BEE0DFB29003046BD250DF06AC86F63FB9CDB50A30F08C96BFE085B712E172B5048AF1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 058D1863 Relevance: .0, Instructions: 26COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488794732.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_58d0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4c02321a2863e1edf1d80b269f5fb10bd0903ab8b9fca3def52d7bb6546d0156
                                  • Instruction ID: da98278eefb4408df892ffffeb06b83ae64a05705cea61aea918d841fe4379e8
                                  • Opcode Fuzzy Hash: 4c02321a2863e1edf1d80b269f5fb10bd0903ab8b9fca3def52d7bb6546d0156
                                  • Instruction Fuzzy Hash: 1EE0D8B290020067D210DF069C46F63FB9CDB50930F08C857FD085B712D172B514C9F1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C4200 Relevance: .0, Instructions: 21COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 632a482aac1680524d024f022a09a948393e938808ddeb7b3f11c07bd120d8d4
                                  • Instruction ID: 079d6ee02ffd030645d0e9fe89dbe9be9b7008f4796b623f6e3fe2093b12b946
                                  • Opcode Fuzzy Hash: 632a482aac1680524d024f022a09a948393e938808ddeb7b3f11c07bd120d8d4
                                  • Instruction Fuzzy Hash: 23E0CD7191A348DFC705DF78CD118987BB4DB16318B0100EBD444C7261FA365E05CB53
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C36A8 Relevance: .0, Instructions: 21COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3066809665a9be945193d2f636a7b8ac006e4edece48e7db3e8de8b463ee0f4b
                                  • Instruction ID: f84b3d4c7e22177e36890ffef67bf37ea00b2bcc5954885b1fd9a5fc3cf29d1c
                                  • Opcode Fuzzy Hash: 3066809665a9be945193d2f636a7b8ac006e4edece48e7db3e8de8b463ee0f4b
                                  • Instruction Fuzzy Hash: A6E0EC71156344CFCB262B3890185983775EB567093D104FEC4958B66AEA7B9C83CB11
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C9389 Relevance: .0, Instructions: 19COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ec5604e2824bcc20dd178a5de4199f4beab53dfa3d1220b2c17c4ead8a632cc0
                                  • Instruction ID: 81014aa1777d439e6051b390d64e8589377fa7eff802c15470912dd0a50d1e4c
                                  • Opcode Fuzzy Hash: ec5604e2824bcc20dd178a5de4199f4beab53dfa3d1220b2c17c4ead8a632cc0
                                  • Instruction Fuzzy Hash: 38E0C2311083508FC3426B38D4148967BF8EF0A224B5244EAE084CB123EA328C048BE1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C94AF Relevance: .0, Instructions: 16COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9a0b5c5df195fcdb5b27c3e57a2a169e5da73c6a23f844593b5d8d8ed200a278
                                  • Instruction ID: dc87dc8064ba974081b0da2376fa1c62f76da67a9eb4514e9f1cb9574a4cdd08
                                  • Opcode Fuzzy Hash: 9a0b5c5df195fcdb5b27c3e57a2a169e5da73c6a23f844593b5d8d8ed200a278
                                  • Instruction Fuzzy Hash: 02E0127070938C9FCB529BB1D9150DC7FB49A03211B1004EED845D7162EA692E14CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 010023F4 Relevance: .0, Instructions: 15COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484456446.0000000001002000.00000040.00000800.00020000.00000000.sdmp, Offset: 01002000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1002000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7a0581e23ebaf4d906993f6ff3fcecc4e1e081f0f33c0bd88bd85d1024229788
                                  • Instruction ID: 67bc7d6b5aac60202fcaa9ff6ad5443d12257056cae1b6c88495717845a8b138
                                  • Opcode Fuzzy Hash: 7a0581e23ebaf4d906993f6ff3fcecc4e1e081f0f33c0bd88bd85d1024229788
                                  • Instruction Fuzzy Hash: EBD05E792056C14FF3179A1CC2A8B963BE4AB61714F4B44F9AC408B7A3CB69D5D1D600
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C4210 Relevance: .0, Instructions: 14COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aa997279d710a549293d22b382cda429538b5569c50984ed00e75609c768312c
                                  • Instruction ID: 7856ee3713dbc82a895368e56696e72bdf5dfe1f26de99890b7f0a473fddc9a2
                                  • Opcode Fuzzy Hash: aa997279d710a549293d22b382cda429538b5569c50984ed00e75609c768312c
                                  • Instruction Fuzzy Hash: E1D0C971A15208EF8744DFA8D91189DB7F9EB49319B1041AAA809D3750EF365E04DB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 010023BC Relevance: .0, Instructions: 14COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4484456446.0000000001002000.00000040.00000800.00020000.00000000.sdmp, Offset: 01002000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1002000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a8fd56ce3d2630f59f8a5630fcceebb86541f3e5b823d123f921c54b432d5ba1
                                  • Instruction ID: 5b1a5af6696390059e70470a0cf48ebe68bfc245e1f2dbbd2ba99d462c4c6ce9
                                  • Opcode Fuzzy Hash: a8fd56ce3d2630f59f8a5630fcceebb86541f3e5b823d123f921c54b432d5ba1
                                  • Instruction Fuzzy Hash: 03D05E342002814BEB16DA0CD6D9F597BD8AB50B14F0684E8AC508B7A2C7B4D8C0CA00
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C9398 Relevance: .0, Instructions: 12COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 324bd9ba8aec4fcdf2c5b4dbaaef0413ba3e70bf3f160ccef13586056dcf9e4e
                                  • Instruction ID: 8a8d55cd919ad0e085ddd06def72360fb96378ecdcef78ba2ce6399ab841d3f5
                                  • Opcode Fuzzy Hash: 324bd9ba8aec4fcdf2c5b4dbaaef0413ba3e70bf3f160ccef13586056dcf9e4e
                                  • Instruction Fuzzy Hash: 4AC08C322001148BC610AB7CE004D96B7ECEF4D124B1144BAE248C7321CE72AC0047E0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Function 050C499D Relevance: 2.7, Strings: 1, Instructions: 1447COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: 5e06fbf8fadcc749bf0e908c43f53da284d6de3c8ecfb92f266a8951f5143cc0
                                  • Instruction ID: 7a3ff1b5894be63a154285de26859c9bccd042da655d22d87b4a44872b3652af
                                  • Opcode Fuzzy Hash: 5e06fbf8fadcc749bf0e908c43f53da284d6de3c8ecfb92f266a8951f5143cc0
                                  • Instruction Fuzzy Hash: 31F24B74A11228CFDB25EF35D864BADB7B1BB89304F1042EAD909673A5DB359E81CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C49F9 Relevance: 2.7, Strings: 1, Instructions: 1440COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: 3f647cf5fd01dada271aebbdd161e16ede22b15fc708f9238b07a30cd4b36474
                                  • Instruction ID: a503cb1de6141f7539ea92dc9f701fd41b5357c7fd07f8b4716288335bc3251c
                                  • Opcode Fuzzy Hash: 3f647cf5fd01dada271aebbdd161e16ede22b15fc708f9238b07a30cd4b36474
                                  • Instruction Fuzzy Hash: F7F24B74A11228CFDB25EF35D864BADB7B1BB89304F1042EAD909673A5DB359E81CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 050C4B5B Relevance: 2.6, Strings: 1, Instructions: 1383COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4488068949.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_50c0000_En3e396wX1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: ed45c0b4785caaa3247a84865346f7b9076e802f3c5be11c306443e402cb1c83
                                  • Instruction ID: 51e86ce3214656cef336fb9790fa6075f6a201f3a6d19909f6f12f16f6682cf2
                                  • Opcode Fuzzy Hash: ed45c0b4785caaa3247a84865346f7b9076e802f3c5be11c306443e402cb1c83
                                  • Instruction Fuzzy Hash: 14E24C74A11228CFDB25EF35D864BADB7B1BB89304F1042EAD909673A5DB359E81CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%