Windows Analysis Report 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe

Overview

General Information

Sample Name: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
Analysis ID: 553248
MD5: 70aca878bfaac1eaf7019eddd97fc877
SHA1: 4997c055b582c71cbb3863c9523986b51a339797
SHA256: 72ca3e2f8479a075c8e089f543f79c4f1cf868d66d3272b2e6b0f0fded1bdb60
Tags: exe, njrat, RAT

Detection

njRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: Drops fake system file at system root drive
Multi AV Scanner detection for submitted file
Detected njRat
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Connects to many ports of the same IP (likely port scanning)
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Modifies the windows firewall
Creates autorun.inf (USB autostart)
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
May infect USB drives
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)
Sigma detected: Netsh Port or Application Allowed
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe (PID: 6756 cmdline: "C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe" MD5: 70ACA878BFAAC1EAF7019EDDD97FC877)
    • System.exe (PID: 5628 cmdline: "C:\Users\user\AppData\Roaming\System.exe" MD5: 70ACA878BFAAC1EAF7019EDDD97FC877)
      • netsh.exe (PID: 2976 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 1876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • System.exe (PID: 6172 cmdline: "C:\Users\user\AppData\Roaming\System.exe" .. MD5: 70ACA878BFAAC1EAF7019EDDD97FC877)
  • System.exe (PID: 6964 cmdline: "C:\Users\user\AppData\Roaming\System.exe" .. MD5: 70ACA878BFAAC1EAF7019EDDD97FC877)
  • System.exe (PID: 5224 cmdline: "C:\Users\user\AppData\Roaming\System.exe" .. MD5: 70ACA878BFAAC1EAF7019EDDD97FC877)
  • cleanup

Malware Configuration

Threatname: Njrat

{"Host": "System.exe", "Port": "13467", "Mutex": "9156ea52d892a71a5c604fdd4141de82", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Campaign ID": "HacKed", "Version": "im523", "Network Seprator": "|'|'|"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
  • 0x80de:$a1: netsh firewall add allowedprogram
  • 0x82d8:$b1: [TAP]
  • 0x827e:$b2: & exit
  • 0x824a:$c1: md.exe /k ping 0 & del

Dropped Files

Source | Rule | Description | Author | Strings
C:\svchost.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
C:\svchost.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
  • 0x80de:$a1: netsh firewall add allowedprogram
  • 0x82d8:$b1: [TAP]
  • 0x827e:$b2: & exit
  • 0x824a:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Roaming\System.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
C:\Users\user\AppData\Roaming\System.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
  • 0x80de:$a1: netsh firewall add allowedprogram
  • 0x82d8:$b1: [TAP]
  • 0x827e:$b2: & exit
  • 0x824a:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
  • 0x7ede:$a1: netsh firewall add allowedprogram
  • 0x80d8:$b1: [TAP]
  • 0x807e:$b2: & exit
  • 0x804a:$c1: md.exe /k ping 0 & del
0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
  • 0x7ede:$a1: netsh firewall add allowedprogram
  • 0x80d8:$b1: [TAP]
  • 0x807e:$b2: & exit
  • 0x804a:$c1: md.exe /k ping 0 & del
0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.0.System.exe.c70000.1.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
4.0.System.exe.c70000.1.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
  • 0x80de:$a1: netsh firewall add allowedprogram
  • 0x82d8:$b1: [TAP]
  • 0x827e:$b2: & exit
  • 0x824a:$c1: md.exe /k ping 0 & del
9.2.System.exe.f50000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |
9.2.System.exe.f50000.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter |
  • 0x80de:$a1: netsh firewall add allowedprogram
  • 0x82d8:$b1: [TAP]
  • 0x827e:$b2: & exit
  • 0x824a:$c1: md.exe /k ping 0 & del
4.0.System.exe.c70000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Netsh Port or Application Allowed
Source: Process started; Author: Markus Neis, Sander Wiebing; Data: Command: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE, CommandLine: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE, CommandLine|base64offset|contains: l, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\System.exe", ParentImage: C:\Users\user\AppData\Roaming\System.exe, ParentProcessId: 5628, ProcessCommandLine: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE, ProcessId: 2976

HIPS / PFW / Operating System Protection Evasion:

Sigma detected: Drops fake system file at system root drive
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\System.exe, ProcessId: 5628, TargetFilename: C:\svchost.exe

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, Malware Configuration Extractor: Njrat {"Host": "System.exe", "Port": "13467", "Mutex": "9156ea52d892a71a5c604fdd4141de82", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Campaign ID": "HacKed", "Version": "im523", "Network Seprator": "|'|'|"}
Multi AV Scanner detection for submitted file
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Virustotal: Detection: 77%
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Metadefender: Detection: 85%
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, ReversingLabs: Detection: 95%
Yara detected Njrat
Source: Yara match, File source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE
Source: Yara match, File source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe PID: 6756, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: System.exe PID: 5628, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: System.exe PID: 6172, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: System.exe PID: 6964, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: System.exe PID: 5224, type: MEMORYSTR
Source: Yara match, File source: C:\svchost.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED
Antivirus / Scanner detection for submitted sample
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Avira: detected
Multi AV Scanner detection for domain / URL
Source: 0.tcp.ngrok.io, Virustotal: Detection: 13%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\System.exe, Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\svchost.exe, Avira: detection malicious, Label: TR/ATRAPS.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, Virustotal: Detection: 77%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, Metadefender: Detection: 85%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\System.exe, Virustotal: Detection: 77%
Source: C:\Users\user\AppData\Roaming\System.exe, Metadefender: Detection: 85%
Source: C:\Users\user\AppData\Roaming\System.exe, ReversingLabs: Detection: 95%
Source: C:\svchost.exe, Virustotal: Detection: 77%
Source: C:\svchost.exe, Metadefender: Detection: 85%
Source: C:\svchost.exe, ReversingLabs: Detection: 95%
Machine Learning detection for sample
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\System.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, Joe Sandbox ML: detected
Source: C:\svchost.exe, Joe Sandbox ML: detected
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 9.0.System.exe.f50000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 4.0.System.exe.c70000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 4.2.System.exe.c70000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 4.0.System.exe.c70000.2.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 4.0.System.exe.c70000.3.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 12.0.System.exe.510000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 4.0.System.exe.c70000.1.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 11.0.System.exe.50000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 12.2.System.exe.510000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 11.2.System.exe.50000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 9.2.System.exe.f50000.0.unpack, Avira: Label: TR/ATRAPS.Gen
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Spreading:

Creates autorun.inf (USB autostart)
Source: C:\Users\user\AppData\Roaming\System.exe, File created: C:\autorun.inf
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Binary or memory string: [autorun]
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Binary or memory string: autorun.inf
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000002.319591229.0000000002DE4000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000002.319591229.0000000002DE4000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, Binary or memory string: autorun.inf
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, Binary or memory string: [autorun]
Source: System.exe, Binary or memory string: [autorun]
Source: System.exe, Binary or memory string: autorun.inf
Source: System.exe, 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, Binary or memory string: autorun.inf
Source: System.exe, 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, Binary or memory string: [autorun]
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: System.exe, Binary or memory string: [autorun]
Source: System.exe, Binary or memory string: autorun.inf
Source: System.exe, 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, Binary or memory string: autorun.inf
Source: System.exe, 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, Binary or memory string: [autorun]
Source: System.exe, Binary or memory string: autorun.inf
Source: System.exe, Binary or memory string: [autorun]
Source: System.exe, 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, Binary or memory string: autorun.inf
Source: System.exe, 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, Binary or memory string: [autorun]
Source: System.exe, Binary or memory string: autorun.inf
Source: System.exe, Binary or memory string: [autorun]
Source: System.exe, 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, Binary or memory string: autorun.inf
Source: System.exe, 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, Binary or memory string: [autorun]
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Binary or memory string: autorun.inf
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Binary or memory string: [autorun]
Source: System.exe.0.dr, Binary or memory string: autorun.inf
Source: System.exe.0.dr, Binary or memory string: [autorun]
Source: autorun.inf.4.dr, Binary or memory string: [autorun]
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, Binary or memory string: autorun.inf
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, Binary or memory string: [autorun]
Source: svchost.exe.4.dr, Binary or memory string: autorun.inf
Source: svchost.exe.4.dr, Binary or memory string: [autorun]

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49753 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49754 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49755 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49758 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49759 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49760 -> 3.13.191.225:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49761 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49762 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49763 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49765 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49767 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49770 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49771 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49773 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49778 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49799 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49803 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49813 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49816 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49818 -> 3.134.125.175:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49819 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49820 -> 3.17.7.232:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49821 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49822 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49823 -> 3.134.125.175:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49825 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49826 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49840 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49851 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49852 -> 3.134.125.175:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49857 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49858 -> 3.134.125.175:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49859 -> 3.13.191.225:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49860 -> 3.13.191.225:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49861 -> 3.134.125.175:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49862 -> 3.14.182.203:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49864 -> 3.134.125.175:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49865 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49866 -> 3.22.30.40:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49867 -> 3.13.191.225:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49868 -> 3.13.191.225:13467
Source: Traffic, Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.3:49869 -> 3.22.30.40:13467
Connects to many ports of the same IP (likely port scanning)
Source: global traffic, TCP traffic: 3.134.125.175 ports 1,3,4,6,7,13467
Source: global traffic, TCP traffic: 3.17.7.232 ports 1,3,4,6,7,13467
Source: global traffic, TCP traffic: 3.22.30.40 ports 1,3,4,6,7,13467
Source: global traffic, TCP traffic: 3.14.182.203 ports 1,3,4,6,7,13467
Source: global traffic, TCP traffic: 3.13.191.225 ports 1,3,4,6,7,13467
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: System.exe
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: Joe Sandbox View, IP Address: 3.134.125.175
Source: Joe Sandbox View, IP Address: 3.17.7.232
Source: global traffic, TCP traffic: 192.168.2.3:49753 -> 3.17.7.232:13467
Source: global traffic, TCP traffic: 192.168.2.3:49759 -> 3.14.182.203:13467
Source: global traffic, TCP traffic: 192.168.2.3:49760 -> 3.13.191.225:13467
Source: global traffic, TCP traffic: 192.168.2.3:49765 -> 3.22.30.40:13467
Source: global traffic, TCP traffic: 192.168.2.3:49818 -> 3.134.125.175:13467
Source: System.exe, System.exe, 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, System.exe.0.dr, 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, svchost.exe.4.dr, String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0
Source: unknown, DNS traffic detected: queries for: 0.tcp.ngrok.io

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, kl.cs, .Net Code: VKCodeToUnicode
Source: System.exe.0.dr, kl.cs, .Net Code: VKCodeToUnicode
Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, kl.cs, .Net Code: VKCodeToUnicode
Source: svchost.exe.4.dr, kl.cs, .Net Code: VKCodeToUnicode
Source: 4.0.System.exe.c70000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 4.2.System.exe.c70000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 4.0.System.exe.c70000.2.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 4.0.System.exe.c70000.3.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 4.0.System.exe.c70000.1.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 9.0.System.exe.f50000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 9.2.System.exe.f50000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 11.0.System.exe.50000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 11.2.System.exe.50000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 12.0.System.exe.510000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 12.2.System.exe.510000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000002.319389313.0000000000E8B000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

                      Yara detected Njrat
                      Source: Yara match | File source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE
                      Source: Yara match | File source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe PID: 6756, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: System.exe PID: 5628, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: System.exe PID: 6172, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: System.exe PID: 6964, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: System.exe PID: 5224, type: MEMORYSTR
                      Source: Yara match | File source: C:\svchost.exe, type: DROPPED
                      Source: Yara match | File source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED
                      Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED

                      Operating System Destruction:

                      Protects its processes via BreakOnTermination flag
                      Source: C:\Users\user\AppData\Roaming\System.exe | Process information set: 01 00 00 00

                      System Summary:

                      Malicious sample detected (through community Yara rule)
                      Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: C:\svchost.exe, type: DROPPED | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                      Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: C:\svchost.exe, type: DROPPED | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Code function: 0_2_00846B5E
                      Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 4_2_00C76B5E
                      Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 9_2_00F56B5E
                      Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 11_2_00056B5E
                      Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 12_2_00516B5E
                      Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 4_2_057E026A NtQuerySystemInformation
                      Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 4_2_057E0032 NtSetInformationProcess
                      Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 4_2_057E022F NtQuerySystemInformation
                      Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 4_2_057E0007 NtSetInformationProcess
                      Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, 00000000.00000002.319389313.0000000000E8B000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
                      Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Virustotal: Detection: 77%
                      Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Metadefender: Detection: 85%
                      Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | ReversingLabs: Detection: 95%
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | File read: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
                      Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe "C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe"
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Process created: C:\Users\user\AppData\Roaming\System.exe "C:\Users\user\AppData\Roaming\System.exe"
                      Source: C:\Users\user\AppData\Roaming\System.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE
                      Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\System.exe "C:\Users\user\AppData\Roaming\System.exe" ..
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Process created: C:\Users\user\AppData\Roaming\System.exe "C:\Users\user\AppData\Roaming\System.exe"
                      Source: C:\Users\user\AppData\Roaming\System.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | File created: C:\Users\user\AppData\Roaming\System.exe
                      Source: classification engine | Classification label: mal100.spre.troj.adwa.spyw.evad.winEXE@9/10@42/6
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Users\user\AppData\Roaming\System.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\System.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Users\user\AppData\Roaming\System.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1876:120:WilError_01
                      Source: C:\Users\user\AppData\Roaming\System.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                      Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: System.exe.0.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: svchost.exe.4.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.System.exe.c70000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.2.System.exe.c70000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.System.exe.c70000.2.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.System.exe.c70000.3.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.System.exe.c70000.1.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 9.0.System.exe.f50000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 9.2.System.exe.f50000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 11.0.System.exe.50000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 11.2.System.exe.50000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 12.0.System.exe.510000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 12.2.System.exe.510000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 9_2_016126B0 push edi; ret 9_2_016126C2
                      Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 11_2_009226B0 push edi; ret 11_2_009226C2
                      Source: C:\Users\user\AppData\Roaming\System.exe | Code function: 12_2_00E126B0 push edi; ret 12_2_00E126C2

                      Persistence and Installation Behavior:

                      Drops PE files with benign system names
                      Source: C:\Users\user\AppData\Roaming\System.exe | File created: C:\svchost.exe
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | File created: C:\Users\user\AppData\Roaming\System.exe
                      Source: C:\Users\user\AppData\Roaming\System.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe

                      Boot Survival:

                      Drops PE files to the startup folder
                      Source: C:\Users\user\AppData\Roaming\System.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe
                      Creates autostart registry keys with suspicious names
                      Source: C:\Users\user\AppData\Roaming\System.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 9156ea52d892a71a5c604fdd4141de82
                      Source: C:\Users\user\AppData\Roaming\System.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe
                      Source: C:\Users\user\AppData\Roaming\System.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe\:Zone.Identifier:$DATA
                      Source: C:\Users\user\AppData\Roaming\System.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\System.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 9156ea52d892a71a5c604fdd4141de82Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\System.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 9156ea52d892a71a5c604fdd4141de82Jump to behavior
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe TID: 7004 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\System.exe TID: 4192 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\System.exe TID: 5528 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\System.exe TID: 404 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System.exe Window / User API: threadDelayed 4306
                      Source: C:\Users\user\AppData\Roaming\System.exe Process information queried: ProcessInformation
                      Source: System.exe, 00000004.00000002.572270023.00000000012DC000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
                      Source: netsh.exe, 00000006.00000002.342892015.0000000000CC8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\AppData\Roaming\System.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      .NET source code references suspicious native API functions
                      Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: System.exe.0.dr, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: System.exe.0.dr, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: svchost.exe.4.dr, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: svchost.exe.4.dr, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: 4.0.System.exe.c70000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: 4.0.System.exe.c70000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: 4.2.System.exe.c70000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: 4.2.System.exe.c70000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: 4.0.System.exe.c70000.2.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: 4.0.System.exe.c70000.2.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: 4.0.System.exe.c70000.3.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: 4.0.System.exe.c70000.3.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: 4.0.System.exe.c70000.1.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: 4.0.System.exe.c70000.1.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: 9.0.System.exe.f50000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: 9.0.System.exe.f50000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: 9.2.System.exe.f50000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: 9.2.System.exe.f50000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: 11.0.System.exe.50000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: 11.0.System.exe.50000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: 11.2.System.exe.50000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: 11.2.System.exe.50000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: 12.0.System.exe.510000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: 12.0.System.exe.510000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: 12.2.System.exe.510000.0.unpack, OK.cs Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
                      Source: 12.2.System.exe.510000.0.unpack, kl.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                      Source: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe Process created: C:\Users\user\AppData\Roaming\System.exe "C:\Users\user\AppData\Roaming\System.exe"
                      Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp, System.exe, 00000004.00000002.574069298.0000000003691000.00000004.00000001.sdmp Binary or memory string: program managerH
                      Source: System.exe, 00000004.00000002.572270023.00000000012DC000.00000004.00000020.sdmp Binary or memory string: RhProgram Manager
                      Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp, System.exe, 00000004.00000002.573050015.0000000001AF0000.00000002.00020000.sdmp, System.exe, 00000004.00000002.574069298.0000000003691000.00000004.00000001.sdmp Binary or memory string: Program Manager
                      Source: System.exe, 00000004.00000002.573050015.0000000001AF0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: System.exe, 00000004.00000002.573050015.0000000001AF0000.00000002.00020000.sdmp Binary or memory string: Progman
                      Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp Binary or memory string: Program Managerraq(
                      Source: System.exe, 00000004.00000002.573050015.0000000001AF0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                      Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp Binary or memory string: Program Manager|9
                      Source: System.exe, 00000004.00000002.573266269.0000000003431000.00000004.00000001.sdmp Binary or memory string: Program Manager<
                      Source: C:\Users\user\AppData\Roaming\System.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\System.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Uses netsh to modify the Windows network and firewall settings
                      Source: C:\Users\user\AppData\Roaming\System.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE
                      Modifies the windows firewall
                      Source: C:\Users\user\AppData\Roaming\System.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE

                      Stealing of Sensitive Information:

                      Yara detected Njrat
                      Source: Yara match, File source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, type: SAMPLE
                      Source: Yara match, File source: 4.0.System.exe.c70000.1.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 9.2.System.exe.f50000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 4.0.System.exe.c70000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 11.2.System.exe.50000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 4.2.System.exe.c70000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 4.0.System.exe.c70000.2.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 12.0.System.exe.510000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 4.0.System.exe.c70000.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 12.2.System.exe.510000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 9.0.System.exe.f50000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 11.0.System.exe.50000.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match, File source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe PID: 6756, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: System.exe PID: 5628, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: System.exe PID: 6172, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: System.exe PID: 6964, type: MEMORYSTR
                      Source: Yara match, File source: Process Memory Space: System.exe PID: 5224, type: MEMORYSTR
                      Source: Yara match, File source: C:\svchost.exe, type: DROPPED
                      Source: Yara match, File source: C:\Users\user\AppData\Roaming\System.exe, type: DROPPED
                      Source: Yara match, File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, type: DROPPED

                      Remote Access Functionality:

                      Detected njRat
                      Source: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, OK.cs; .Net Code: njRat config detected
                      Source: System.exe.0.dr, OK.cs; .Net Code: njRat config detected
                      Source: 0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs; .Net Code: njRat config detected
                      Source: 0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack, OK.cs; .Net Code: njRat config detected
                      Source: 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, OK.cs; .Net Code: njRat config detected
                      Source: svchost.exe.4.dr, OK.cs; .Net Code: njRat config detected
                      Source: 4.0.System.exe.c70000.0.unpack, OK.cs; .Net Code: njRat config detected
                      Source: 4.2.System.exe.c70000.0.unpack, OK.cs; .Net Code: njRat config detected
                      Source: 4.0.System.exe.c70000.2.unpack, OK.cs; .Net Code: njRat config detected
                      Source: 4.0.System.exe.c70000.3.unpack, OK.cs; .Net Code: njRat config detected
                      Source: 4.0.System.exe.c70000.1.unpack, OK.cs; .Net Code: njRat config detected
                      Source: 9.0.System.exe.f50000.0.unpack, OK.cs; .Net Code: njRat config detected
                      Source: 9.2.System.exe.f50000.0.unpack, OK.cs; .Net Code: njRat config detected
                      Source: 11.0.System.exe.50000.0.unpack, OK.cs; .Net Code: njRat config detected
                      Source: 11.2.System.exe.50000.0.unpack, OK.cs; .Net Code: njRat config detected
                      Source: 12.0.System.exe.510000.0.unpack, OK.cs; .Net Code: njRat config detected
                      Source: 12.2.System.exe.510000.0.unpack, OK.cs; .Net Code: njRat config detected
                      Yara detected Njrat (same Yara match sources as listed under Stealing of Sensitive Information)

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Replication Through Removable Media 11 | Native API 1 | Registry Run Keys / Startup Folder 221 | Process Injection 12 | Masquerading 11 | Input Capture 11 | Security Software Discovery 11 | Replication Through Removable Media 11 | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 221 | Disable or Modify Tools 21 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 21 | Security Account Manager | Virtualization/Sandbox Evasion 21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | Carrier Billing Fraud |
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Peripheral Device Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 11 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 11 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 12 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

                      Behavior Graph

                      Behavior Graph ID: 553248, Sample: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, Start date: 14/01/2022, Architecture: WINDOWS, Score: 100. Graph nodes: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe (drops C:\Users\user\AppData\Roaming\System.exe, PE32, and its Zone.Identifier stream); System.exe (contacts 0.tcp.ngrok.io, 3.13.191.225 and 3.134.125.175 on port 13467, AMAZON-02US, plus 4 other IPs or domains; drops C:\svchost.exe, C:\...\9156ea52d892a71a5c604fdd4141de82.exe and 2 other malicious files; starts netsh.exe); netsh.exe (starts conhost.exe).

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | 77% | Virustotal |
                      72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | 86% | Metadefender |
                      72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | 95% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
                      72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | 100% | Avira | TR/ATRAPS.Gen
                      72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Roaming\System.exe | 100% | Avira | TR/ATRAPS.Gen
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe | 100% | Avira | TR/ATRAPS.Gen
                      C:\svchost.exe | 100% | Avira | TR/ATRAPS.Gen
                      C:\Users\user\AppData\Roaming\System.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe | 100% | Joe Sandbox ML |
                      C:\svchost.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe | 77% | Virustotal |
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe | 86% | Metadefender |
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe | 95% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
                      C:\Users\user\AppData\Roaming\System.exe | 77% | Virustotal |
                      C:\Users\user\AppData\Roaming\System.exe | 86% | Metadefender |
                      C:\Users\user\AppData\Roaming\System.exe | 95% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
                      C:\svchost.exe | 77% | Virustotal |
                      C:\svchost.exe | 86% | Metadefender |
                      C:\svchost.exe | 95% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      0.0.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                      9.0.System.exe.f50000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                      4.0.System.exe.c70000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                      4.2.System.exe.c70000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                      4.0.System.exe.c70000.2.unpack | 100% | Avira | TR/ATRAPS.Gen
                      4.0.System.exe.c70000.3.unpack | 100% | Avira | TR/ATRAPS.Gen
                      12.0.System.exe.510000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                      0.2.72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.840000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                      4.0.System.exe.c70000.1.unpack | 100% | Avira | TR/ATRAPS.Gen
                      11.0.System.exe.50000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                      12.2.System.exe.510000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                      11.2.System.exe.50000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                      9.2.System.exe.f50000.0.unpack | 100% | Avira | TR/ATRAPS.Gen

                      Domains

                      Source | Detection | Scanner | Label
                      0.tcp.ngrok.io | 14% | Virustotal |

                      URLs

                      Source | Detection | Scanner | Label
                      System.exe | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      0.tcp.ngrok.io | 3.17.7.232 | true | true | | unknown

                      Contacted URLs

                      Name | Malicious | Antivirus Detection | Reputation
                      System.exe | true | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0 | System.exe, System.exe, 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, System.exe.0.dr, 9156ea52d892a71a5c604fdd4141de82.exe.4.dr, svchost.exe.4.dr | false | | high

                        Contacted IPs


                        Public

                        IP | Domain | Country | ASN | ASN Name | Malicious
                        3.134.125.175 | unknown | United States | 16509 | AMAZON-02US | true
                        3.17.7.232 | 0.tcp.ngrok.io | United States | 16509 | AMAZON-02US | true
                        3.22.30.40 | unknown | United States | 16509 | AMAZON-02US | true
                        3.14.182.203 | unknown | United States | 16509 | AMAZON-02US | true
                        3.13.191.225 | unknown | United States | 16509 | AMAZON-02US | true

                        Private

                        IP
                        192.168.2.1

                        General Information

                        Joe Sandbox Version: 34.0.0 Boulder Opal
                        Analysis ID: 553248
                        Start date: 14.01.2022
                        Start time: 14:54:23
                        Joe Sandbox Product: CloudBasic
                        Overall analysis duration: 0h 10m 52s
                        Hypervisor based Inspection enabled: false
                        Report type: full
                        Sample file name: 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
                        Cookbook file name: default.jbs
                        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of new started processes analysed: 27
                        Number of new started drivers analysed: 0
                        Number of existing processes analysed: 0
                        Number of existing drivers analysed: 0
                        Number of injected processes analysed: 0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode: default
                        Analysis stop reason: Timeout
                        Detection: MAL
                        Classification: mal100.spre.troj.adwa.spyw.evad.winEXE@9/10@42/6
                        EGA Information:
                        • Successful, ratio: 80%
                        HDC Information:
                        • Successful, ratio: 11.8% (good quality ratio 7.7%)
                        • Quality average: 46.8%
                        • Quality standard deviation: 38.4%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 160
                        • Number of non-executed functions: 1
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
                        Warnings:
                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 23.211.6.115
                        • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                        • Execution Graph export aborted for target 72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe, PID 6756 because it is empty
                        • Not all processes were analyzed; the report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        Time | Type | Description
                        14:55:43 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 9156ea52d892a71a5c604fdd4141de82 "C:\Users\user\AppData\Roaming\System.exe" ..
                        14:55:51 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 9156ea52d892a71a5c604fdd4141de82 "C:\Users\user\AppData\Roaming\System.exe" ..
                        14:55:59 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 9156ea52d892a71a5c604fdd4141de82 "C:\Users\user\AppData\Roaming\System.exe" ..
                        14:56:07 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe

                        Joe Sandbox View / Context

                        IPs

                        Match | Associated Sample Name / URL | Detection | Context
                        3.134.125.175 | PO specification dt.18-11-21.png.exe | malicious | 0.tcp.ngrok.io:10655/
                        3.134.125.175 | s1qMnxSMaD.exe | malicious | 50818b0363ba.ngrok.io/status
                        3.17.7.232 | d4.exe | malicious | mafube45655731.ngrok.io/web/upload.php
                        3.17.7.232 | PO specification dt.22-11-21.png.exe | malicious | 0.tcp.ngrok.io:10655/
                        3.17.7.232 | PO specification dt.18-11-21.png.exe | malicious | 0.tcp.ngrok.io:10655/
                        3.17.7.232 | PO specification dt.18-11-21.png.exe | malicious | 0.tcp.ngrok.io:10655/

                        Domains

                        Match | Associated Sample Name / URL | Detection | Context
                        0.tcp.ngrok.io | dnF2IAYI2P.exe | malicious | 3.13.191.225
                        0.tcp.ngrok.io | OAch7032Uv.exe | malicious | 3.22.30.40
                        0.tcp.ngrok.io | esMesv3r4q.exe | malicious | 3.14.182.203
                        0.tcp.ngrok.io | qV6xGz74wg.exe | malicious | 3.13.191.225
                        0.tcp.ngrok.io | 67C8BC7C24E8E2345721F06EF96834E45A3E0F149083B.exe | malicious | 3.22.30.40
                        0.tcp.ngrok.io | 0QbOEq42SL.exe | malicious | 3.14.182.203
                        0.tcp.ngrok.io | B1A1E14BC010B33F4AAF307745F56EBB6FC7AA2F156C1.exe | malicious | 3.134.39.220
                        0.tcp.ngrok.io | FB5CC233422DAB904074E1777E28631912A88B3046A68.exe | malicious | 3.14.182.203
                        0.tcp.ngrok.io | PO specification dt.22-11-21.png.exe | malicious | 3.17.7.232
                        0.tcp.ngrok.io | 1E4E74D129F6E69BCFF84E1731C359B9827C61CD3EB13.exe | malicious | 3.134.125.175
                        0.tcp.ngrok.io | PO specification dt.18-11-21.png.exe | malicious | 3.14.182.203
                        0.tcp.ngrok.io | PO specification dt.18-11-21.png.exe | malicious | 3.14.182.203
                        0.tcp.ngrok.io | 772CA61D127BE3C8992D2537BCA4E0DF6F77B68718D08.exe | malicious | 3.22.30.40
                        0.tcp.ngrok.io | 8z7dfDVjml.exe | malicious | 3.134.125.175
                        0.tcp.ngrok.io | fDT3e2btvr.exe | malicious | 3.14.182.203
                        0.tcp.ngrok.io | 376C8EDBAFB727E3C48081AC3C6751DD6B73E73462C2A.exe | malicious | 3.17.7.232
                        0.tcp.ngrok.io | E4438FE55AD506189992ED8BFA402449106E5C7D0AE3A.exe | malicious | 3.134.39.220
                        0.tcp.ngrok.io | Xr47SGSv.exe | malicious | 3.14.182.203
                        0.tcp.ngrok.io | pshSLz6Nqa.exe | malicious | 3.134.125.175
                        0.tcp.ngrok.io | S8DOE9SWv6.exe | malicious | 3.17.7.232

                        ASN

                        Match | Associated Sample Name / URL | Detection | Context
                        AMAZON-02US | hWLlYv2MAX | malicious | 52.78.77.106
                        AMAZON-02US | 03B8CA0BE4A43FB9CDCC8DC6898F93A71B25412C97107.exe | malicious | 52.14.18.129
                        AMAZON-02US | EART4pT44d | malicious | 54.171.230.55
                        AMAZON-02US | 4M7eKBXgmP | malicious | 54.171.230.55
                        AMAZON-02US | CK8BFmrJs3 | malicious | 13.53.138.107
                        AMAZON-02US | vEnkH2eeB8 | malicious | 184.169.138.24
                        AMAZON-02US | DH-1642092507.xll | malicious | 13.224.92.74
                        AMAZON-02US | DHLExpress.xlsx | malicious | 3.64.163.50
                        AMAZON-02US | PYD04k22Hf.exe | malicious | 52.216.137.204
                        AMAZON-02US | 3RBkU4iBFD.exe | malicious | 54.171.240.157
                        AMAZON-02US | wq1sIhh7Dt | malicious | 34.249.145.219
                        AMAZON-02US | X09rGb7LRv | malicious | 54.171.230.55
                        AMAZON-02US | xULLXvPPb1 | malicious | 54.171.230.55
                        AMAZON-02US | cs.exe | malicious | 54.245.214.72
                        AMAZON-02US | nhIcNtIylJ | malicious | 54.171.230.55
                        AMAZON-02US | uIzFj6o3kP | malicious | 34.249.145.219
                        AMAZON-02US | 5n6d6C1fOM | malicious | 34.249.145.219
                        AMAZON-02US | ebj1OBzGQn | malicious | 34.249.145.219
                        AMAZON-02US | 8ZQaYZo2k3.xll | malicious | 13.224.92.74
                        AMAZON-02US | ISyoQsetoy | malicious | 34.249.145.219

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe.log
                        Process:C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):525
                        Entropy (8bit):5.2874233355119316
                        Encrypted:false
                        SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
                        MD5:80EFBEC081D7836D240503C4C9465FEC
                        SHA1:6AF398E08A359457083727BAF296445030A55AC3
                        SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
                        SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
                        Malicious:true
                        Reputation:moderate, very likely benign file
                        Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
                        C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\System.exe.log
                        Process:C:\Users\user\AppData\Roaming\System.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):525
                        Entropy (8bit):5.2874233355119316
                        Encrypted:false
                        SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
                        MD5:80EFBEC081D7836D240503C4C9465FEC
                        SHA1:6AF398E08A359457083727BAF296445030A55AC3
                        SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
                        SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe
                        Process:C:\Users\user\AppData\Roaming\System.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):5.575659694964963
                        Encrypted:false
                        SSDEEP:384:3IhqBkiyrnDNGRn5IyUv6IzfDhW/6wFbbrAF+rMRTyN/0L+EcoinblneHQM3epz3:If5M5jUvPzQCw1rM+rMRa8Nu1pt
                        MD5:70ACA878BFAAC1EAF7019EDDD97FC877
                        SHA1:4997C055B582C71CBB3863C9523986B51A339797
                        SHA-256:72CA3E2F8479A075C8E089F543F79C4F1CF868D66D3272B2E6B0F0FDED1BDB60
                        SHA-512:17BEDCD516BA8F18B5E4D8A2A8C9D1B6E95BE2158D654B3B15FE2D379CDCE682C609801E1B5C01487FA732EF1591D7CDE1460448FFD4FFE8A50F6C3C82CB36C2
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe, Author: Brian Wallace @botnet_hunter
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: Virustotal, Detection: 77%
                        • Antivirus: Metadefender, Detection: 86%
                        • Antivirus: ReversingLabs, Detection: 95%
                        Reputation:low
                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.`................................. ........@.. ....................................@.................................p...K.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9156ea52d892a71a5c604fdd4141de82.exe:Zone.Identifier
                        Process:C:\Users\user\AppData\Roaming\System.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Reputation:high, very likely benign file
                        Preview: [ZoneTransfer]....ZoneId=0
                        C:\Users\user\AppData\Roaming\System.exe
                        Process:C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):5.575659694964963
                        Encrypted:false
                        SSDEEP:384:3IhqBkiyrnDNGRn5IyUv6IzfDhW/6wFbbrAF+rMRTyN/0L+EcoinblneHQM3epz3:If5M5jUvPzQCw1rM+rMRa8Nu1pt
                        MD5:70ACA878BFAAC1EAF7019EDDD97FC877
                        SHA1:4997C055B582C71CBB3863C9523986B51A339797
                        SHA-256:72CA3E2F8479A075C8E089F543F79C4F1CF868D66D3272B2E6B0F0FDED1BDB60
                        SHA-512:17BEDCD516BA8F18B5E4D8A2A8C9D1B6E95BE2158D654B3B15FE2D379CDCE682C609801E1B5C01487FA732EF1591D7CDE1460448FFD4FFE8A50F6C3C82CB36C2
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\System.exe, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\System.exe, Author: Brian Wallace @botnet_hunter
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: Virustotal, Detection: 77%
                        • Antivirus: Metadefender, Detection: 86%
                        • Antivirus: ReversingLabs, Detection: 95%
                        Reputation:low
                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.`................................. ........@.. ....................................@.................................p...K.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                        C:\Users\user\AppData\Roaming\System.exe:Zone.Identifier
                        Process:C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Reputation:high, very likely benign file
                        Preview: [ZoneTransfer]....ZoneId=0
                        C:\autorun.inf
                        Process:C:\Users\user\AppData\Roaming\System.exe
                        File Type:Microsoft Windows Autorun file, ASCII text, with CRLF line terminators
                        Category:modified
                        Size (bytes):50
                        Entropy (8bit):4.320240000427043
                        Encrypted:false
                        SSDEEP:3:It1KV2LKMACovK0x:e1KzxvD
                        MD5:5B0B50BADE67C5EC92D42E971287A5D9
                        SHA1:90D5C99143E7A56AD6E5EE401015F8ECC093D95A
                        SHA-256:04DDE2489D2D2E6846D42250D813AB90B5CA847D527F8F2C022E6C327DC6DB53
                        SHA-512:C064DC3C4185A38D1CAEBD069ACB9FDBB85DFB650D6A241036E501A09BC89FD06E267BE9D400D20E6C14B4068473D1C6557962E8D82FDFD191DB7EABB6E66821
                        Malicious:true
                        Preview: [autorun]..open=C:\svchost.exe..shellexecute=C:\..
                        C:\svchost.exe
                        Process:C:\Users\user\AppData\Roaming\System.exe
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):37888
                        Entropy (8bit):5.575659694964963
                        Encrypted:false
                        SSDEEP:384:3IhqBkiyrnDNGRn5IyUv6IzfDhW/6wFbbrAF+rMRTyN/0L+EcoinblneHQM3epz3:If5M5jUvPzQCw1rM+rMRa8Nu1pt
                        MD5:70ACA878BFAAC1EAF7019EDDD97FC877
                        SHA1:4997C055B582C71CBB3863C9523986B51A339797
                        SHA-256:72CA3E2F8479A075C8E089F543F79C4F1CF868D66D3272B2E6B0F0FDED1BDB60
                        SHA-512:17BEDCD516BA8F18B5E4D8A2A8C9D1B6E95BE2158D654B3B15FE2D379CDCE682C609801E1B5C01487FA732EF1591D7CDE1460448FFD4FFE8A50F6C3C82CB36C2
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\svchost.exe, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: C:\svchost.exe, Author: Brian Wallace @botnet_hunter
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: Virustotal, Detection: 77%
                        • Antivirus: Metadefender, Detection: 86%
                        • Antivirus: ReversingLabs, Detection: 95%
                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.`................................. ........@.. ....................................@.................................p...K.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                        C:\svchost.exe:Zone.Identifier
                        Process:C:\Users\user\AppData\Roaming\System.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview: [ZoneTransfer]....ZoneId=0
                        \Device\ConDrv
                        Process:C:\Windows\SysWOW64\netsh.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):313
                        Entropy (8bit):4.971939296804078
                        Encrypted:false
                        SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                        MD5:689E2126A85BF55121488295EE068FA1
                        SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                        SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                        SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                        Malicious:false
                        Preview: ..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):5.575659694964963
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        • Win32 Executable (generic) a (10002005/4) 49.75%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Windows Screen Saver (13104/52) 0.07%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        File name:72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
                        File size:37888
                        MD5:70aca878bfaac1eaf7019eddd97fc877
                        SHA1:4997c055b582c71cbb3863c9523986b51a339797
                        SHA256:72ca3e2f8479a075c8e089f543f79c4f1cf868d66d3272b2e6b0f0fded1bdb60
                        SHA512:17bedcd516ba8f18b5e4d8a2a8c9d1b6e95be2158d654b3b15fe2d379cdce682c609801e1b5c01487fa732ef1591d7cde1460448ffd4ffe8a50f6c3c82cb36c2
                        SSDEEP:384:3IhqBkiyrnDNGRn5IyUv6IzfDhW/6wFbbrAF+rMRTyN/0L+EcoinblneHQM3epz3:If5M5jUvPzQCw1rM+rMRa8Nu1pt
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.`................................. ........@.. ....................................@................................

                        File Icon

                        Icon Hash:00828e8e8686b000

                        Static PE Info

                        General

                        Entrypoint:0x40abbe
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0x60AB6F12 [Mon May 24 09:17:06 2021 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:v2.0.50727
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                        Entrypoint Preview

                        Instruction
                        jmp dword ptr [00402000h]
                        add byte ptr [eax], al (repeated for the rest of the preview: the bytes after the jmp are zero padding)

                        Data Directories

                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xab70 | 0x4b | .text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x240 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                        Sections

                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x2000 | 0x8bc4 | 0x8c00 | False | 0.463895089286 | data | 5.60730804361 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rsrc | 0xc000 | 0x240 | 0x400 | False | 0.3134765625 | data | 4.96877165952 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0xe000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        Name | RVA | Size | Type | Language | Country
                        RT_MANIFEST | 0xc058 | 0x1e7 | XML 1.0 document, ASCII text, with CRLF line terminators | |

                        Imports

                        DLL | Import
                        mscoree.dll | _CorExeMain

                        Network Behavior

                        Snort IDS Alerts

                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        01/14/22-14:55:46.343993 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49753 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:55:48.595556 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60784 | 8.8.8.8 | 192.168.2.3
                        01/14/22-14:55:48.762801 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49754 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:55:51.454912 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49755 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:55:54.224128 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49758 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:55:57.123895 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49759 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:00.006211 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49760 | 13467 | 192.168.2.3 | 3.13.191.225
                        01/14/22-14:56:03.177148 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49761 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:05.935422 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 55102 | 8.8.8.8 | 192.168.2.3
                        01/14/22-14:56:06.098596 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49762 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:08.812231 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56236 | 8.8.8.8 | 192.168.2.3
                        01/14/22-14:56:08.974929 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49763 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:11.736334 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49559 | 8.8.8.8 | 192.168.2.3
                        01/14/22-14:56:11.904970 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49765 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:56:14.639656 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49767 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:17.749487 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49770 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:20.375566 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49771 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:56:23.288901 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49773 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:56:26.086507 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49778 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:56:28.732206 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49799 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:56:31.478555 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49803 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:56:34.195822 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49813 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:36.993737 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49816 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:39.740921 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49818 | 13467 | 192.168.2.3 | 3.134.125.175
                        01/14/22-14:56:42.427424 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49819 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:56:45.091298 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49820 | 13467 | 192.168.2.3 | 3.17.7.232
                        01/14/22-14:56:47.745365 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49821 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:56:50.337717 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50824 | 8.8.8.8 | 192.168.2.3
                        01/14/22-14:56:50.506419 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49822 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:53.280011 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49823 | 13467 | 192.168.2.3 | 3.134.125.175
                        01/14/22-14:56:55.918054 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 62855 | 8.8.8.8 | 192.168.2.3
                        01/14/22-14:56:56.085319 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49825 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:56:58.776496 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49826 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:57:01.289281 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49290 | 8.8.8.8 | 192.168.2.3
                        01/14/22-14:57:01.456784 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49840 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:57:04.185000 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49851 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:57:06.846067 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49852 | 13467 | 192.168.2.3 | 3.134.125.175
                        01/14/22-14:57:09.672363 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49857 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:57:12.379810 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49858 | 13467 | 192.168.2.3 | 3.134.125.175
                        01/14/22-14:57:15.052356 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49859 | 13467 | 192.168.2.3 | 3.13.191.225
                        01/14/22-14:57:17.712854 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49860 | 13467 | 192.168.2.3 | 3.13.191.225
                        01/14/22-14:57:20.383404 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49861 | 13467 | 192.168.2.3 | 3.134.125.175
                        01/14/22-14:57:23.134241 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49862 | 13467 | 192.168.2.3 | 3.14.182.203
                        01/14/22-14:57:25.811740 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49864 | 13467 | 192.168.2.3 | 3.134.125.175
                        01/14/22-14:57:28.851831 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49865 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:57:31.155906 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49866 | 13467 | 192.168.2.3 | 3.22.30.40
                        01/14/22-14:57:33.794104 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49867 | 13467 | 192.168.2.3 | 3.13.191.225
                        01/14/22-14:57:36.531249 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49868 | 13467 | 192.168.2.3 | 3.13.191.225
                        01/14/22-14:57:39.326499 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49869 | 13467 | 192.168.2.3 | 3.22.30.40

                        Network Port Distribution

                        TCP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jan 14, 2022 14:56:50.490030050 CET13467498223.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:50.491406918 CET4982213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:50.506418943 CET4982213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:50.655863047 CET13467498223.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:50.655982018 CET4982213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:50.805308104 CET13467498223.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:50.949506044 CET13467498223.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:50.997353077 CET4982213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:51.046550035 CET13467498223.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:51.046588898 CET13467498223.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:51.046660900 CET4982213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:52.966859102 CET4982213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:53.103064060 CET4982313467192.168.2.33.134.125.175
                        Jan 14, 2022 14:56:53.251183987 CET13467498233.134.125.175192.168.2.3
                        Jan 14, 2022 14:56:53.251293898 CET4982313467192.168.2.33.134.125.175
                        Jan 14, 2022 14:56:53.280010939 CET4982313467192.168.2.33.134.125.175
                        Jan 14, 2022 14:56:53.429203033 CET13467498233.134.125.175192.168.2.3
                        Jan 14, 2022 14:56:53.431643963 CET4982313467192.168.2.33.134.125.175
                        Jan 14, 2022 14:56:53.580948114 CET13467498233.134.125.175192.168.2.3
                        Jan 14, 2022 14:56:53.735677004 CET13467498233.134.125.175192.168.2.3
                        Jan 14, 2022 14:56:53.794426918 CET4982313467192.168.2.33.134.125.175
                        Jan 14, 2022 14:56:53.878997087 CET13467498233.134.125.175192.168.2.3
                        Jan 14, 2022 14:56:53.879054070 CET13467498233.134.125.175192.168.2.3
                        Jan 14, 2022 14:56:53.879175901 CET4982313467192.168.2.33.134.125.175
                        Jan 14, 2022 14:56:55.888577938 CET4982313467192.168.2.33.134.125.175
                        Jan 14, 2022 14:56:55.919542074 CET4982513467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:56.068867922 CET13467498253.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:56.068957090 CET4982513467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:56.085319042 CET4982513467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:56.237842083 CET13467498253.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:56.237957001 CET4982513467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:56.387898922 CET13467498253.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:56.544210911 CET13467498253.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:56.591474056 CET4982513467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:56.731281042 CET13467498253.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:56.731333971 CET13467498253.14.182.203192.168.2.3
                        Jan 14, 2022 14:56:56.731381893 CET4982513467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:58.577136993 CET4982513467192.168.2.33.14.182.203
                        Jan 14, 2022 14:56:58.611886024 CET4982613467192.168.2.33.22.30.40
                        Jan 14, 2022 14:56:58.760361910 CET13467498263.22.30.40192.168.2.3
                        Jan 14, 2022 14:56:58.760550976 CET4982613467192.168.2.33.22.30.40
                        Jan 14, 2022 14:56:58.776495934 CET4982613467192.168.2.33.22.30.40
                        Jan 14, 2022 14:56:58.925617933 CET13467498263.22.30.40192.168.2.3
                        Jan 14, 2022 14:56:58.925697088 CET4982613467192.168.2.33.22.30.40
                        Jan 14, 2022 14:56:59.073448896 CET13467498263.22.30.40192.168.2.3
                        Jan 14, 2022 14:56:59.243772984 CET13467498263.22.30.40192.168.2.3
                        Jan 14, 2022 14:56:59.294843912 CET4982613467192.168.2.33.22.30.40
                        Jan 14, 2022 14:56:59.433795929 CET13467498263.22.30.40192.168.2.3
                        Jan 14, 2022 14:56:59.434016943 CET13467498263.22.30.40192.168.2.3
                        Jan 14, 2022 14:56:59.434086084 CET4982613467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:01.248769045 CET4982613467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:01.292131901 CET4984013467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:01.441229105 CET13467498403.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:01.441431999 CET4984013467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:01.456784010 CET4984013467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:01.605844975 CET13467498403.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:01.605973959 CET4984013467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:01.755194902 CET13467498403.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:01.920366049 CET13467498403.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:01.967009068 CET4984013467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:01.994836092 CET13467498403.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:01.994862080 CET13467498403.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:01.994939089 CET4984013467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:03.936264992 CET4984013467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:03.968389034 CET4985113467192.168.2.33.14.182.203
                        Jan 14, 2022 14:57:04.118103027 CET13467498513.14.182.203192.168.2.3
                        Jan 14, 2022 14:57:04.118232012 CET4985113467192.168.2.33.14.182.203
                        Jan 14, 2022 14:57:04.184999943 CET4985113467192.168.2.33.14.182.203
                        Jan 14, 2022 14:57:04.334923029 CET13467498513.14.182.203192.168.2.3
                        Jan 14, 2022 14:57:04.335092068 CET4985113467192.168.2.33.14.182.203
                        Jan 14, 2022 14:57:04.484425068 CET13467498513.14.182.203192.168.2.3
                        Jan 14, 2022 14:57:04.578169107 CET13467498513.14.182.203192.168.2.3
                        Jan 14, 2022 14:57:04.623488903 CET4985113467192.168.2.33.14.182.203
                        Jan 14, 2022 14:57:04.726304054 CET13467498513.14.182.203192.168.2.3
                        Jan 14, 2022 14:57:04.727257013 CET13467498513.14.182.203192.168.2.3
                        Jan 14, 2022 14:57:04.727353096 CET4985113467192.168.2.33.14.182.203
                        Jan 14, 2022 14:57:06.597639084 CET4985113467192.168.2.33.14.182.203
                        Jan 14, 2022 14:57:06.682106018 CET4985213467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:06.831762075 CET13467498523.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:06.831931114 CET4985213467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:06.846066952 CET4985213467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:06.996845007 CET13467498523.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:06.996959925 CET4985213467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:07.144865990 CET13467498523.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:07.288036108 CET13467498523.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:07.342412949 CET4985213467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:07.391819000 CET13467498523.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:07.393424034 CET13467498523.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:07.393484116 CET4985213467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:09.306349039 CET4985213467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:09.477884054 CET4985713467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:09.626111031 CET13467498573.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:09.629101038 CET4985713467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:09.672363043 CET4985713467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:09.820550919 CET13467498573.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:09.820625067 CET4985713467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:09.969440937 CET13467498573.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:10.136903048 CET13467498573.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:10.187722921 CET4985713467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:10.211730003 CET13467498573.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:10.213141918 CET13467498573.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:10.217284918 CET4985713467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:12.195146084 CET4985713467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:12.222390890 CET4985813467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:12.371764898 CET13467498583.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:12.371877909 CET4985813467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:12.379810095 CET4985813467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:12.529593945 CET13467498583.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:12.529719114 CET4985813467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:12.677889109 CET13467498583.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:12.842143059 CET13467498583.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:12.927910089 CET13467498583.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:12.927933931 CET13467498583.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:12.928009033 CET4985813467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:14.859451056 CET4985813467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:14.894783020 CET4985913467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:15.044862032 CET13467498593.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:15.044970989 CET4985913467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:15.052356005 CET4985913467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:15.203074932 CET13467498593.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:15.203237057 CET4985913467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:15.353569984 CET13467498593.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:15.497052908 CET13467498593.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:15.546277046 CET4985913467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:15.593873978 CET13467498593.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:15.594454050 CET13467498593.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:15.594548941 CET4985913467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:17.505371094 CET4985913467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:17.555666924 CET4986013467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:17.704787970 CET13467498603.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:17.704937935 CET4986013467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:17.712853909 CET4986013467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:17.862019062 CET13467498603.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:17.862117052 CET4986013467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:18.012576103 CET13467498603.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:18.153377056 CET13467498603.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:18.202678919 CET4986013467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:18.253457069 CET13467498603.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:18.254405022 CET13467498603.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:18.255052090 CET4986013467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:20.171401024 CET4986013467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:20.205161095 CET4986113467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:20.354484081 CET13467498613.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:20.359708071 CET4986113467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:20.383404016 CET4986113467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:20.531452894 CET13467498613.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:20.531692982 CET4986113467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:20.680902958 CET13467498613.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:20.815593004 CET13467498613.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:20.872159004 CET4986113467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:20.922147036 CET13467498613.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:20.922171116 CET13467498613.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:20.923648119 CET4986113467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:22.922624111 CET4986113467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:22.953860998 CET4986213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:57:23.102494955 CET13467498623.14.182.203192.168.2.3
                        Jan 14, 2022 14:57:23.102730036 CET4986213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:57:23.134241104 CET4986213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:57:23.283987045 CET13467498623.14.182.203192.168.2.3
                        Jan 14, 2022 14:57:23.284220934 CET4986213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:57:23.434010983 CET13467498623.14.182.203192.168.2.3
                        Jan 14, 2022 14:57:23.587218046 CET13467498623.14.182.203192.168.2.3
                        Jan 14, 2022 14:57:23.627883911 CET4986213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:57:23.672132015 CET13467498623.14.182.203192.168.2.3
                        Jan 14, 2022 14:57:23.672179937 CET13467498623.14.182.203192.168.2.3
                        Jan 14, 2022 14:57:23.672395945 CET4986213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:57:25.603193998 CET4986213467192.168.2.33.14.182.203
                        Jan 14, 2022 14:57:25.650895119 CET4986413467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:25.798964024 CET13467498643.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:25.800141096 CET4986413467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:25.811739922 CET4986413467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:25.960921049 CET13467498643.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:25.961035013 CET4986413467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:26.109395981 CET13467498643.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:26.277720928 CET13467498643.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:26.320991993 CET4986413467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:26.373708963 CET13467498643.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:26.373766899 CET13467498643.134.125.175192.168.2.3
                        Jan 14, 2022 14:57:26.374031067 CET4986413467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:28.305177927 CET4986413467192.168.2.33.134.125.175
                        Jan 14, 2022 14:57:28.334876060 CET4986513467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:28.482990026 CET13467498653.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:28.486665010 CET4986513467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:28.851830959 CET4986513467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:28.935770988 CET13467498653.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:28.935954094 CET4986513467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:29.000933886 CET13467498653.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:29.083980083 CET13467498653.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:29.331485033 CET13467498653.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:29.331649065 CET13467498653.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:29.332684040 CET4986513467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:30.968499899 CET4986513467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:31.001785994 CET4986613467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:31.151562929 CET13467498663.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:31.151684999 CET4986613467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:31.155905962 CET4986613467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:31.304626942 CET13467498663.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:31.304698944 CET4986613467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:31.453993082 CET13467498663.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:31.611686945 CET13467498663.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:31.664241076 CET4986613467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:31.700320959 CET13467498663.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:31.700858116 CET13467498663.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:31.700938940 CET4986613467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:33.618360996 CET4986613467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:33.640954018 CET4986713467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:33.789655924 CET13467498673.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:33.791275024 CET4986713467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:33.794104099 CET4986713467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:33.942908049 CET13467498673.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:33.949666023 CET4986713467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:34.099528074 CET13467498673.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:34.336123943 CET13467498673.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:34.345657110 CET13467498673.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:34.345771074 CET4986713467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:34.441003084 CET13467498673.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:34.441072941 CET4986713467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:36.352360964 CET4986713467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:36.379312038 CET4986813467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:36.529062986 CET13467498683.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:36.529194117 CET4986813467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:36.531249046 CET4986813467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:36.680871964 CET13467498683.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:36.681094885 CET4986813467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:36.830693007 CET13467498683.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:37.118520975 CET13467498683.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:37.118561029 CET13467498683.13.191.225192.168.2.3
                        Jan 14, 2022 14:57:37.118671894 CET4986813467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:39.135499954 CET4986813467192.168.2.33.13.191.225
                        Jan 14, 2022 14:57:39.165522099 CET4986913467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:39.313790083 CET13467498693.22.30.40192.168.2.3
                        Jan 14, 2022 14:57:39.314306021 CET4986913467192.168.2.33.22.30.40
                        Jan 14, 2022 14:57:39.326498985 CET4986913467192.168.2.33.22.30.40

                        UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 14:55:45.826014996 CET | 64021 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:55:45.845385075 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:55:48.573869944 CET | 60784 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:55:48.595556021 CET | 53 | 60784 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:55:51.250332117 CET | 51143 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:55:51.267457962 CET | 53 | 51143 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:55:54.034359932 CET | 59026 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:55:54.053494930 CET | 53 | 59026 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:55:56.930083036 CET | 49572 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:55:56.949445963 CET | 53 | 49572 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:55:59.640835047 CET | 60823 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:55:59.660417080 CET | 53 | 60823 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:02.986785889 CET | 52130 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:03.006030083 CET | 53 | 52130 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:05.912566900 CET | 55102 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:05.935421944 CET | 53 | 55102 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:08.785914898 CET | 56236 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:08.812231064 CET | 53 | 56236 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:11.714885950 CET | 49559 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:11.736334085 CET | 53 | 49559 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:14.454736948 CET | 63297 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:14.474361897 CET | 53 | 63297 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:17.219274998 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:17.238837957 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:20.142657042 CET | 53615 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:20.162110090 CET | 53 | 53615 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:23.108827114 CET | 53777 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:23.126688004 CET | 53 | 53777 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:25.848159075 CET | 60982 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:25.867337942 CET | 53 | 60982 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:28.549057961 CET | 63456 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:28.568577051 CET | 53 | 63456 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:31.243753910 CET | 55108 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:31.262999058 CET | 53 | 55108 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:33.952836037 CET | 58942 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:33.969996929 CET | 53 | 58942 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:36.805179119 CET | 64432 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:36.825191021 CET | 53 | 64432 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:39.552303076 CET | 63490 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:39.572302103 CET | 53 | 63490 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:42.237478018 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:42.254549980 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:44.912789106 CET | 61120 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:44.930639029 CET | 53 | 61120 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:47.566504002 CET | 53079 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:47.586004019 CET | 53 | 53079 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:50.310465097 CET | 50824 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:50.337717056 CET | 53 | 50824 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:53.083189011 CET | 56706 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:53.101566076 CET | 53 | 56706 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:55.895234108 CET | 62855 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:55.918054104 CET | 53 | 62855 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:56:58.591355085 CET | 51046 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:58.608932018 CET | 53 | 51046 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:57:01.259596109 CET | 49290 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:57:01.289280891 CET | 53 | 49290 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:57:03.945168972 CET | 59754 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:57:03.965209007 CET | 53 | 59754 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:57:06.660762072 CET | 49234 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:57:06.680274010 CET | 53 | 49234 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:57:09.400335073 CET | 57447 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:57:09.419737101 CET | 53 | 57447 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:57:12.201404095 CET | 63583 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:57:12.220947981 CET | 53 | 63583 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:57:14.870506048 CET | 64099 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:57:14.890022993 CET | 53 | 64099 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:57:17.534580946 CET | 64610 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:57:17.553966999 CET | 53 | 64610 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:57:20.180349112 CET | 51989 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:57:20.201327085 CET | 53 | 51989 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:57:22.931205988 CET | 53152 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:57:22.950678110 CET | 53 | 53152 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:57:25.630670071 CET | 56077 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:57:25.649379969 CET | 53 | 56077 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:57:28.312005997 CET | 57951 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:57:28.331880093 CET | 53 | 57951 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:57:30.979021072 CET | 53276 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:57:30.998452902 CET | 53 | 53276 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:57:33.620198011 CET | 60135 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:57:33.639610052 CET | 53 | 60135 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:57:36.354939938 CET | 49849 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:57:36.375444889 CET | 53 | 49849 | 8.8.8.8 | 192.168.2.3
Jan 14, 2022 14:57:39.139276981 CET | 60253 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:57:39.159666061 CET | 53 | 60253 | 8.8.8.8 | 192.168.2.3
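Read together, the TCP and UDP tables above show one pattern: roughly every 2.7 s the sandbox VM (192.168.2.3) sends a DNS query to 8.8.8.8, and about 20 to 40 ms later it opens a fresh TCP connection (new ephemeral source port) to port 13467 on one of a handful of 3.x.x.x hosts, which it tears down again about 2.6 s later. The DNS Queries table that follows shows every lookup is for 0.tcp.ngrok.io, the hostname ngrok hands out for TCP tunnels, which is why the destination port is fixed while the destination IP rotates across ngrok edges. The script below is an added example, not part of the Joe Sandbox report: a beacon check that an analyst could run over such rows. The embedded rows are copied from the two tables above (first and last packet of six connections, plus the six DNS queries that precede them) in the pipe-separated layout used here; the thresholds (at least 5 connections, jitter of at most 25 % of the median interval, a 1 s window for the preceding DNS query) and all function names are the example's own choices, not anything Joe Sandbox defines.

```python
"""Beacon check over rows copied from the packet tables of a Joe Sandbox report."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

MONITORED_HOST = "192.168.2.3"  # the sandbox VM in the tables above

# Rows copied from the TCP Packets table above, pipe-separated as
# Timestamp | Source Port | Dest Port | Source IP | Dest IP. Only the first and
# last packet of each client connection (and one server reply) are kept short.
TCP_ROWS = """\
Jan 14, 2022 14:56:42.256027937 CET | 49819 | 13467 | 192.168.2.3 | 3.17.7.232
Jan 14, 2022 14:56:42.405697107 CET | 13467 | 49819 | 3.17.7.232 | 192.168.2.3
Jan 14, 2022 14:56:44.903422117 CET | 49819 | 13467 | 192.168.2.3 | 3.17.7.232
Jan 14, 2022 14:56:44.933501959 CET | 49820 | 13467 | 192.168.2.3 | 3.17.7.232
Jan 14, 2022 14:56:47.559775114 CET | 49820 | 13467 | 192.168.2.3 | 3.17.7.232
Jan 14, 2022 14:56:47.588242054 CET | 49821 | 13467 | 192.168.2.3 | 3.22.30.40
Jan 14, 2022 14:56:50.294591904 CET | 49821 | 13467 | 192.168.2.3 | 3.22.30.40
Jan 14, 2022 14:56:50.339847088 CET | 49822 | 13467 | 192.168.2.3 | 3.14.182.203
Jan 14, 2022 14:56:52.966859102 CET | 49822 | 13467 | 192.168.2.3 | 3.14.182.203
Jan 14, 2022 14:56:53.103064060 CET | 49823 | 13467 | 192.168.2.3 | 3.134.125.175
Jan 14, 2022 14:56:55.888577938 CET | 49823 | 13467 | 192.168.2.3 | 3.134.125.175
Jan 14, 2022 14:56:55.919542074 CET | 49825 | 13467 | 192.168.2.3 | 3.14.182.203
Jan 14, 2022 14:56:58.577136993 CET | 49825 | 13467 | 192.168.2.3 | 3.14.182.203
"""

# Rows copied from the UDP Packets table above: the DNS query sent just before
# each of the connections listed in TCP_ROWS (all for 0.tcp.ngrok.io according
# to the DNS Queries table).
UDP_ROWS = """\
Jan 14, 2022 14:56:42.237478018 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:44.912789106 CET | 61120 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:47.566504002 CET | 53079 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:50.310465097 CET | 50824 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:53.083189011 CET | 56706 | 53 | 192.168.2.3 | 8.8.8.8
Jan 14, 2022 14:56:55.895234108 CET | 62855 | 53 | 192.168.2.3 | 8.8.8.8
"""


def parse_rows(text):
    """Yield (timestamp, src_port, dst_port, src_ip, dst_ip) per non-empty row."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, sip, dip = [c.strip() for c in line.split("|")]
        # The report prints nanoseconds; datetime.strptime only takes microseconds.
        ts = re.sub(r"\.(\d{6})\d+", r".\1", ts)
        ts = datetime.strptime(ts, "%b %d, %Y %H:%M:%S.%f CET")
        yield ts, int(sport), int(dport), sip, dip


def client_connections(packets, host=MONITORED_HOST):
    """Collapse packets into (first_seen, last_seen, dst_ip, dst_port) per connection.

    The client's ephemeral source port identifies a connection; its first
    packet is the SYN, so first_seen is the connect time. Server-to-client
    packets are skipped because they never start a new connection.
    """
    conns = {}
    for ts, sport, dport, sip, dip in packets:
        if sip != host:
            continue
        if sport not in conns:
            conns[sport] = [ts, ts, dip, dport]
        elif ts > conns[sport][1]:
            conns[sport][1] = ts
    return sorted((tuple(c) for c in conns.values()), key=lambda c: c[0])


def find_beacons(conns, min_conns=5, max_jitter=0.25):
    """Report destination ports contacted repeatedly at a near-constant interval.

    jitter = (max gap - min gap) / median gap between connection starts. The
    group is keyed on the port alone, so a C2 that rotates IPs behind one port
    (a tunnel service, fast flux) is reported as one beacon, not split up.
    """
    by_port = defaultdict(list)
    for first, last, dip, dport in conns:
        by_port[dport].append((first, last, dip))
    findings = []
    for dport, group in by_port.items():
        if len(group) < min_conns:
            continue
        starts = [g[0] for g in group]
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        med = median(gaps)
        jitter = (max(gaps) - min(gaps)) / med
        if jitter <= max_jitter:
            findings.append({
                "dst_port": dport,
                "connections": len(group),
                "distinct_dst_ips": sorted({g[2] for g in group}),
                "median_interval_s": round(med, 3),
                "jitter": round(jitter, 3),
                "median_duration_s": round(median((l - f).total_seconds() for f, l, _ in group), 3),
            })
    return findings


def dns_precedes(conn_starts, udp_packets, window_s=1.0, host=MONITORED_HOST):
    """Count connections preceded within window_s by a DNS query from the host.

    A lookup before every single connect means the client re-resolves the C2
    name each time, which explains a changing IP behind an unchanging port.
    """
    queries = [ts for ts, _, dport, sip, _ in udp_packets if sip == host and dport == 53]
    return sum(1 for s in conn_starts
               if any(0 <= (s - q).total_seconds() <= window_s for q in queries))


def analyse(tcp_text=TCP_ROWS, udp_text=UDP_ROWS):
    """Run the beacon check and annotate each finding with its DNS correlation."""
    conns = client_connections(parse_rows(tcp_text))
    udp = list(parse_rows(udp_text))
    findings = find_beacons(conns)
    for f in findings:
        starts = [c[0] for c in conns if c[3] == f["dst_port"]]
        f["dns_preceded"] = dns_precedes(starts, udp)
    return findings


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

On the embedded rows the check reports one beacon: destination port 13467, six connections across four destination IPs, a median interval of about 2.75 s with under 6 % jitter, connections lasting about 2.65 s, and all six preceded by a DNS query. Keying the group on the port rather than the (IP, port) pair is the design choice that matters here; grouping on the pair would leave at most two connections per host and nothing would trip the threshold.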

                        DNS Queries

                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                        Jan 14, 2022 14:55:45.826014996 CET | 192.168.2.3 | 8.8.8.8 | 0x354d | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:48.573869944 CET | 192.168.2.3 | 8.8.8.8 | 0x7217 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:51.250332117 CET | 192.168.2.3 | 8.8.8.8 | 0x1e2 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:54.034359932 CET | 192.168.2.3 | 8.8.8.8 | 0x5d28 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:56.930083036 CET | 192.168.2.3 | 8.8.8.8 | 0xc746 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:59.640835047 CET | 192.168.2.3 | 8.8.8.8 | 0x47a0 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:02.986785889 CET | 192.168.2.3 | 8.8.8.8 | 0x53ee | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:05.912566900 CET | 192.168.2.3 | 8.8.8.8 | 0x1b23 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:08.785914898 CET | 192.168.2.3 | 8.8.8.8 | 0x7451 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:11.714885950 CET | 192.168.2.3 | 8.8.8.8 | 0xa4dd | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:14.454736948 CET | 192.168.2.3 | 8.8.8.8 | 0xb74 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:17.219274998 CET | 192.168.2.3 | 8.8.8.8 | 0xd3e | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:20.142657042 CET | 192.168.2.3 | 8.8.8.8 | 0x4e7a | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:23.108827114 CET | 192.168.2.3 | 8.8.8.8 | 0x900e | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:25.848159075 CET | 192.168.2.3 | 8.8.8.8 | 0xa643 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:28.549057961 CET | 192.168.2.3 | 8.8.8.8 | 0x1087 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:31.243753910 CET | 192.168.2.3 | 8.8.8.8 | 0x990c | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:33.952836037 CET | 192.168.2.3 | 8.8.8.8 | 0x8d4 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:36.805179119 CET | 192.168.2.3 | 8.8.8.8 | 0xf5b | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:39.552303076 CET | 192.168.2.3 | 8.8.8.8 | 0x135d | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:42.237478018 CET | 192.168.2.3 | 8.8.8.8 | 0x8ce5 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:44.912789106 CET | 192.168.2.3 | 8.8.8.8 | 0x1565 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:47.566504002 CET | 192.168.2.3 | 8.8.8.8 | 0xfe29 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:50.310465097 CET | 192.168.2.3 | 8.8.8.8 | 0xecf | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:53.083189011 CET | 192.168.2.3 | 8.8.8.8 | 0xa4dd | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:55.895234108 CET | 192.168.2.3 | 8.8.8.8 | 0x6f54 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:58.591355085 CET | 192.168.2.3 | 8.8.8.8 | 0x3abe | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:01.259596109 CET | 192.168.2.3 | 8.8.8.8 | 0xa299 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:03.945168972 CET | 192.168.2.3 | 8.8.8.8 | 0x5d9f | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:06.660762072 CET | 192.168.2.3 | 8.8.8.8 | 0x7ff4 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:09.400335073 CET | 192.168.2.3 | 8.8.8.8 | 0x296d | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:12.201404095 CET | 192.168.2.3 | 8.8.8.8 | 0xcb98 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:14.870506048 CET | 192.168.2.3 | 8.8.8.8 | 0x7190 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:17.534580946 CET | 192.168.2.3 | 8.8.8.8 | 0x2b1b | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:20.180349112 CET | 192.168.2.3 | 8.8.8.8 | 0x732d | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:22.931205988 CET | 192.168.2.3 | 8.8.8.8 | 0xff31 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:25.630670071 CET | 192.168.2.3 | 8.8.8.8 | 0x3ef9 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:28.312005997 CET | 192.168.2.3 | 8.8.8.8 | 0x5e29 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:30.979021072 CET | 192.168.2.3 | 8.8.8.8 | 0xf575 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:33.620198011 CET | 192.168.2.3 | 8.8.8.8 | 0xec81 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:36.354939938 CET | 192.168.2.3 | 8.8.8.8 | 0x2c4c | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:39.139276981 CET | 192.168.2.3 | 8.8.8.8 | 0x4984 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)

                        DNS Answers

                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                        Jan 14, 2022 14:55:45.845385075 CET | 8.8.8.8 | 192.168.2.3 | 0x354d | No error (0) | 0.tcp.ngrok.io | - | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:48.595556021 CET | 8.8.8.8 | 192.168.2.3 | 0x7217 | No error (0) | 0.tcp.ngrok.io | - | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:51.267457962 CET | 8.8.8.8 | 192.168.2.3 | 0x1e2 | No error (0) | 0.tcp.ngrok.io | - | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:54.053494930 CET | 8.8.8.8 | 192.168.2.3 | 0x5d28 | No error (0) | 0.tcp.ngrok.io | - | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:56.949445963 CET | 8.8.8.8 | 192.168.2.3 | 0xc746 | No error (0) | 0.tcp.ngrok.io | - | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:55:59.660417080 CET | 8.8.8.8 | 192.168.2.3 | 0x47a0 | No error (0) | 0.tcp.ngrok.io | - | 3.13.191.225 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:03.006030083 CET | 8.8.8.8 | 192.168.2.3 | 0x53ee | No error (0) | 0.tcp.ngrok.io | - | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:05.935421944 CET | 8.8.8.8 | 192.168.2.3 | 0x1b23 | No error (0) | 0.tcp.ngrok.io | - | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:08.812231064 CET | 8.8.8.8 | 192.168.2.3 | 0x7451 | No error (0) | 0.tcp.ngrok.io | - | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:11.736334085 CET | 8.8.8.8 | 192.168.2.3 | 0xa4dd | No error (0) | 0.tcp.ngrok.io | - | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:14.474361897 CET | 8.8.8.8 | 192.168.2.3 | 0xb74 | No error (0) | 0.tcp.ngrok.io | - | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:17.238837957 CET | 8.8.8.8 | 192.168.2.3 | 0xd3e | No error (0) | 0.tcp.ngrok.io | - | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:20.162110090 CET | 8.8.8.8 | 192.168.2.3 | 0x4e7a | No error (0) | 0.tcp.ngrok.io | - | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:23.126688004 CET | 8.8.8.8 | 192.168.2.3 | 0x900e | No error (0) | 0.tcp.ngrok.io | - | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:25.867337942 CET | 8.8.8.8 | 192.168.2.3 | 0xa643 | No error (0) | 0.tcp.ngrok.io | - | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:28.568577051 CET | 8.8.8.8 | 192.168.2.3 | 0x1087 | No error (0) | 0.tcp.ngrok.io | - | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:31.262999058 CET | 8.8.8.8 | 192.168.2.3 | 0x990c | No error (0) | 0.tcp.ngrok.io | - | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:33.969996929 CET | 8.8.8.8 | 192.168.2.3 | 0x8d4 | No error (0) | 0.tcp.ngrok.io | - | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:36.825191021 CET | 8.8.8.8 | 192.168.2.3 | 0xf5b | No error (0) | 0.tcp.ngrok.io | - | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:39.572302103 CET | 8.8.8.8 | 192.168.2.3 | 0x135d | No error (0) | 0.tcp.ngrok.io | - | 3.134.125.175 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:42.254549980 CET | 8.8.8.8 | 192.168.2.3 | 0x8ce5 | No error (0) | 0.tcp.ngrok.io | - | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:44.930639029 CET | 8.8.8.8 | 192.168.2.3 | 0x1565 | No error (0) | 0.tcp.ngrok.io | - | 3.17.7.232 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:47.586004019 CET | 8.8.8.8 | 192.168.2.3 | 0xfe29 | No error (0) | 0.tcp.ngrok.io | - | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:50.337717056 CET | 8.8.8.8 | 192.168.2.3 | 0xecf | No error (0) | 0.tcp.ngrok.io | - | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:53.101566076 CET | 8.8.8.8 | 192.168.2.3 | 0xa4dd | No error (0) | 0.tcp.ngrok.io | - | 3.134.125.175 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:55.918054104 CET | 8.8.8.8 | 192.168.2.3 | 0x6f54 | No error (0) | 0.tcp.ngrok.io | - | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:56:58.608932018 CET | 8.8.8.8 | 192.168.2.3 | 0x3abe | No error (0) | 0.tcp.ngrok.io | - | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:01.289280891 CET | 8.8.8.8 | 192.168.2.3 | 0xa299 | No error (0) | 0.tcp.ngrok.io | - | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:03.965209007 CET | 8.8.8.8 | 192.168.2.3 | 0x5d9f | No error (0) | 0.tcp.ngrok.io | - | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:06.680274010 CET | 8.8.8.8 | 192.168.2.3 | 0x7ff4 | No error (0) | 0.tcp.ngrok.io | - | 3.134.125.175 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:09.419737101 CET | 8.8.8.8 | 192.168.2.3 | 0x296d | No error (0) | 0.tcp.ngrok.io | - | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:12.220947981 CET | 8.8.8.8 | 192.168.2.3 | 0xcb98 | No error (0) | 0.tcp.ngrok.io | - | 3.134.125.175 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:14.890022993 CET | 8.8.8.8 | 192.168.2.3 | 0x7190 | No error (0) | 0.tcp.ngrok.io | - | 3.13.191.225 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:17.553966999 CET | 8.8.8.8 | 192.168.2.3 | 0x2b1b | No error (0) | 0.tcp.ngrok.io | - | 3.13.191.225 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:20.201327085 CET | 8.8.8.8 | 192.168.2.3 | 0x732d | No error (0) | 0.tcp.ngrok.io | - | 3.134.125.175 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:22.950678110 CET | 8.8.8.8 | 192.168.2.3 | 0xff31 | No error (0) | 0.tcp.ngrok.io | - | 3.14.182.203 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:25.649379969 CET | 8.8.8.8 | 192.168.2.3 | 0x3ef9 | No error (0) | 0.tcp.ngrok.io | - | 3.134.125.175 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:28.331880093 CET | 8.8.8.8 | 192.168.2.3 | 0x5e29 | No error (0) | 0.tcp.ngrok.io | - | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:30.998452902 CET | 8.8.8.8 | 192.168.2.3 | 0xf575 | No error (0) | 0.tcp.ngrok.io | - | 3.22.30.40 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:33.639610052 CET | 8.8.8.8 | 192.168.2.3 | 0xec81 | No error (0) | 0.tcp.ngrok.io | - | 3.13.191.225 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:36.375444889 CET | 8.8.8.8 | 192.168.2.3 | 0x2c4c | No error (0) | 0.tcp.ngrok.io | - | 3.13.191.225 | A (IP address) | IN (0x0001)
                        Jan 14, 2022 14:57:39.159666061 CET | 8.8.8.8 | 192.168.2.3 | 0x4984 | No error (0) | 0.tcp.ngrok.io | - | 3.22.30.40 | A (IP address) | IN (0x0001)
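The two DNS tables above show the pattern an analyst wants to pull out of a report like this automatically: one name (a public ngrok tunnel endpoint) queried every few seconds at a near-constant interval, with the resolver handing back a rotating set of cloud addresses. The script below is an added example, not Joe Sandbox code: it parses rows in the pipe-delimited form used on this page, reconstructs the query cadence per name, counts the distinct answer addresses, and applies a simple beacon heuristic. The sample rows are constructed from the first six queries and answers of this report; the tunnel-service suffix list and the cadence thresholds are assumptions chosen for the example, not the sandbox's own signature logic.

```python
"""Parse Joe Sandbox style DNS query/answer rows and profile each queried name
for tunnel-service use, resolver round-robin and beacon-like query cadence."""
import re
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample: the first six query and answer rows of the report above,
# written as pipe-delimited fields. The remaining rows are omitted for brevity.
QUERIES = """\
Jan 14, 2022 14:55:45.826014996 CET | 192.168.2.3 | 8.8.8.8 | 0x354d | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jan 14, 2022 14:55:48.573869944 CET | 192.168.2.3 | 8.8.8.8 | 0x7217 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jan 14, 2022 14:55:51.250332117 CET | 192.168.2.3 | 8.8.8.8 | 0x1e2 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jan 14, 2022 14:55:54.034359932 CET | 192.168.2.3 | 8.8.8.8 | 0x5d28 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jan 14, 2022 14:55:56.930083036 CET | 192.168.2.3 | 8.8.8.8 | 0xc746 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
Jan 14, 2022 14:55:59.640835047 CET | 192.168.2.3 | 8.8.8.8 | 0x47a0 | Standard query (0) | 0.tcp.ngrok.io | A (IP address) | IN (0x0001)
"""
ANSWERS = """\
Jan 14, 2022 14:55:45.845385075 CET | 8.8.8.8 | 192.168.2.3 | 0x354d | No error (0) | 0.tcp.ngrok.io |  | 3.17.7.232 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:55:48.595556021 CET | 8.8.8.8 | 192.168.2.3 | 0x7217 | No error (0) | 0.tcp.ngrok.io |  | 3.17.7.232 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:55:51.267457962 CET | 8.8.8.8 | 192.168.2.3 | 0x1e2 | No error (0) | 0.tcp.ngrok.io |  | 3.17.7.232 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:55:54.053494930 CET | 8.8.8.8 | 192.168.2.3 | 0x5d28 | No error (0) | 0.tcp.ngrok.io |  | 3.17.7.232 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:55:56.949445963 CET | 8.8.8.8 | 192.168.2.3 | 0xc746 | No error (0) | 0.tcp.ngrok.io |  | 3.14.182.203 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:55:59.660417080 CET | 8.8.8.8 | 192.168.2.3 | 0x47a0 | No error (0) | 0.tcp.ngrok.io |  | 3.13.191.225 | A (IP address) | IN (0x0001)
"""

# Assumption for this example: suffixes of public tunnel/relay services worth flagging.
TUNNEL_SUFFIXES = ("ngrok.io",)

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+$")


def parse_timestamp(text):
    """'Jan 14, 2022 14:55:45.826014996 CET' -> naive datetime.
    The report prints nanoseconds but datetime holds microseconds, so the
    fraction is truncated. All rows share one zone, so the zone is ignored."""
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base + timedelta(microseconds=int(m.group(2)[:6].ljust(6, "0")))


def parse_rows(table):
    """Pipe-delimited rows -> list of stripped field lists (blank lines skipped)."""
    return [[f.strip() for f in line.split("|")] for line in table.splitlines() if line.strip()]


def parse_queries(table):
    # fields: ts, src, dst, txid, opcode, name, type, class
    return [{"ts": parse_timestamp(f[0]), "txid": f[3], "name": f[5].lower()}
            for f in parse_rows(table)]


def parse_answers(table):
    # fields: ts, src, dst, txid, rcode, name, cname, address, type, class
    return [{"ts": parse_timestamp(f[0]), "txid": f[3], "name": f[5].lower(), "address": f[7]}
            for f in parse_rows(table)]


def is_tunnel_service(name):
    return any(name == s or name.endswith("." + s) for s in TUNNEL_SUFFIXES)


def profile_domain(queries, answers, name, min_queries=5, max_mean_s=60.0, max_cv=0.25):
    """Cadence and resolution profile for one name.
    'beaconing' means: at least min_queries lookups with a short mean spacing
    and low jitter (coefficient of variation <= max_cv). The thresholds are
    assumptions for this example, not Joe Sandbox's signature logic."""
    name = name.lower()
    times = sorted(q["ts"] for q in queries if q["name"] == name)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean_gap = mean(gaps) if gaps else None
    cv = pstdev(gaps) / mean_gap if mean_gap else None
    return {
        "name": name,
        "queries": len(times),
        "mean_interval_s": round(mean_gap, 3) if mean_gap is not None else None,
        "interval_cv": round(cv, 3) if cv is not None else None,
        "distinct_addresses": sorted({a["address"] for a in answers if a["name"] == name}),
        "tunnel_service": is_tunnel_service(name),
        "beaconing": (len(times) >= min_queries and mean_gap is not None
                      and mean_gap <= max_mean_s and cv is not None and cv <= max_cv),
    }


def analyse(queries_table, answers_table):
    """Profile every name that appears in the query table."""
    queries, answers = parse_queries(queries_table), parse_answers(answers_table)
    return {n: profile_domain(queries, answers, n) for n in sorted({q["name"] for q in queries})}


if __name__ == "__main__":
    for name, prof in analyse(QUERIES, ANSWERS).items():
        print(name, prof)
```

On the six constructed rows the profile reports a mean spacing of about 2.76 s with a coefficient of variation under 0.03 and three distinct answer addresses, which is the round-robin behaviour of a shared tunnel front end rather than a single attacker host; blocking one of those addresses would not cut the channel, the tunnel name is the durable indicator. On real resolver logs a window of minutes rather than seconds is the sensible minimum before trusting the cadence test.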

                        Code Manipulations

                        Statistics

                        CPU Usage, Memory Usage, High Level Behavior Distribution and Behavior charts: interactive graphics, not reproduced in this text version.

                        System Behavior

                        General

                        Start time: 14:55:24
                        Start date: 14/01/2022
                        Path: C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe"
                        Imagebase: 0x840000
                        File size: 37888 bytes
                        MD5 hash: 70ACA878BFAAC1EAF7019EDDD97FC877
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: .Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.300280402.0000000000842000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        Reputation: low

                        General

                        Start time: 14:55:32
                        Start date: 14/01/2022
                        Path: C:\Users\user\AppData\Roaming\System.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\AppData\Roaming\System.exe"
                        Imagebase: 0xc70000
                        File size: 37888 bytes
                        MD5 hash: 70ACA878BFAAC1EAF7019EDDD97FC877
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: .Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.318400224.0000000000C72000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.317417479.0000000000C72000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.317702364.0000000000C72000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.317974918.0000000000C72000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000002.571615119.0000000000C72000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\System.exe, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\System.exe, Author: Brian Wallace @botnet_hunter
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 77%, Virustotal
                        • Detection: 86%, Metadefender
                        • Detection: 95%, ReversingLabs
                        Reputation: low

                        General

                        Start time: 14:55:40
                        Start date: 14/01/2022
                        Path: C:\Windows\SysWOW64\netsh.exe
                        Wow64 process (32bit): true
                        Commandline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE
                        Imagebase: 0xe40000
                        File size: 82944 bytes
                        MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high

                        General

                        Start time: 14:55:41
                        Start date: 14/01/2022
                        Path: C:\Windows\System32\conhost.exe
                        Wow64 process (32bit): false
                        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase: 0x7ff7f20f0000
                        File size: 625664 bytes
                        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high

                        General

                        Start time: 14:55:51
                        Start date: 14/01/2022
                        Path: C:\Users\user\AppData\Roaming\System.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\AppData\Roaming\System.exe" ..
                        Imagebase: 0xf50000
                        File size: 37888 bytes
                        MD5 hash: 70ACA878BFAAC1EAF7019EDDD97FC877
                        Has elevated privileges: false
                        Has administrator privileges: false
                        Programmed in: .Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000009.00000000.356890184.0000000000F52000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 00000009.00000002.370029896.0000000000F52000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        Reputation: low

                        General

                        Start time: 14:55:59
                        Start date: 14/01/2022
                        Path: C:\Users\user\AppData\Roaming\System.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\AppData\Roaming\System.exe" ..
                        Imagebase: 0x50000
                        File size: 37888 bytes
                        MD5 hash: 70ACA878BFAAC1EAF7019EDDD97FC877
                        Has elevated privileges: false
                        Has administrator privileges: false
                        Programmed in: .Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 0000000B.00000002.388359726.0000000000052000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 0000000B.00000000.376536403.0000000000052000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        Reputation: low

                        General

                        Start time: 14:56:07
                        Start date: 14/01/2022
                        Path: C:\Users\user\AppData\Roaming\System.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\AppData\Roaming\System.exe" ..
                        Imagebase: 0x510000
                        File size: 37888 bytes
                        MD5 hash: 70ACA878BFAAC1EAF7019EDDD97FC877
                        Has elevated privileges: false
                        Has administrator privileges: false
                        Programmed in: .Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 0000000C.00000000.392201898.0000000000512000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: njrat1, Description: Identify njRat, Source: 0000000C.00000002.403902841.0000000000512000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                        Reputation: low
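The process list above is the whole persistence story in seven entries: the sample copies itself to %APPDATA%\Roaming under the name System.exe, the elevated copy calls netsh to open a firewall exception for that path, and the copy is then started repeatedly (unelevated) with a ".." argument. The script below is an added example, not Joe Sandbox or njRat code: it runs a few triage rules over process records shaped like the entries on this page and returns the findings instead of relying on a signature name. The event list is constructed from the System Behavior entries above (a sequence number stands in for process IDs, which the report does not give); the user-writable directory list and the system-lookalike name list are assumptions for the example, and the ".." rule matches exactly the argument pattern seen here rather than claiming anything general about the family.

```python
"""Triage Joe Sandbox style process records for the persistence pattern in this
report: self-copy under a system-looking name in a user-writable directory,
a netsh firewall exception for that copy, and repeated relaunches of it."""
import re
from pathlib import PureWindowsPath

# Constructed from the System Behavior entries above, in page order. "seq" is
# just the position in that list; the report gives no process IDs.
EVENTS = [
    {"seq": 1, "path": r"C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe",
     "cmdline": r'"C:\Users\user\Desktop\72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.exe"',
     "md5": "70ACA878BFAAC1EAF7019EDDD97FC877", "elevated": True},
    {"seq": 2, "path": r"C:\Users\user\AppData\Roaming\System.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\System.exe"',
     "md5": "70ACA878BFAAC1EAF7019EDDD97FC877", "elevated": True},
    {"seq": 3, "path": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\System.exe" "System.exe" ENABLE',
     "md5": "A0AA3322BB46BBFC36AB9DC1DBBBB807", "elevated": True},
    {"seq": 4, "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "EA777DEEA782E8B4D7C7C33BBF8A4496", "elevated": True},
    {"seq": 5, "path": r"C:\Users\user\AppData\Roaming\System.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\System.exe" ..',
     "md5": "70ACA878BFAAC1EAF7019EDDD97FC877", "elevated": False},
    {"seq": 6, "path": r"C:\Users\user\AppData\Roaming\System.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\System.exe" ..',
     "md5": "70ACA878BFAAC1EAF7019EDDD97FC877", "elevated": False},
    {"seq": 7, "path": r"C:\Users\user\AppData\Roaming\System.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\System.exe" ..',
     "md5": "70ACA878BFAAC1EAF7019EDDD97FC877", "elevated": False},
]

# Assumptions for this example: path fragments of directories an unprivileged
# user can write to, and file names that imitate Windows system binaries.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")
SYSTEM_LOOKALIKES = {"system.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                     "winlogon.exe", "explorer.exe", "services.exe"}
# Both the legacy 'netsh firewall' syntax used here and the newer advfirewall form.
NETSH_FW = re.compile(r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram|"
                      r"advfirewall\s+firewall\s+add\s+rule)\b", re.I)
QUOTED = re.compile(r'"([^"]+)"')


def in_user_writable(path):
    return any(tok in path.lower() for tok in USER_WRITABLE)


def triage(events):
    """Return (seq, rule, detail) findings. The first event is treated as the
    submitted sample; any later process carrying its hash from another path
    is a self-copy of it."""
    sample_md5 = events[0]["md5"].lower()
    sample_path = events[0]["path"].lower()
    findings = []
    for e in events:
        path, cmd = e["path"], e["cmdline"]
        name = PureWindowsPath(path).name.lower()
        is_sample_copy = e["md5"].lower() == sample_md5 and path.lower() != sample_path
        # Rule 1: firewall exception whose program lives in a user-writable directory.
        if name == "netsh.exe" and NETSH_FW.search(cmd):
            for p in QUOTED.findall(cmd):
                if p.lower().endswith(".exe") and in_user_writable(p):
                    findings.append((e["seq"], "firewall_exception_user_writable_binary", p))
        # Rule 2: system-sounding binary name outside system directories.
        if name in SYSTEM_LOOKALIKES and in_user_writable(path):
            findings.append((e["seq"], "system_lookalike_in_user_writable_path", path))
        # Rule 3: the submitted sample running again from a new location.
        if is_sample_copy:
            findings.append((e["seq"], "sample_copy_started_from_new_path", path))
        # Rule 4: the relaunch argument seen in this report.
        if is_sample_copy and cmd.rstrip().endswith(" .."):
            findings.append((e["seq"], "relaunch_with_dotdot_argument", cmd))
    return findings


def summarise(findings):
    """Count findings per rule, e.g. {'sample_copy_started_from_new_path': 4, ...}."""
    counts = {}
    for _, rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(*f)
    print(summarise(triage(EVENTS)))
```

The hash-based copy rule is the one that survives renaming: it does not care what the dropped file is called, only that the submitted sample's bytes are executing from a second location. The firewall rule is worth keeping even where netsh is rarely used, because a legitimate installer adding an exception for a binary under a user profile is unusual enough to review by hand.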

                        Disassembly

                        Code Analysis


                          Executed Functions

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.319635332.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4fd0000_72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.jbxd
                          Similarity
                          • API ID:
                          • String ID: he$pc
                          • API String ID: 0-636139565
                          • Opcode ID: 30ac297cf1e6a2b5a739fc9aaccbd99218755ddff243c7546598d2d53ec2a031
                          • Instruction ID: 5d7544d2eb2649e9d6a000b49d424aac14402607bb57c201f50539a7be1e3886
                          • Opcode Fuzzy Hash: 30ac297cf1e6a2b5a739fc9aaccbd99218755ddff243c7546598d2d53ec2a031
                          • Instruction Fuzzy Hash: CA5106327002418FCB15AB7AD451A7D3BE7AFC9345B584129E406EB3A6DF38DD42CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.319635332.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4fd0000_72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.jbxd
                          Similarity
                          • API ID:
                          • String ID: he$pc
                          • API String ID: 0-636139565
                          • Opcode ID: 05203b1da52ae6d0817bddd8a9f647031fa83826ab65200d409983d1bb736d88
                          • Instruction ID: 912eac38ece537fa6d62d00e79bb06b169ac31badacc34b78198b0787f671493
                          • Opcode Fuzzy Hash: 05203b1da52ae6d0817bddd8a9f647031fa83826ab65200d409983d1bb736d88
                          • Instruction Fuzzy Hash: 2F4125327005518FCB0ABB7AD5116BD3AD76FC8745B584129E406FF3A6DF388D068BA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.319635332.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4fd0000_72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.jbxd
                          Similarity
                          • API ID:
                          • String ID: X1q
                          • API String ID: 0-4213818131
                          • Opcode ID: c0b1e80ca38f762a5b15007a74659e3b4c56c0639be333b98ce8770678b9e894
                          • Instruction ID: 77b720225e7a698d88a7732c319850ff662d7090dc4344a67e924f3b73daea40
                          • Opcode Fuzzy Hash: c0b1e80ca38f762a5b15007a74659e3b4c56c0639be333b98ce8770678b9e894
                          • Instruction Fuzzy Hash: 1A025C327002518FCB19FB78D85466E7BE7AF88305F144469D406EB3A9EF39AC46CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.319635332.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4fd0000_72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.jbxd
                          Similarity
                          • API ID:
                          • String ID: h
                          • API String ID: 0-2369973550
                          • Opcode ID: 3f4c12082a4fe3cbc6fad9888bc85bc114af3487867b2c9eef4a4e81d503f121
                          • Instruction ID: 294810a0f649feea362bc0d349c0c0486ca197e1c69b8bf9c43115d4e7782889
                          • Opcode Fuzzy Hash: 3f4c12082a4fe3cbc6fad9888bc85bc114af3487867b2c9eef4a4e81d503f121
                          • Instruction Fuzzy Hash: 9F014C31604282CFCB09FB78E65945D7FE1FBC4308B418A3DA545DB35AEA709C45DB82
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.319635332.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4fd0000_72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5c99a30234eade974fc4237d7d14ed1c7fdc21ae3fcf8a77c9772c409ba72dea
                          • Instruction ID: daa2889861858b5f4160ae9650e0d73e27b393e852d2fcc96af406e4683bd4dd
                          • Opcode Fuzzy Hash: 5c99a30234eade974fc4237d7d14ed1c7fdc21ae3fcf8a77c9772c409ba72dea
                          • Instruction Fuzzy Hash: C7B19E32700151CFDB19FB74E854A6D3BE7AB88305B144439D406EB3A9EF39AC46CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.319635332.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4fd0000_72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 57fca2f8576f714ee0801b9158b444e531cfdc12f1f7546be774b465ab02726a
                          • Instruction ID: 7d297b52e17a6cda464669aed559710f16cf8faf754007c805b130e6ec90d48e
                          • Opcode Fuzzy Hash: 57fca2f8576f714ee0801b9158b444e531cfdc12f1f7546be774b465ab02726a
                          • Instruction Fuzzy Hash: BE516C322142868FC706FB79EA8494D3FB6FB81305750882890458F3AFDB745E4ACF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.319375662.0000000000E70000.00000040.00000040.sdmp, Offset: 00E70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_e70000_72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0f221f96d5d2507e16f6361ab97d09d3f40ab298d07222d0b0e050cc597bbc75
                          • Instruction ID: eae2195e44d274a87ff9ca071e3f137a48c30d89c36464ab6bb390326c4e5f87
                          • Opcode Fuzzy Hash: 0f221f96d5d2507e16f6361ab97d09d3f40ab298d07222d0b0e050cc597bbc75
                          • Instruction Fuzzy Hash: 8CF0D6B25093806FD7128F06DC40863FFACEA86620748C09FED498B612D225A808CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.319635332.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_4fd0000_72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 47a5b24434550f550942c9cd41987741a80c8fad834f0ea7fe10cec59e7c64f0
                          • Instruction ID: 3f8ac790711c43623c42a0f398e7ad95825ac3b37b0f0381072e7e0e276076f1
                          • Opcode Fuzzy Hash: 47a5b24434550f550942c9cd41987741a80c8fad834f0ea7fe10cec59e7c64f0
                          • Instruction Fuzzy Hash: 7FF05A8284E7C09FE70352302C7A2C23FB5AD63025B9E01D7CC82CA6A3A40C5D1E9772
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.319375662.0000000000E70000.00000040.00000040.sdmp, Offset: 00E70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_e70000_72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 017b945f161f1937d8437e01c0d69ad57d01158b46cb8fb69e744fc2080bb515
                          • Instruction ID: e14587020b2dc1cc7571eaa3d28590df232eaf09cc4047d3f49ba6e280f8294f
                          • Opcode Fuzzy Hash: 017b945f161f1937d8437e01c0d69ad57d01158b46cb8fb69e744fc2080bb515
                          • Instruction Fuzzy Hash: 7DE092766446004BD650CF0AEC41452F7D8EB88631758C07FDD0D8B700E579B504CEA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Memory Dump Source
                          • Source File: 00000000.00000002.319076223.0000000000842000.00000002.00020000.sdmp, Offset: 00840000, based on PE: true
                          • Associated: 00000000.00000002.319071787.0000000000840000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.319083975.000000000084C000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_840000_72CA3E2F8479A075C8E089F543F79C4F1CF868D66D327.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e6919f3a4ff4de27dcce131fea2259d80812898fa0f84e16dd768bdf78f16aea
                          • Instruction ID: a4e93e8735969ccb381aca888f729ce16362774894f1c71115dc087fcee02caf
                          • Opcode Fuzzy Hash: e6919f3a4ff4de27dcce131fea2259d80812898fa0f84e16dd768bdf78f16aea
                          • Instruction Fuzzy Hash: D982DA6684E3C14FC7138B308CA5A917FB0AE13214B1E46DBD4C1CF5A3E25D9A5ADB63
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Execution Graph

                          Execution Coverage: 25.1%
                          Dynamic/Decrypted Code Coverage: 100%
                          Signature Coverage: 8.3%
                          Total number of Nodes: 168
                          Total number of Limit Nodes: 3

                          Graph (rendered node/edge layout not reproduced; API-calling entry points recovered from the graph data)

                          • 57e1d7e: WSAConnect
                          • 57e2dfe: RegCreateKeyExW
                          • 57e0f7f: RegQueryValueExW
                          • 57e1ab8: GetProcessTimes
                          • 57e2136, 57e2116: LoadLibraryA
                          • 57e1072: WSASocketW
                          • 57e0007, 57e0032: NtSetInformationProcess (reached from 17303bd via 1732370 and 1731ed7)
                          • 57e1730: MapViewOfFile
                          • 57e166e, 57e164e: OpenFileMappingW
                          • 57e022f, 57e026a: NtQuerySystemInformation
                          • 57e316c: GetProcessWorkingSetSize
                          • 57e326b: SetProcessWorkingSetSize
                          • 57e1bac: getaddrinfo
                          • 57e02e4, 57e0312: DuplicateHandle
                          • 57e19e5: shutdown
                          • 57e0160: K32EnumProcesses
                          • 57e309d: select
                          • 57e1498: ConvertStringSecurityDescriptorToSecurityDescriptorW
                          • 57e2fd7: ioctlsocket
                          • 57e1e3a, 57e1eaa: GetVolumeInformationA (reached from 1731608 via 1731653/17316df/1731660/17316c1/17316f2, 1730310, 17327c0/173275f and 1732de8/1732dd8)
                          • 1731227, 1730301: managed call sites into the above (4 API calls each via 1731653, 17316f2, 17316c1, 1731660, 17316df)

                          Executed Functions

                          APIs
                          • NtQuerySystemInformation.NTDLL ref: 057E02A5
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: InformationQuerySystem
                          • String ID:
                          • API String ID: 3562636166-0
                          • Opcode ID: 5ff2e06adb2883ae90ffa0d01ab9b1c40eb3a7b64c79ea5f554ccbc0db085717
                          • Instruction ID: 98950b7ec71e933b6c200088527e2d53cf4f857bcaccee730fa8741117a8cd0c
                          • Opcode Fuzzy Hash: 5ff2e06adb2883ae90ffa0d01ab9b1c40eb3a7b64c79ea5f554ccbc0db085717
                          • Instruction Fuzzy Hash: ED21A1714097C05FDB238B20DC45A51FFB4EF16314F0984DBE9844B163D265A90DDB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtSetInformationProcess.NTDLL(?,?,?,?), ref: 057E006D
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: InformationProcess
                          • String ID:
                          • API String ID: 1801817001-0
                          • Opcode ID: 096b2284d674f75eb89a4955f909c716e81c38372b4815082f5acf74d17959d8
                          • Instruction ID: c61ab4fb3136987a30f93a066f7845f7228ecdd60b8fe2d5eebd555b2259f09f
                          • Opcode Fuzzy Hash: 096b2284d674f75eb89a4955f909c716e81c38372b4815082f5acf74d17959d8
                          • Instruction Fuzzy Hash: 3A11BF714097809FD7228F14DC44F62FFB4EF4A320F09C49AED844B263D2B9A948CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtQuerySystemInformation.NTDLL ref: 057E02A5
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: InformationQuerySystem
                          • String ID:
                          • API String ID: 3562636166-0
                          • Opcode ID: 8e345f910a8468ae69867f4ce5a8e4a526aeae5a2709842a13a0bb58be92970f
                          • Instruction ID: 7320a6419127464d73811d03952e05181a13e91d3aa6e0cc5dca6e5979e4ce33
                          • Opcode Fuzzy Hash: 8e345f910a8468ae69867f4ce5a8e4a526aeae5a2709842a13a0bb58be92970f
                          • Instruction Fuzzy Hash: E5018B355003409FDB21CF49D988B65FFE4FF08321F08C49ADD895B612C2B5A418DF62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtSetInformationProcess.NTDLL(?,?,?,?), ref: 057E006D
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: InformationProcess
                          • String ID:
                          • API String ID: 1801817001-0
                          • Opcode ID: 8e345f910a8468ae69867f4ce5a8e4a526aeae5a2709842a13a0bb58be92970f
                          • Instruction ID: c97807564f246a40d2d9c9e291d8b97c314959571997b42683261a9e7ee16eb5
                          • Opcode Fuzzy Hash: 8e345f910a8468ae69867f4ce5a8e4a526aeae5a2709842a13a0bb58be92970f
                          • Instruction Fuzzy Hash: C2018B35500740DFDB22CF19D988B22FFA1FF48321F08C49ADD890B612E2B6A418DB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (image not reproduced)
                          • Blocks: 1730968-17310d3
                          • Internal calls: 30e05cf, 30e05f6
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID: X1q
                          • API String ID: 0-4213818131
                          • Opcode ID: 894cddc6264d61207374902c81ea6b5646cba37f1bf7c983047965f3528a21bd
                          • Instruction ID: 540568ad2df8380038093fb891abe96a1877dd56b271fb209787d428c20fa7c5
                          • Opcode Fuzzy Hash: 894cddc6264d61207374902c81ea6b5646cba37f1bf7c983047965f3528a21bd
                          • Instruction Fuzzy Hash: 26026B307002518FEB19DB78E85466EBBE2EFC8701B148479E506DB3A5EF399C46CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (image not reproduced)
                          • Blocks: 57e0f7f-57e106a
                          • API calls: RegQueryValueExW
                          APIs
                          • RegQueryValueExW.KERNEL32(?,00000E2C,?,?), ref: 057E1046
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: bc1739463f51e8792405c4722dec0c19807bcc73f7cda6d314c00df16b1c214b
                          • Instruction ID: 207a2f33c9d68ec0b7f41424ebdff8ae92d7d36ee188579f0a11079fc8dbbb0e
                          • Opcode Fuzzy Hash: bc1739463f51e8792405c4722dec0c19807bcc73f7cda6d314c00df16b1c214b
                          • Instruction Fuzzy Hash: 50318F7500E3C06FD3138B258C61A61BFB4EF47610B0E85CBE8848F5A3D269A919C7B2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (image not reproduced)
                          • Blocks: 57e2dfe-57e2f0b
                          • API calls: RegCreateKeyExW
                          APIs
                          • RegCreateKeyExW.KERNEL32(?,00000E2C), ref: 057E2EC5
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: af12d9c3f4c1ad40f0baccd513a7a27584d781f5932ba2dd2cd0ff7ea5ddacb5
                          • Instruction ID: 895e6112c067f830f78f95b4e267472f035b2ef5ef015b25ab8636f3b52468fc
                          • Opcode Fuzzy Hash: af12d9c3f4c1ad40f0baccd513a7a27584d781f5932ba2dd2cd0ff7ea5ddacb5
                          • Instruction Fuzzy Hash: 9B316F76504344AFEB22CF25CD85F66BFECEF09310F08859AE9859B152D264E908DBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (image not reproduced)
                          • Blocks: 57e1bac-57e1cc9
                          • API calls: getaddrinfo
                          APIs
                          • getaddrinfo.WS2_32(?,00000E2C), ref: 057E1C73
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: getaddrinfo
                          • String ID:
                          • API String ID: 300660673-0
                          • Opcode ID: 2946b9a768b0f1dc97d7d1e3cd2dec8b5f35631258d72506bf51a7c38fdb2c2d
                          • Instruction ID: 1767e2de6ace837bb42a02f818022c192fd136235badecbca98bd6a3e176e742
                          • Opcode Fuzzy Hash: 2946b9a768b0f1dc97d7d1e3cd2dec8b5f35631258d72506bf51a7c38fdb2c2d
                          • Instruction Fuzzy Hash: DB31C4715003447FE721DB24CC45FA6FBACEF04310F14899AFA459B192D275A948CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (image not reproduced)
                          • Blocks: 57e1e3a-57e1f2b
                          • API calls: GetVolumeInformationA
                          APIs
                          • GetVolumeInformationA.KERNEL32(?,00000E2C,?,?), ref: 057E1EFA
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: InformationVolume
                          • String ID:
                          • API String ID: 2039140958-0
                          • Opcode ID: 2c3b48b5b88e90f910529ab349b2029ab8a18b5a1fde0dff6de7c7be721c6662
                          • Instruction ID: b4030006df5abf3341e4d49e1e1aa743c0fa2145d081fb25d8fe3b0c0fb5d33a
                          • Opcode Fuzzy Hash: 2c3b48b5b88e90f910529ab349b2029ab8a18b5a1fde0dff6de7c7be721c6662
                          • Instruction Fuzzy Hash: 00317C7140D3C06FD3138B258C51A62BFB8AF47610F1981DBD8848F1A3D225A959C7A2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (image not reproduced)
                          • Blocks: 57e1498-57e158b
                          • API calls: ConvertStringSecurityDescriptorToSecurityDescriptorW
                          APIs
                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 057E152F
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: DescriptorSecurity$ConvertString
                          • String ID:
                          • API String ID: 3907675253-0
                          • Opcode ID: c25f553ac7c233e5c55e1f75c6e8f8d9c4eff6a44e96b659597c575fc28c1ccb
                          • Instruction ID: 7441c2e96f5a32455264bad3f47f5be72b7f364796e286091216c130c3600814
                          • Opcode Fuzzy Hash: c25f553ac7c233e5c55e1f75c6e8f8d9c4eff6a44e96b659597c575fc28c1ccb
                          • Instruction Fuzzy Hash: 7C3181715043846FE722CF29DC45F66BFACEF45310F0884AAED85DB152D264A909CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (image not reproduced)
                          • Blocks: 57e1730-57e182a
                          • API calls: MapViewOfFile
                          APIs
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: FileView
                          • String ID:
                          • API String ID: 3314676101-0
                          • Opcode ID: 17cd5d2951b666e6a2fa7cbb84eb1f0ba43be892b55e63f8a5a963c4398aad99
                          • Instruction ID: 353ba145175e11741748d200d589f9b5991ed73d6fc6b01025c886377818d672
                          • Opcode Fuzzy Hash: 17cd5d2951b666e6a2fa7cbb84eb1f0ba43be892b55e63f8a5a963c4398aad99
                          • Instruction Fuzzy Hash: E031B3B2404780AFE722CB19DC45F96FFF8EF0A320F04859AE9849B252D375A549CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (image not reproduced)
                          • Blocks: 57e2e2a-57e2f0b
                          • API calls: RegCreateKeyExW
                          APIs
                          • RegCreateKeyExW.KERNEL32(?,00000E2C), ref: 057E2EC5
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: b1747a51b8dd60b6e8259ef2e6bf4d51f39458b5013d9262a265e00dddfa836d
                          • Instruction ID: a6b8d6e98b959d54170d170942583f364ae7d15fd589ea6009b742a82790f600
                          • Opcode Fuzzy Hash: b1747a51b8dd60b6e8259ef2e6bf4d51f39458b5013d9262a265e00dddfa836d
                          • Instruction Fuzzy Hash: F7217C76500304AFEB21DE29CD89F67BBECEF08710F08855AED85DB652D660E5089BB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (image not reproduced)
                          • Blocks: 57e316c-57e3254
                          • API calls: GetProcessWorkingSetSize
                          APIs
                          • GetProcessWorkingSetSize.KERNEL32(?,00000E2C,A5D7C5F2,00000000,00000000,00000000,00000000), ref: 057E3203
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: ProcessSizeWorking
                          • String ID:
                          • API String ID: 3584180929-0
                          • Opcode ID: 44eeccc40fd3d730a67b80ec59f1a0bb53bfa2576b2b214ac9525f0825685c99
                          • Instruction ID: 34357288c3577dbd19e31b42c7326872fb785a430f0ceeaf6c275ea9d0582b94
                          • Opcode Fuzzy Hash: 44eeccc40fd3d730a67b80ec59f1a0bb53bfa2576b2b214ac9525f0825685c99
                          • Instruction Fuzzy Hash: 8321C3715093806FE7138B24DC55FA6BFA8EF46210F08C4EAE9889F153D225A909C762
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (image not reproduced)
                          • Blocks: 57e1bce-57e1cc9
                          • API calls: getaddrinfo
                          APIs
                          • getaddrinfo.WS2_32(?,00000E2C), ref: 057E1C73
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: getaddrinfo
                          • String ID:
                          • API String ID: 300660673-0
                          • Opcode ID: 1356ed4adfa993eb9ac2989824d98933f1bfd8717df234194585e469c631f437
                          • Instruction ID: 92aa5f11629a1d79810570b073601788969eccb6e2bcc16454dbefa097da682f
                          • Opcode Fuzzy Hash: 1356ed4adfa993eb9ac2989824d98933f1bfd8717df234194585e469c631f437
                          • Instruction Fuzzy Hash: 9E21D371500204AFFB21DF28CD85FBAFBACEF08710F10895AEE45AB181D675A508CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (image not reproduced)
                          • Blocks: 57e309d-57e316a
                          • API calls: select
                          APIs
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: select
                          • String ID:
                          • API String ID: 1274211008-0
                          • Opcode ID: cd34dcaa7cfbdd213cb992089f06afe370cd5ced12bd9048a7eafa6a89e21e49
                          • Instruction ID: 7c8ff6426de18da0e511b5cd504089c06419dd0c4be5f5ea82d4b9f47f957d3e
                          • Opcode Fuzzy Hash: cd34dcaa7cfbdd213cb992089f06afe370cd5ced12bd9048a7eafa6a89e21e49
                          • Instruction Fuzzy Hash: 16218D715097849FD722CF25CC44AA2BFF8FF0A210F0888DAE984CB163D235A909DB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (image not reproduced)
                          • Blocks: 57e1ab8-57e1b92
                          • API calls: GetProcessTimes
                          APIs
                          • GetProcessTimes.KERNEL32(?,00000E2C,A5D7C5F2,00000000,00000000,00000000,00000000), ref: 057E1B41
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: ProcessTimes
                          • String ID:
                          • API String ID: 1995159646-0
                          • Opcode ID: 2891aadc803bf4038c3cba5a4972d78750080916403bf130b4f0111c0974ddff
                          • Instruction ID: 9dcf0eac8870d8ecbdc056644bdbceb655bdccbad6d7b29fea6d513660bcd2f2
                          • Opcode Fuzzy Hash: 2891aadc803bf4038c3cba5a4972d78750080916403bf130b4f0111c0974ddff
                          • Instruction Fuzzy Hash: 0E21C471105380AFEB22CF24DD45FA7BFB8EF46310F08849AED859B152D235A448CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (image not reproduced)
                          • Blocks: 1731660-1731bbd
                          • Internal calls: 1730310 (x2), 30e05cf, 30e05f6, 17327c0, 173275f, 1732957, 1732915, 17328c5, 17329cb, 1732bc8, 1732aad, 1733048, 1733038, 1731d70, 1731d60
                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID: X1q
                          • API String ID: 0-4213818131
                          • Opcode ID: def2c2492329fc206b6a6298f57dcb0b7af09b69a8af1bc600c90bac702a5cc3
                          • Instruction ID: cbb6214635fea365ce84f1ae218753695a5e9f65e22317b3ed8ea11e0caadc53
                          • Opcode Fuzzy Hash: def2c2492329fc206b6a6298f57dcb0b7af09b69a8af1bc600c90bac702a5cc3
                          • Instruction Fuzzy Hash: D6C1AC34700190CFEB1ADB78E65476E7BE7EBC8B02F508029E50A97396DE798D05CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (graph image not preserved in this export): entry block 57e164e-57e16bd; blocks 57e16bf, 57e16c2-57e16d1, 57e16d3-57e16f7 (calls OpenFileMappingW), 57e16f9-57e171f, 57e1722-57e1727, 57e1729-57e172e.
                          APIs
                          • OpenFileMappingW.KERNELBASE(?,?), ref: 057E16D9
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: FileMappingOpen
                          • String ID:
                          • API String ID: 1680863896-0
                          • Opcode ID: 99630f6736f7d85e22eaec2bcc3f5fcde556e03f4f26ce500b6210a326c19927
                          • Instruction ID: 5072fa5af3fceddc477b6b19b14b2270f226ddee1147f21537d0eceaab303c48
                          • Opcode Fuzzy Hash: 99630f6736f7d85e22eaec2bcc3f5fcde556e03f4f26ce500b6210a326c19927
                          • Instruction Fuzzy Hash: F72191B15053806FE722CF25DC45F66FFE8EF45210F08849EED859B252D275E908CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (graph image not preserved in this export): entry block 57e1072-57e10f6; blocks 57e10f8-57e1100 (calls WSASocketW), 57e1106-57e111c, 57e111e-57e1144, 57e1147-57e114c, 57e114e-57e1153.
                          APIs
                          • WSASocketW.WS2_32(?,?,?,?,?), ref: 057E10FE
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: Socket
                          • String ID:
                          • API String ID: 38366605-0
                          • Opcode ID: b706bb3dacd28e1ecece06b95a640ee54d9c2ac51ff20c34a42eb7cae547d5c9
                          • Instruction ID: fca62b8e9de2359cdfede66ac0c758a7f937b1efcea600efe8a912c63ef48885
                          • Opcode Fuzzy Hash: b706bb3dacd28e1ecece06b95a640ee54d9c2ac51ff20c34a42eb7cae547d5c9
                          • Instruction Fuzzy Hash: 3D21AD71509380AFE722CF65DD45FA6FFB8EF09310F08849EE9859B652D375A408CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • K32EnumProcesses.KERNEL32(?,?,?,A5D7C5F2,00000000,?,?,?,?,?,?,?,?,72733C38), ref: 057E01E6
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: EnumProcesses
                          • String ID:
                          • API String ID: 84517404-0
                          • Opcode ID: bd9e7fbd099f9f45f8f17e69b693cdf8b6c917e0f376f552fb1251bfc51dcc59
                          • Instruction ID: 2e45aa903374c8f5c867503be5f95ebf2f9b63329e7c38f4e7ebc280cc0c5d2a
                          • Opcode Fuzzy Hash: bd9e7fbd099f9f45f8f17e69b693cdf8b6c917e0f376f552fb1251bfc51dcc59
                          • Instruction Fuzzy Hash: FA218B7150A3C09FD7138B75DC54A92BFB8AF47220F0D84EBD984CF1A3D264A908CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 057E152F
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: DescriptorSecurity$ConvertString
                          • String ID:
                          • API String ID: 3907675253-0
                          • Opcode ID: e46246023608d7152359b5c23f1cabe8f90a9f444eb91eb3c861acf2712da3c1
                          • Instruction ID: e6e715aca77536985b7fb919641365c912b77862f707f46c1d619157dd0ab73b
                          • Opcode Fuzzy Hash: e46246023608d7152359b5c23f1cabe8f90a9f444eb91eb3c861acf2712da3c1
                          • Instruction Fuzzy Hash: 86219271600304AFEB21DF29DD46F6ABBACEF44310F14846AED46DB242D674A505CB71
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegQueryValueExW.KERNEL32(?,00000E2C,A5D7C5F2,00000000,00000000,00000000,00000000), ref: 057E1444
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: 1a61bcfde7254e66acc018a2d7af26ab9e77ee4dde8b4daae6a3f845b3638fbe
                          • Instruction ID: 0103c1f269cc172c89b2706a9f1beb1fe86836018ff1f27e0632dbc3a12332ec
                          • Opcode Fuzzy Hash: 1a61bcfde7254e66acc018a2d7af26ab9e77ee4dde8b4daae6a3f845b3638fbe
                          • Instruction Fuzzy Hash: A7219172508380AFE722CB15CD45F66BFF8EF4A310F08849AE9859B292D264E808C761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetProcessWorkingSetSize.KERNEL32(?,00000E2C,A5D7C5F2,00000000,00000000,00000000,00000000), ref: 057E32E7
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: ProcessSizeWorking
                          • String ID:
                          • API String ID: 3584180929-0
                          • Opcode ID: ca9beb4ae8811bde8a2a13e8d7abd670e94298ac85fd14b046d63ff8a3bf859a
                          • Instruction ID: 0419740ec348925dcf8ffb8a8eed928b03dbcc6307e98e891aad550afc098adb
                          • Opcode Fuzzy Hash: ca9beb4ae8811bde8a2a13e8d7abd670e94298ac85fd14b046d63ff8a3bf859a
                          • Instruction Fuzzy Hash: 322192715093846FE712CB25DD45F66BFA8EF46220F08C4AAED859B152D264A908CBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • shutdown.WS2_32(?,00000E2C,A5D7C5F2,00000000,00000000,00000000,00000000), ref: 057E1A68
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: shutdown
                          • String ID:
                          • API String ID: 2510479042-0
                          • Opcode ID: 0072236bd36e5441f4d9e322e6f405b714ba22792fda80882a846d05144e05dd
                          • Instruction ID: 4d376cef1fda1b2dadec3c7ec2455c2dfb0622d411a6c17c24dd468bb4c243eb
                          • Opcode Fuzzy Hash: 0072236bd36e5441f4d9e322e6f405b714ba22792fda80882a846d05144e05dd
                          • Instruction Fuzzy Hash: 4D21C571409380AFE712CB24CD45F66FFA8EF46220F0884DBE9849F152C268A548C7A2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ioctlsocket.WS2_32(?,00000E2C,A5D7C5F2,00000000,00000000,00000000,00000000), ref: 057E3053
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: ioctlsocket
                          • String ID:
                          • API String ID: 3577187118-0
                          • Opcode ID: bac35ce86eb74c7c8eb797ca23f65711307f40e9e92e27d0f9c47eaac0488ad0
                          • Instruction ID: 5bbe2fd60644cdac939483786a83e4b7c42fb31c7394d20dca0f0302f2ca9a02
                          • Opcode Fuzzy Hash: bac35ce86eb74c7c8eb797ca23f65711307f40e9e92e27d0f9c47eaac0488ad0
                          • Instruction Fuzzy Hash: C52184714093846FEB22CF25DD45F66BFA8EF46310F18849AED849B152D274A548C7A2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • OpenFileMappingW.KERNELBASE(?,?), ref: 057E16D9
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: FileMappingOpen
                          • String ID:
                          • API String ID: 1680863896-0
                          • Opcode ID: b95ec5c677f48532c29a3fd7e764c97f381436922b85bf2119d58f47c882c4fd
                          • Instruction ID: 6669e3df89ef7f3f120c423c26c15a5573634b16cbee74f6f20e32f4c480837a
                          • Opcode Fuzzy Hash: b95ec5c677f48532c29a3fd7e764c97f381436922b85bf2119d58f47c882c4fd
                          • Instruction Fuzzy Hash: 3521D2B1500340AFE721DF29DD85B66FBE8EF48320F18846EED859B252D675E404CB76
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 057E1DFA
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: Connect
                          • String ID:
                          • API String ID: 3144859779-0
                          • Opcode ID: d57efa010723fe57e81a379b7c1f626a69c6b47396d6a19530e41da421d01920
                          • Instruction ID: ba8a357f6412a1279bf382a6b1aa34cff035dae1b45745abba7f3d8e47bb6aeb
                          • Opcode Fuzzy Hash: d57efa010723fe57e81a379b7c1f626a69c6b47396d6a19530e41da421d01920
                          • Instruction Fuzzy Hash: 6E218071409384AFDB228F55DC44B62BFF4FF4A210F08859AE9858B163D275A818DB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: FileView
                          • String ID:
                          • API String ID: 3314676101-0
                          • Opcode ID: 787af54808f00e951bf556ddee37828f4a5f2cfca6dfcc150c8c71e7683544cb
                          • Instruction ID: e0ff756e2902a1eeb876f7e1bbbe3227777186af00993726bad1dd93cb22677e
                          • Opcode Fuzzy Hash: 787af54808f00e951bf556ddee37828f4a5f2cfca6dfcc150c8c71e7683544cb
                          • Instruction Fuzzy Hash: 7221C071500344AFE722CF19CD89FA6FBE8EF08320F04845EE9859B652D375A508CBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • WSASocketW.WS2_32(?,?,?,?,?), ref: 057E10FE
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: Socket
                          • String ID:
                          • API String ID: 38366605-0
                          • Opcode ID: 367824b59faaa1ee0d998f3ae82e7e79f8890699635d53d97e1c83207ff251ad
                          • Instruction ID: 2f70d0db86a7196eb389debaf28e204e01fb72e735cd5c720de02428714e1356
                          • Opcode Fuzzy Hash: 367824b59faaa1ee0d998f3ae82e7e79f8890699635d53d97e1c83207ff251ad
                          • Instruction Fuzzy Hash: F621D171500340AFE722DF69DD45F66FBE9EF08310F04846EED858B652D371A408CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNEL32(?,00000E2C), ref: 057E219F
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 20bb44fcc9cbe377a304cbbf36599631c337c870a33c16f9a94ca47c155bc41a
                          • Instruction ID: 1adfebfb0b0c2ba6d525a1a67a3904cab41a16f69234e22c2e4231f3f50bd4eb
                          • Opcode Fuzzy Hash: 20bb44fcc9cbe377a304cbbf36599631c337c870a33c16f9a94ca47c155bc41a
                          • Instruction Fuzzy Hash: 26110A711043406FE722CB14DD45F66FFACEF45320F14809AFD445B192C275A948CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegQueryValueExW.KERNEL32(?,00000E2C,A5D7C5F2,00000000,00000000,00000000,00000000), ref: 057E1444
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: b462507d7fc1c026c624ab7bf1f5f53211ea9b4c3ae4294d1160ce9028db25b4
                          • Instruction ID: 29656f61a484bbb8e58067063d4f4ed28b57a46f7e9bf0e3c03a850ce095229c
                          • Opcode Fuzzy Hash: b462507d7fc1c026c624ab7bf1f5f53211ea9b4c3ae4294d1160ce9028db25b4
                          • Instruction Fuzzy Hash: 6C117F72500300AFEB21CF15DD45F66FBE8EF09710F14846AED859B652D674E448DBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetProcessTimes.KERNEL32(?,00000E2C,A5D7C5F2,00000000,00000000,00000000,00000000), ref: 057E1B41
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: ProcessTimes
                          • String ID:
                          • API String ID: 1995159646-0
                          • Opcode ID: f7e95fa8aa8637358891fc9238be31e411689302c5fa2955fa8fbcc5cf1c5fb6
                          • Instruction ID: 7838071d00bab35eb5601e046cd2fc416ac982c372a7381e71444f00d0d1a667
                          • Opcode Fuzzy Hash: f7e95fa8aa8637358891fc9238be31e411689302c5fa2955fa8fbcc5cf1c5fb6
                          • Instruction Fuzzy Hash: 2E11E671500304AFEB22CF65DE85F66FBA8EF48720F14C46AED459B651D270A404CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetProcessWorkingSetSize.KERNEL32(?,00000E2C,A5D7C5F2,00000000,00000000,00000000,00000000), ref: 057E3203
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: ProcessSizeWorking
                          • String ID:
                          • API String ID: 3584180929-0
                          • Opcode ID: 5bbdac413a469e96a9172bbcca80472d66097ded9b0db4b76964f15770218e92
                          • Instruction ID: ef6f05bdc2de26e18fd6ddf39f970645e15b703210d451f085c09f4032cffe6a
                          • Opcode Fuzzy Hash: 5bbdac413a469e96a9172bbcca80472d66097ded9b0db4b76964f15770218e92
                          • Instruction Fuzzy Hash: 9411C471500300AFEB12CF65DE45F6AFB9CEF45720F14C46AED459B241D674A5048BB5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetProcessWorkingSetSize.KERNEL32(?,00000E2C,A5D7C5F2,00000000,00000000,00000000,00000000), ref: 057E32E7
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: ProcessSizeWorking
                          • String ID:
                          • API String ID: 3584180929-0
                          • Opcode ID: 5bbdac413a469e96a9172bbcca80472d66097ded9b0db4b76964f15770218e92
                          • Instruction ID: 31a9bbabeea49b2c6db14420f0d1577e732d613510ddca90bbd60aa3eb180b8c
                          • Opcode Fuzzy Hash: 5bbdac413a469e96a9172bbcca80472d66097ded9b0db4b76964f15770218e92
                          • Instruction Fuzzy Hash: 0611B271500340AFEB12CF29DE45F6AFB98EF45320F14C46AED459B242D674A8048BB6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 057E0356
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 3d9f08750f12db6eb7444abf04fc1cc8c99c09380c3d03d67017f82c99690ee9
                          • Instruction ID: 43467d5cb6353d254826e260fdc3dd339b7c8c415a72fb2b53222ab696da24db
                          • Opcode Fuzzy Hash: 3d9f08750f12db6eb7444abf04fc1cc8c99c09380c3d03d67017f82c99690ee9
                          • Instruction Fuzzy Hash: C621C6314093809FDB228F50DC44A52FFF4FF46220F0988DEE9858F162C275A858CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID: X1q
                          • API String ID: 0-4213818131
                          • Opcode ID: a2f9dfa88c003cf35fd271c05f5d25be5bec88eb25cc6caee6fe1d26ac2d6002
                          • Instruction ID: 447d08c3675527c940484dd26ff51cc00e82b135f60c67bc0e26ca348d6e7bef
                          • Opcode Fuzzy Hash: a2f9dfa88c003cf35fd271c05f5d25be5bec88eb25cc6caee6fe1d26ac2d6002
                          • Instruction Fuzzy Hash: A1B1AF307001908FEB1ADB78E5547AE7BE7EBC8B02F508069D50A973D6DE798D05CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ioctlsocket.WS2_32(?,00000E2C,A5D7C5F2,00000000,00000000,00000000,00000000), ref: 057E3053
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: ioctlsocket
                          • String ID:
                          • API String ID: 3577187118-0
                          • Opcode ID: d82c2057f8fa3967917eefe48c608f1b44eb9c0ed251afb4cd1613704b2afc30
                          • Instruction ID: 741a529dc9c9e3cdf3ab9c45c8731e30b7e70d0e7a9e224a67fd39a75983cfee
                          • Opcode Fuzzy Hash: d82c2057f8fa3967917eefe48c608f1b44eb9c0ed251afb4cd1613704b2afc30
                          • Instruction Fuzzy Hash: A611CA71500344AFEB22DF55DE45F66FBD8EF44720F14C46AED459B242D274A504CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • shutdown.WS2_32(?,00000E2C,A5D7C5F2,00000000,00000000,00000000,00000000), ref: 057E1A68
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: shutdown
                          • String ID:
                          • API String ID: 2510479042-0
                          • Opcode ID: 49a005217089758d93a85f803d586f78d5c6803b190b69cd9cbf440ec083ec4a
                          • Instruction ID: bc215b314a4bf469852d044262bc962bdad6529eb0dd55f94c1ca99b76edae4b
                          • Opcode Fuzzy Hash: 49a005217089758d93a85f803d586f78d5c6803b190b69cd9cbf440ec083ec4a
                          • Instruction Fuzzy Hash: 6611A371500344AEEB11CF15DE4AB76BB9CEF44320F1484AAED45AB242D274A504CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryA.KERNEL32(?,00000E2C), ref: 057E219F
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 3c2ce84b643653fcd3574f824a9bc94a966605f2e428fce861430186aa844388
                          • Instruction ID: 6e364bcc407f188a6d3d471151af7bc3023f183f86c884d7aba1aeee53c3e503
                          • Opcode Fuzzy Hash: 3c2ce84b643653fcd3574f824a9bc94a966605f2e428fce861430186aa844388
                          • Instruction Fuzzy Hash: 01112575100300AFE721DB18DD45F7AFB9CEF08720F14849AEE445B282C2B5A6488AB6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: select
                          • String ID:
                          • API String ID: 1274211008-0
                          • Opcode ID: 72bd6b9273e1016147d2c4324d5c1e1dd29e57d78a0f082a7507f875642ce063
                          • Instruction ID: 1cbba5555a494f2d84983bef3a0eaa123222fc5590e1a0998eb37919be5f5d67
                          • Opcode Fuzzy Hash: 72bd6b9273e1016147d2c4324d5c1e1dd29e57d78a0f082a7507f875642ce063
                          • Instruction Fuzzy Hash: 33115B755047449FD720CF59DD84B62FBE8EF08610F0888AADD49CB212D271E508DB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 057E1DFA
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: Connect
                          • String ID:
                          • API String ID: 3144859779-0
                          • Opcode ID: 3cd8261eda7f291ceba98c5424bad8df4cbb468118820288844b90c5775b6d5f
                          • Instruction ID: afbf1045ff056a689168cd5f23a929122fb3c38c529a10b592b55387b33280ac
                          • Opcode Fuzzy Hash: 3cd8261eda7f291ceba98c5424bad8df4cbb468118820288844b90c5775b6d5f
                          • Instruction Fuzzy Hash: E511A9315007409FDB21CF55D985B62FBE4FF08321F48C4AAEE8A8B622D371E418DB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • K32EnumProcesses.KERNEL32(?,?,?,A5D7C5F2,00000000,?,?,?,?,?,?,?,?,72733C38), ref: 057E01E6
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: EnumProcesses
                          • String ID:
                          • API String ID: 84517404-0
                          • Opcode ID: bf90e7670885263243f02231ce2e1b4442450e35d0d083adb3f5a5953a5d9469
                          • Instruction ID: 4d547070c3e9b9ecba162096ec95e4d1671807b318903b90c7628ae31c4a15b8
                          • Opcode Fuzzy Hash: bf90e7670885263243f02231ce2e1b4442450e35d0d083adb3f5a5953a5d9469
                          • Instruction Fuzzy Hash: 1B11A1715003448FDB11CF65D988B66FBE8EF08320F08C4AADD49CB612D2B0E508DB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetVolumeInformationA.KERNEL32(?,00000E2C,?,?), ref: 057E1EFA
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: InformationVolume
                          • String ID:
                          • API String ID: 2039140958-0
                          • Opcode ID: e7bc5cc3eb2fd2183cc1ee12b69b23a61add5ddd61d9f3ad8ebfddd1e85c7ec6
                          • Instruction ID: 06563f73c216889894bdb12c6b772da931ea5e5eca56fa0d85ea33ce96a6f49c
                          • Opcode Fuzzy Hash: e7bc5cc3eb2fd2183cc1ee12b69b23a61add5ddd61d9f3ad8ebfddd1e85c7ec6
                          • Instruction Fuzzy Hash: A701B171500204ABD350DF1ADC85B26FBE8EB88B20F14C12AED089B641D671B515CBE2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 057E0356
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RegQueryValueExW.KERNEL32(?,00000E2C,?,?), ref: 057E1046
                          Memory Dump Source
                          • Source File: 00000004.00000002.574961153.00000000057E0000.00000040.00000001.sdmp, Offset: 057E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_57e0000_System.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID: X1q
                          • API String ID: 0-4213818131
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID: X1q
                          • API String ID: 0-4213818131
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID: X1q
                          • API String ID: 0-4213818131
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID: X1q
                          • API String ID: 0-4213818131
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4a858059b69a4f649e4fe5e0c6e8c7599b040322c5601c8fecbcfe572f1b1d8e
                          • Instruction ID: e8babe7aee0ec1bb1af0acfbe4ecf2f18657851016784ad5ac45d457299bb838
                          • Opcode Fuzzy Hash: 4a858059b69a4f649e4fe5e0c6e8c7599b040322c5601c8fecbcfe572f1b1d8e
                          • Instruction Fuzzy Hash: 5231AE30B002508FEB15DBB9E55876D7BA2FB88705F148068E50ADB3A5DF39DC46DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 71cd317d37319c4546f7b202b2dc0f81e258f8ad1ccc8936f6cb4d2d5b4f0649
                          • Instruction ID: 7f1af09cd507b82e8da662aeef7ad36fad9db4d8b5d7a6a96fb937af99f87b07
                          • Opcode Fuzzy Hash: 71cd317d37319c4546f7b202b2dc0f81e258f8ad1ccc8936f6cb4d2d5b4f0649
                          • Instruction Fuzzy Hash: 43317134B00111DFDB1A9BB5E5556AD77A6FFC8702B108429D406A73A6DF398C05CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7c0a01178caa21dfcf5a126de5359aa762ef7e053d2cefdd197ecd7a6741caf9
                          • Instruction ID: 5910c0abe5da8b0bb788b8c7d573ba0a975903c50c776baa2d67c324b2d40591
                          • Opcode Fuzzy Hash: 7c0a01178caa21dfcf5a126de5359aa762ef7e053d2cefdd197ecd7a6741caf9
                          • Instruction Fuzzy Hash: 4A119D31F102599BDB18EBB5C850BBEB7BAEFC8250F108529D605FB281EE319C5087A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f47829eac315543722c8419fe02c8e2dba386a2157a5693783dc18480e6fdc08
                          • Instruction ID: 2fadba68c79ca3ec00943290efb06cf6356f335553cc9841131a984f5719e427
                          • Opcode Fuzzy Hash: f47829eac315543722c8419fe02c8e2dba386a2157a5693783dc18480e6fdc08
                          • Instruction Fuzzy Hash: 1B21F371A10224CFDB189B7CC4442EDBBB2FFC8315B2444BDC905A7652EB369C42CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8a1a1cb854a324394bafa00b20cdb1fcea170cb9e59e6a22f579a15e85481ae8
                          • Instruction ID: 886676517fe1987249da64932c2307482b58a8adec7e5221771758f8462f9803
                          • Opcode Fuzzy Hash: 8a1a1cb854a324394bafa00b20cdb1fcea170cb9e59e6a22f579a15e85481ae8
                          • Instruction Fuzzy Hash: 95212C34700201CFEB1ADB78E1546AD77A3FB88B0672544A9E90297364DF3EAC46CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f64299c19d12c194e5614bc06dc5a23387ef7d8b727c7f14ba18611ec9248f6f
                          • Instruction ID: f26e35641a76f925af03ba8b6d6b36f3d14d9a45138a71b8d8cd2d184f29d9d4
                          • Opcode Fuzzy Hash: f64299c19d12c194e5614bc06dc5a23387ef7d8b727c7f14ba18611ec9248f6f
                          • Instruction Fuzzy Hash: 0A11E130B00250CFEB18DBB9E0986ACBBB2FBC5305B108469E015DB395DB35C846CB20
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.575867383.0000000005E30000.00000040.00000001.sdmp, Offset: 05E30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_5e30000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 841d05fca7d847723d8598ed5ad2185ca0943b5b619f6b11d78541963144950f
                          • Instruction ID: 443436e1359cad6682a7bca99cf8a4f7445c76954f4c9c86d87a706484ec43a8
                          • Opcode Fuzzy Hash: 841d05fca7d847723d8598ed5ad2185ca0943b5b619f6b11d78541963144950f
                          • Instruction Fuzzy Hash: 6011BAB5508341AFD340CF19D881A5BFBE4FBC8664F04896EF898D7311D231EA148FA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.573251663.00000000030E0000.00000040.00000040.sdmp, Offset: 030E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_30e0000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: df9fa33642a3934f705a47caf2b0691c3dbc63231df05d9ff2a73491c42a867d
                          • Instruction ID: 2db5d4a522e93cd0752d3525584156e4dc5c7cf366d9810e4a576bc64e8ebc58
                          • Opcode Fuzzy Hash: df9fa33642a3934f705a47caf2b0691c3dbc63231df05d9ff2a73491c42a867d
                          • Instruction Fuzzy Hash: AC11A2343452809FE315CF55C944B29FBE5AB89718F28C99DE9891B743C7BB9803CA51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.573251663.00000000030E0000.00000040.00000040.sdmp, Offset: 030E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_30e0000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1e76cf951fa224f26c632f7a602f850fb48bcedde42093f5a60e8766a5236995
                          • Instruction ID: 4049997df24a2474054b487e35875462e560d2b2711446f1b0edad14b586e83a
                          • Opcode Fuzzy Hash: 1e76cf951fa224f26c632f7a602f850fb48bcedde42093f5a60e8766a5236995
                          • Instruction Fuzzy Hash: 59216D352093C08FD717CB21D950B55BFB2AF86214F198ADED4848B663C37A8916CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2bb3366b78fba51c77197044f12663947e40d6809257414e801724ec7cb4277f
                          • Instruction ID: 5aa9f455a77f3e92db4902f3e42a890e43f4b179073585b261ad89ebbd15ff4f
                          • Opcode Fuzzy Hash: 2bb3366b78fba51c77197044f12663947e40d6809257414e801724ec7cb4277f
                          • Instruction Fuzzy Hash: 1601F732F1020656EB00EABEC8006FEFBEBDFC4254F400436D618E7287EE35D9454662
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0af1cf198bf484518828260cbf206a63415e1b7294713feec8bbc0b2c8f71682
                          • Instruction ID: 93889c36ceb179f8eb18d6c787c96353f27d69f1db35abd8dcf6f197e05fa683
                          • Opcode Fuzzy Hash: 0af1cf198bf484518828260cbf206a63415e1b7294713feec8bbc0b2c8f71682
                          • Instruction Fuzzy Hash: B411FA72D10109AFDF18DBADE9848EEFBF9EFC8251F10856AE505B3225E6305945CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cbe74e575ed3cb74c388c44f44b3f854de61b8d7fe53f00adfd59abebd566353
                          • Instruction ID: f6fe2070936692592b378956a9d5b34e50e78b50a1118bd48c78b8391023b7f2
                          • Opcode Fuzzy Hash: cbe74e575ed3cb74c388c44f44b3f854de61b8d7fe53f00adfd59abebd566353
                          • Instruction Fuzzy Hash: 7D01B132E101199B8F00F7B9D8048FEBBF9EF88655B4008A1D500EB242EE3ADE0587E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 70e7d049d516441ff03610c96012324ec95f212cb60d378400856c7422149e42
                          • Instruction ID: 6436699c36d18be1316b6c97e7f0133d54020e5632eba3b7f16cad08627b39a9
                          • Opcode Fuzzy Hash: 70e7d049d516441ff03610c96012324ec95f212cb60d378400856c7422149e42
                          • Instruction Fuzzy Hash: 43113C35E002148FCF64DFBC98546AEBBF6EB8835572544B9C409E7354EB365D12CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 679fd4f49e880010713d7af6acfeedbe045e3fa1033a24c506afeb78115fed99
                          • Instruction ID: b3336e9eaf11c89631388c2fa9a1315eb703551debbbcf1e7cdc3e2d6b22385d
                          • Opcode Fuzzy Hash: 679fd4f49e880010713d7af6acfeedbe045e3fa1033a24c506afeb78115fed99
                          • Instruction Fuzzy Hash: EE019DA184E3C14FCB838B304C681A1BF716E9322475E41DFD8C4CF0A7E15D494AD726
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8798995871f262995f6cdb34d38a25eb0594b360b152d0c080dca27f5bffb91f
                          • Instruction ID: f1431ab0668a3b4bfe9cfd538e0b62f925433825ca1dd53fe03312079a8ba9af
                          • Opcode Fuzzy Hash: 8798995871f262995f6cdb34d38a25eb0594b360b152d0c080dca27f5bffb91f
                          • Instruction Fuzzy Hash: 88014750B00101CBDB59E7BE105827E65EB3FD8540709801AE80AEB3D5DE38CC019BE2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 789816ec14cedc99fc8fef837127bb00f0bb9b97099324dd6da41e0913e60074
                          • Instruction ID: fef8d383519870148a202f6ca94666ae8bee35acb689277f075032f7d464d5d6
                          • Opcode Fuzzy Hash: 789816ec14cedc99fc8fef837127bb00f0bb9b97099324dd6da41e0913e60074
                          • Instruction Fuzzy Hash: A5015A76F002148FCB64DBBCD85069EBBF6EBC825172044B9D40AE7354EB399D01CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f8b4ff710049219249c48a921e8dc2490c876356c2d32c167994ccd450b7dbea
                          • Instruction ID: b16f0504bf3e6cfc4b2b525296c284db22423dbfedd7d70ae79f990992801251
                          • Opcode Fuzzy Hash: f8b4ff710049219249c48a921e8dc2490c876356c2d32c167994ccd450b7dbea
                          • Instruction Fuzzy Hash: E201A972D1110DABDB04DFE9E9808DEFBF9EF88210F108566E515B7250EA306949CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0cdb9a4d8889fcf7a1c40fd20407d335c409874fcadeb8e48d728658b623c8bd
                          • Instruction ID: dfd3547768bb5bc6a431360947571c07cd6e400de97da3487132310cca6d875f
                          • Opcode Fuzzy Hash: 0cdb9a4d8889fcf7a1c40fd20407d335c409874fcadeb8e48d728658b623c8bd
                          • Instruction Fuzzy Hash: AF01F232E002059FEB10DABCC8046FEFBF6DBC8320F01002ADA14B7186DA32595286A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.573251663.00000000030E0000.00000040.00000040.sdmp, Offset: 030E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_30e0000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2ffc4cace70b77fbbeb8cb365604c773ffdeff7960c1a7316f8be8ae5e2ca6b6
                          • Instruction ID: ba52de4a70afe472b10f56fb554d41bb6af4150395b1d34f84890d28066adcb2
                          • Opcode Fuzzy Hash: 2ffc4cace70b77fbbeb8cb365604c773ffdeff7960c1a7316f8be8ae5e2ca6b6
                          • Instruction Fuzzy Hash: C601A7B25093905FD712CB05DC50863FFA8EE86620748C09BEC898B612D265B904CBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1f5d06f1589c7dba30514488c61fd0b40411d430e1af76362b9cf9b9a872538e
                          • Instruction ID: 29c185a211f39161e628ed099784b0700e86c0e7dd71f77e158188b187365c71
                          • Opcode Fuzzy Hash: 1f5d06f1589c7dba30514488c61fd0b40411d430e1af76362b9cf9b9a872538e
                          • Instruction Fuzzy Hash: BC015A34A01254CFDB19EFB9E1980ACBBB6FF88319B508469E0159B355EB36C846CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f61ed03cb6a5cc7ad132aa0afbc776043b20e26543ab6dda94faab1fc68f3d82
                          • Instruction ID: 329cc47b951a099ef13fc40b4fd755231e94ea54ac300ed260bab7209dec4011
                          • Opcode Fuzzy Hash: f61ed03cb6a5cc7ad132aa0afbc776043b20e26543ab6dda94faab1fc68f3d82
                          • Instruction Fuzzy Hash: DE012135604247DFDB49EF78D68885D7BE2FB84715F00882CE845C739AEB759C449B42
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8ef74643e0c0b0de3bc9455c7228c6c78b3392f42ecdf2e3bfe4965b652cbdf1
                          • Instruction ID: b53db1ea352092705d4f8fda6f4fdf8c0d0ffb7db152e6e49a0953fc622f91f6
                          • Opcode Fuzzy Hash: 8ef74643e0c0b0de3bc9455c7228c6c78b3392f42ecdf2e3bfe4965b652cbdf1
                          • Instruction Fuzzy Hash: 1BF03E71E002199FCF54EFB988016EFBBF9DB88210F10447BD209E3241F6355A058BE1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b7cecaa341d6a54f89b48ee0a1cfbd84c50c7532d86230e6860b5b8d7b22e401
                          • Instruction ID: af635b1e7d9bd5e7b1c85851c94e81a0e8a5aa04ab504694231ddd033d196f8e
                          • Opcode Fuzzy Hash: b7cecaa341d6a54f89b48ee0a1cfbd84c50c7532d86230e6860b5b8d7b22e401
                          • Instruction Fuzzy Hash: F7F02732D14309AFDB60EB38A8044EBFBF4EB81660F0004BAD980E6142DB35CD05CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.573251663.00000000030E0000.00000040.00000040.sdmp, Offset: 030E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_30e0000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
                          • Instruction ID: 407ef62af7621124a53c38eb7a295fb2d8d09435f42839bd9cd65360086af71d
                          • Opcode Fuzzy Hash: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
                          • Instruction Fuzzy Hash: 21F06D35204644DFC302CF00D540B25FBE2EB89718F24C6ADE9481B752C337D813DA81
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.573251663.00000000030E0000.00000040.00000040.sdmp, Offset: 030E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_30e0000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2c580350be6402cd6e9ac611eeabe97cefff7be8c628001dabc907a095fed4d9
                          • Instruction ID: b11c8da21969cead66407c890e19f807eeaee7e4bdae928b5189c096a89dc945
                          • Opcode Fuzzy Hash: 2c580350be6402cd6e9ac611eeabe97cefff7be8c628001dabc907a095fed4d9
                          • Instruction Fuzzy Hash: 46E092B66406004BD654CF0AEC45452F7D8EB84631718C07FDC0D8B711D576B508CEA6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.575867383.0000000005E30000.00000040.00000001.sdmp, Offset: 05E30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_5e30000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d2fe142fd4fc2835a8e9f7d83234be13063f9ffe842767c8ab4bfa67efeb5271
                          • Instruction ID: 57f12796312f2b6deaebe4ad87de8ef08d13bef1bcb1c3cd7b8c1dc984e525b5
                          • Opcode Fuzzy Hash: d2fe142fd4fc2835a8e9f7d83234be13063f9ffe842767c8ab4bfa67efeb5271
                          • Instruction Fuzzy Hash: 54E0D8B25412046BD2108F069C45B12FB98DB84A31F04C467ED081B702D072B5188AF1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.575867383.0000000005E30000.00000040.00000001.sdmp, Offset: 05E30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_5e30000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ed2ff7f624102e8f1c6e73b1949be5ec9446ec0c2f96aac22446b54de251c879
                          • Instruction ID: 2abc2ced28394506fb0b60efe3595376ab4ad8b8cf172fd7a6ec2a0af8102888
                          • Opcode Fuzzy Hash: ed2ff7f624102e8f1c6e73b1949be5ec9446ec0c2f96aac22446b54de251c879
                          • Instruction Fuzzy Hash: 8AE0D8B25012046BD2109F469C45B13FB98DB80A30F04C457ED091B702D172B514CAF1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 51bf5d57d05d6cc7234cc4c6e5d89a3927644f6e3012624887331526e8881285
                          • Instruction ID: b9acbf88809f679a4818c247e3805dc67d554a56d509e6eff1c33f82d0741226
                          • Opcode Fuzzy Hash: 51bf5d57d05d6cc7234cc4c6e5d89a3927644f6e3012624887331526e8881285
                          • Instruction Fuzzy Hash: 5AD05E71A05204AFCB15DAA0B8180EC7F34DB96200B0005BFE409C3262D6304E198710
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_4_2_1730000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: adc7dfdeea85f49b1b1c6f1c5aee44c1d2503f5680c2f1438d7d0941fae5f2a1
                          • Instruction ID: 9ea9a08439675d7169a3efc508abca4449b716ff4d59b6241e62cbf2c4ce6a03
                          • Opcode Fuzzy Hash: adc7dfdeea85f49b1b1c6f1c5aee44c1d2503f5680c2f1438d7d0941fae5f2a1
                          • Instruction Fuzzy Hash: 34C08C3190020CBB8B04EBE0F90E4ACBB6CEA49110B0000ADD80A93351EE312E0497A1
                          Uniqueness

                          Uniqueness Score: -1.00%
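
Every function entry above follows the same layout: a "Memory Dump Source" line naming the `.sdmp` memory dump the function was lifted from, the IDA snapshot file, the (mostly empty) similarity fields, the Opcode/Instruction IDs and fuzzy hashes, and a uniqueness score. The Python below is an added example written for this page, not code from Joe Sandbox or its report tooling: it parses that record format into dictionaries, decodes the dump file name, and applies the checks a reviewer would want (every dump here is non-PE-backed memory with protection 0x40, i.e. PAGE_EXECUTE_READWRITE, which is why the report shows 100% dynamic/decrypted code coverage; Opcode ID always equals Opcode Fuzzy Hash; no Opcode ID recurs across dumps). The sample input is two records copied from this listing with the indentation removed. Reading the first two file-name fields as process index and phase, and the fifth as the Win32 page protection, is an assumption about Joe Sandbox's naming, supported only by the matching snapshot name `hcaresult_<proc>_<phase>_<base>_...`.

```python
import re
from collections import Counter

# Two function records copied from this report's listing (indentation removed),
# including the stray "Strings" header that precedes the second one on the page.
SAMPLE = """\
Memory Dump Source
• Source File: 00000004.00000002.572859662.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1730000_System.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 149a21766e09a8a8304c9a626e40cae928b4d6e6da098cd2d4a451373342fc99
• Instruction ID: 4a6fccd2743f5909da41961979b148f48a3763d60e21ffd40f5cc7de01bd9907
• Opcode Fuzzy Hash: 149a21766e09a8a8304c9a626e40cae928b4d6e6da098cd2d4a451373342fc99
• Instruction Fuzzy Hash: 0141A7316102058FCB14DF38C89456DBBA6EF88304B548479D905DB39BDB35DD42CBA0
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.370422093.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5700000_System.jbxd
Similarity
• API ID:
• String ID: [p^$Zp^
• API String ID: 0-1934270176
• Opcode ID: cd9ba8c9cdccc556dc33199bd5536ae1cae345498750a1a7b04f04cc00b57266
• Instruction ID: db288b5b041438b5d2b3f9d8d6a1a1b7a3a7165fb6e273003caed7425d629a6d
• Opcode Fuzzy Hash: cd9ba8c9cdccc556dc33199bd5536ae1cae345498750a1a7b04f04cc00b57266
• Instruction Fuzzy Hash: D36140307042058FCB4ADB799428A7D3BE7BB89351B994169E802DB3D5DF38CE05DBA1
Uniqueness

Uniqueness Score: -1.00%
"""

RECORD_START = "Memory Dump Source"
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?\d+(?:\.\d+)?)%$")
# Dump name: <process>.<phase>.<dump#>.<base>.<protection>.<type>.sdmp.
# ASSUMPTION: fields 1, 2 and 5 are process index, phase and Win32 page
# protection; only the matching snapshot name (hcaresult_4_2_1730000_...) backs this.
SOURCE_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp, "
    r"Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant


def parse_records(text):
    """One dict per record; every '• Key: value' line becomes a lower-case key.
    Empty values such as 'API ID:' are kept as '' so their absence stays visible."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == RECORD_START:
            current = {}
            records.append(current)
        elif current is None or not line:
            continue  # headers before the first record, blank separators
        elif (m := FIELD_RE.match(line)):
            current[m.group(1).strip().lower().replace(" ", "_")] = m.group(2).strip()
        elif (m := SCORE_RE.match(line)):
            current["uniqueness_score"] = float(m.group(1))
    return records


def parse_source(value):
    """Decode a 'Source File' value into numbers; None if it is not a dump name."""
    m = SOURCE_RE.match(value)
    if not m:
        return None
    return {
        "process": int(m["proc"], 16), "phase": int(m["phase"], 16),
        "base": int(m["base"], 16), "protection": int(m["prot"], 16),
        "offset": int(m["offset"], 16), "based_on_pe": m["pe"] == "true",
    }


def check_record(rec):
    """Reviewer checks: dump base equals the stated Offset, and Opcode ID equals
    the Opcode Fuzzy Hash (true for every record in this report)."""
    src = parse_source(rec.get("source_file", ""))
    return (src is not None and src["base"] == src["offset"]
            and rec.get("opcode_id") == rec.get("opcode_fuzzy_hash"))


def unbacked_rwx(records):
    """Snapshot names of functions living in RWX memory not backed by a PE image,
    i.e. dynamically allocated or decrypted code."""
    out = []
    for rec in records:
        src = parse_source(rec.get("source_file", ""))
        if src and not src["based_on_pe"] and src["protection"] == PAGE_EXECUTE_READWRITE:
            out.append(rec["snapshot_file"])
    return out


def functions_per_dump(records):
    """How many function records each memory dump contributed."""
    return dict(Counter(r["snapshot_file"] for r in records))


def duplicate_opcode_ids(records):
    """Opcode IDs occurring more than once (identical code in several dumps)."""
    return {k: v for k, v in Counter(r["opcode_id"] for r in records).items() if v > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(functions_per_dump(recs), unbacked_rwx(recs), duplicate_opcode_ids(recs))
```

Run against the whole saved report rather than the two embedded records, `functions_per_dump` tells you how many lifted functions each dump contributed and `duplicate_opcode_ids` which functions were unpacked identically into more than one region, both of which matter when deciding which dump to load into a disassembler first.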

                          Non-executed Functions

                          Execution Graph

                          Execution Coverage: 5.6%
                          Dynamic/Decrypted Code Coverage: 100%
                          Signature Coverage: 0%
                          Total number of Nodes: 12
                          Total number of Limit Nodes: 0

                          Graph

                          Execution graph (recovered from the rendered graph; 12 nodes, 8 edges, four disconnected paths). The only API calls on the executed paths are one registry value read, one registry value write and two mutex creations:
                          • 0x0161A361 -> 0x0161A392 RegQueryValueExW -> 0x0161A41B
                          • 0x0161A462 -> 0x0161A486 RegSetValueExW -> 0x0161A507
                          • 0x0161A612 -> 0x0161A646 CreateMutexW -> 0x0161A6C1
                          • 0x0161A646 -> 0x0161A67E CreateMutexW -> 0x0161A6C1

                          Callgraph

                          Call graph (recovered from the rendered graph). 74 functions are listed, each named Function_<address> in the report; the graph text carries a single call edge, Function_03160638 -> Function_0316065A. Function addresses by memory region:
                          • 0x00F5xxxx (19): 00F52984, 00F55452, 00F5547A, 00F55514, 00F555C8, 00F555D9, 00F556DB, 00F55DE7, 00F55F69, 00F56068, 00F56B5E, 00F56C3E, 00F574C0, 00F57633, 00F57651, 00F577E9, 00F5788C, 00F57892, 00F57ABA
                          • 0x01612xxx (15): 01612006, 01612044, 016120D0, 0161213C, 01612194, 016121F0, 01612264, 01612310, 01612364, 016123BC, 016123F4, 01612430, 01612458, 01612621, 016126B0
                          • 0x0161Axxx (22): 0161A005, 0161A02E, 0161A078, 0161A09A, 0161A120, 0161A172, 0161A1F4, 0161A23C, 0161A25E, 0161A2D2, 0161A2FE, 0161A361, 0161A392, 0161A45C, 0161A462, 0161A486, 0161A540, 0161A56E, 0161A612, 0161A646, 0161A710, 0161A74E
                          • 0x0316xxxx (12): 03160000, 0316005F, 031605A2, 031605B2, 031605C2, 031605D0, 031605F6, 03160638, 0316065A, 0316066F, 03160700, 0316072A
                          • 0x0570xxxx (6): 05700007, 05700080, 05700301, 05700310, 057003BD, 0570069B

                          Executed Functions

                          Control-flow Graph

                          Control-flow graph of Function_05700310: basic blocks from 5700310-5700334 to 570058d-57005bf, terminating at 5700880; no API calls are labelled in the graph.
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.370422093.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5700000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID: [p^$Zp^
                          • API String ID: 0-1934270176
                          • Opcode ID: cd9ba8c9cdccc556dc33199bd5536ae1cae345498750a1a7b04f04cc00b57266
                          • Instruction ID: db288b5b041438b5d2b3f9d8d6a1a1b7a3a7165fb6e273003caed7425d629a6d
                          • Opcode Fuzzy Hash: cd9ba8c9cdccc556dc33199bd5536ae1cae345498750a1a7b04f04cc00b57266
                          • Instruction Fuzzy Hash: D36140307042058FCB4ADB799428A7D3BE7BB89351B994169E802DB3D5DF38CE05DBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_057003BD: basic blocks from 57003bd-5700418 to 570058d-57005bf, terminating at 5700880; no API calls are labelled in the graph.
                          Strings
                          Memory Dump Source
                          • Source File: 00000009.00000002.370422093.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5700000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID: [p^$Zp^
                          • API String ID: 0-1934270176
                          • Opcode ID: def7b7f705427161d017ea8b10ffc3f7058e60a63d081acbd212a416215db142
                          • Instruction ID: 100f247fb8fcedd798fecfa8f5ec8fc4b25c780db134a3bc5d94af34cdb181f9
                          • Opcode Fuzzy Hash: def7b7f705427161d017ea8b10ffc3f7058e60a63d081acbd212a416215db142
                          • Instruction Fuzzy Hash: 8F4146307005558BCB49EB7A81246BC36D7BFC8741769401DE806DB3D9DF288E05DBE5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_0161A612: basic blocks from 161a612-161a695 to 161a709-161a70e; CreateMutexW is called from block 161a6b3-161a6d7.
                          APIs
                          • CreateMutexW.KERNELBASE(?,?), ref: 0161A6B9
                          Memory Dump Source
                          • Source File: 00000009.00000002.370245020.000000000161A000.00000040.00000001.sdmp, Offset: 0161A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_161a000_System.jbxd
                          Similarity
                          • API ID: CreateMutex
                          • String ID:
                          • API String ID: 1964310414-0
                          • Opcode ID: 8c1f506bf7d0fa780cf3891de1c3a22c0851db199e894f77c48370fb9c5a49a0
                          • Instruction ID: 6fa92d6c1f1a130bf428c06562a95b13774f02576272514f48b18a009599b3aa
                          • Opcode Fuzzy Hash: 8c1f506bf7d0fa780cf3891de1c3a22c0851db199e894f77c48370fb9c5a49a0
                          • Instruction Fuzzy Hash: 8031AF755093806FE722CB69CD85B56FFF8EF06210F08849AE984CB293D335A909C7A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_0161A361: basic blocks from 161a361-161a3cf to 161a442-161a447; RegQueryValueExW is called from block 161a406-161a419.
                          APIs
                          • RegQueryValueExW.KERNELBASE(?,00000E2C,750815A7,00000000,00000000,00000000,00000000), ref: 0161A40C
                          Memory Dump Source
                          • Source File: 00000009.00000002.370245020.000000000161A000.00000040.00000001.sdmp, Offset: 0161A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_161a000_System.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: 8f9233866a99f5067e2dfeaf7c399bfe724d4a3eb9843a6240c706a3eb7d3152
                          • Instruction ID: 92bed89b4cc7142015239026679775eac20ace054a44173a71b94e6a54fe3f77
                          • Opcode Fuzzy Hash: 8f9233866a99f5067e2dfeaf7c399bfe724d4a3eb9843a6240c706a3eb7d3152
                          • Instruction Fuzzy Hash: 30318071505780AFE722CF25CC85F62BFB8EF06610F08859AE985DB252D364E949CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_0161A462: basic blocks from 161a462-161a4c3 to 161a52e-161a533; RegSetValueExW is called from block 161a4f2-161a505.
                          APIs
                          • RegSetValueExW.KERNELBASE(?,00000E2C,750815A7,00000000,00000000,00000000,00000000), ref: 0161A4F8
                          Memory Dump Source
                          • Source File: 00000009.00000002.370245020.000000000161A000.00000040.00000001.sdmp, Offset: 0161A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_161a000_System.jbxd
                          Similarity
                          • API ID: Value
                          • String ID:
                          • API String ID: 3702945584-0
                          • Opcode ID: b8e689fb8474d8624cf1d0c30b7aedcb9688243dc38e9700c3a08c3c824162ff
                          • Instruction ID: 1a254d1ba780203492f72359c18a8ba9d99468c3c80efd68cde66b162fc12395
                          • Opcode Fuzzy Hash: b8e689fb8474d8624cf1d0c30b7aedcb9688243dc38e9700c3a08c3c824162ff
                          • Instruction Fuzzy Hash: C421A172109380AFE7228F65DD45F67BFA8EF06610F08859AED85DB252C364E448C771
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_0161A646: basic blocks from 161a646-161a695 to 161a709-161a70e; CreateMutexW is called from block 161a6b3-161a6bb.
                          APIs
                          • CreateMutexW.KERNELBASE(?,?), ref: 0161A6B9
                          Memory Dump Source
                          • Source File: 00000009.00000002.370245020.000000000161A000.00000040.00000001.sdmp, Offset: 0161A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_161a000_System.jbxd
                          Similarity
                          • API ID: CreateMutex
                          • String ID:
                          • API String ID: 1964310414-0
                          • Opcode ID: cc6f841643159bf8f3e831c784873296422bf3ad07437ef829b13ec8b80e99ee
                          • Instruction ID: d5404de279c40aa109325f18af272c3fcd0c6cf4ce498465be76937e1ebf6211
                          • Opcode Fuzzy Hash: cc6f841643159bf8f3e831c784873296422bf3ad07437ef829b13ec8b80e99ee
                          • Instruction Fuzzy Hash: CD21C275601280AFE721DF69CE85B66FBE8EF04310F18846AED85CB242D371E505CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_0161A392: basic blocks from 161a392-161a3cf to 161a442-161a447; RegQueryValueExW is called from block 161a406-161a419.
                          APIs
                          • RegQueryValueExW.KERNELBASE(?,00000E2C,750815A7,00000000,00000000,00000000,00000000), ref: 0161A40C
                          Memory Dump Source
                          • Source File: 00000009.00000002.370245020.000000000161A000.00000040.00000001.sdmp, Offset: 0161A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_161a000_System.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: 88160547367490b6771f478d45ed910d3097b4c292c6364c32fd048ca419e84e
                          • Instruction ID: 5465ba3ea7f17ff3289c3522135a746faca1caa827ccc4480818abd6bc8f8e4d
                          • Opcode Fuzzy Hash: 88160547367490b6771f478d45ed910d3097b4c292c6364c32fd048ca419e84e
                          • Instruction Fuzzy Hash: CB218E71601244AFE721CE59CD89FA6FBECEF04710F18856AED85DB256D360E809CA71
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_0161A486: basic blocks from 161a486-161a4c3 to 161a52e-161a533; RegSetValueExW is called from block 161a4f2-161a505.
                          APIs
                          • RegSetValueExW.KERNELBASE(?,00000E2C,750815A7,00000000,00000000,00000000,00000000), ref: 0161A4F8
                          Memory Dump Source
                          • Source File: 00000009.00000002.370245020.000000000161A000.00000040.00000001.sdmp, Offset: 0161A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_161a000_System.jbxd
                          Similarity
                          • API ID: Value
                          • String ID:
                          • API String ID: 3702945584-0
                          • Opcode ID: 4c039b36f37a15cc2ec13a64dd89800e5a36eed09f0871700378d29ba4a676f1
                          • Instruction ID: 06a0809093f3d363f29c31d9f70c6fe60d2eec0de9ba36ac61ee772c0f367ffa
                          • Opcode Fuzzy Hash: 4c039b36f37a15cc2ec13a64dd89800e5a36eed09f0871700378d29ba4a676f1
                          • Instruction Fuzzy Hash: C5118E72541640AFEB228E59DE45F66FBACEF04720F08855AED85DB646D360E408CAB2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_05700080: two basic blocks, 5700080-57000ad and 57000b8-57002f9; no API calls are labelled in the graph.
                          Memory Dump Source
                          • Source File: 00000009.00000002.370422093.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5700000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bd929c00cf36c27fc31c22d3d2da740e2afe067bc7bb31b07ef66340e44dc4c1
                          • Instruction ID: 57e29e9300733c37bf65a13624d836bbccbf5fe24e8721cb3bb722292fa4fd0f
                          • Opcode Fuzzy Hash: bd929c00cf36c27fc31c22d3d2da740e2afe067bc7bb31b07ef66340e44dc4c1
                          • Instruction Fuzzy Hash: 01518430114A8A8BC7C6DF7CE6A854D3BB2FB85344B108568E0448B22ADB385D0DDFE1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_05700007: basic blocks from 5700007-570002a to 5700071-5700076; no API calls are labelled in the graph.
                          Memory Dump Source
                          • Source File: 00000009.00000002.370422093.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_5700000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 50e5f5bf364752099261752109d080eae1cf8c11f8f7006f9c291ddb08436115
                          • Instruction ID: 92f2253df50997791c6853b8114594aa8fa0a3b4781d780bf2373c49ed18eab8
                          • Opcode Fuzzy Hash: 50e5f5bf364752099261752109d080eae1cf8c11f8f7006f9c291ddb08436115
                          • Instruction Fuzzy Hash: CD018CA640E3C48FC7038B7458286913FB1AE1326839F10D7C881DF1F3E65A894AD722
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_031605D0: basic blocks 31605d0-31605f3, 31605f6-3160610 and 3160616-3160633; no API calls are labelled in the graph.
                          Memory Dump Source
                          • Source File: 00000009.00000002.370363230.0000000003160000.00000040.00000040.sdmp, Offset: 03160000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_3160000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3882be0701df4271c66020fb6c94e6dcdba242521954766ac92c92ec7f8b1de2
                          • Instruction ID: ae05eb28a7008a335d4b40d529dea86e72e20e300f691835b5c382f04d6db178
                          • Opcode Fuzzy Hash: 3882be0701df4271c66020fb6c94e6dcdba242521954766ac92c92ec7f8b1de2
                          • Instruction Fuzzy Hash: 8701A77150D7805FD7128B15EC44862FFA8DE86520709C4DFEC898B613D225A808CB65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_031605F6: basic blocks 31605f6-3160610 and 3160616-3160633; no API calls are labelled in the graph.
                          Memory Dump Source
                          • Source File: 00000009.00000002.370363230.0000000003160000.00000040.00000040.sdmp, Offset: 03160000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_3160000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6468f9a519a4e917844851ca3321c847f90873cb23e2242dc6398c904d357c06
                          • Instruction ID: cca9b6440ed4821c65292da09e6ef0a5baf6c4d439430bb7d8c87df5829f18ff
                          • Opcode Fuzzy Hash: 6468f9a519a4e917844851ca3321c847f90873cb23e2242dc6398c904d357c06
                          • Instruction Fuzzy Hash: 3EE09276A406008BD650CF0AFC41866F7D8EF84A30B18C17FDC4D8B700D636B508CEA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_016123F4: basic blocks from 16123f4-16123ff to 1612420-1612421; no API calls are labelled in the graph.
                          Memory Dump Source
                          • Source File: 00000009.00000002.370240204.0000000001612000.00000040.00000001.sdmp, Offset: 01612000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_1612000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ce6a282bb57585542f7b0e8c22e4fd8873517205307731fdcb291160a1b24863
                          • Instruction ID: 942145b41aba4f5e082d037c00b03ea4c82fb42a64e3a6024fca34964ed85644
                          • Opcode Fuzzy Hash: ce6a282bb57585542f7b0e8c22e4fd8873517205307731fdcb291160a1b24863
                          • Instruction Fuzzy Hash: 51D05E79246AC14FE3268A1CC6B8B953FF4AF51B04F5A44FDE8008B767C368E5D1D200
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_016123BC: basic blocks from 16123bc-16123c3 to 16123e7-16123e8; no API calls are labelled in the graph.
                          Memory Dump Source
                          • Source File: 00000009.00000002.370240204.0000000001612000.00000040.00000001.sdmp, Offset: 01612000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_1612000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 01f97690945932e0b7fb634deea3e105b07bb14753cabeb9781d33ca68c1b660
                          • Instruction ID: 36e163722765a3561c8ce659a61f9a0d388bda37e25c4d3340350caed123ef19
                          • Opcode Fuzzy Hash: 01f97690945932e0b7fb634deea3e105b07bb14753cabeb9781d33ca68c1b660
                          • Instruction Fuzzy Hash: A4D05E342002814FD716DB0CCAA8F593BD4AB41B00F1A44ECAC008B366C7B5D881D600
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Execution Graph

                          Execution Coverage: 6%
                          Dynamic/Decrypted Code Coverage: 100%
                          Signature Coverage: 0%
                          Total number of Nodes: 22
                          Total number of Limit Nodes: 2

                          Graph

                          Execution graph: 92a612 -> 92a646 -> 92a6b3 (CreateMutexW) -> 92a6c1; 92a462 -> 92a486 (RegSetValueExW) -> 92a507; 92a710 -> 92a6d9, and 92a710 -> 92a71c (FindCloseChangeNotification) -> 92a788; 92a361 -> 92a392 (RegQueryValueExW) -> 92a41b; 92a646 -> 92a67e -> 92a6b3 (CreateMutexW) -> 92a6c1; 92a74e -> 92a77a (FindCloseChangeNotification) -> 92a788, with 92a74e -> 92a7b9 -> 92a77a

                          Callgraph

                          Callgraph (74 functions; the only edge is Function_00950638 -> Function_0095065A): Function_04800080, Function_0092A392, Function_0092A612, Function_04800301, Function_00052984, Function_0092A710, Function_00922194, Function_04800007, Function_0092A09A, Function_0005788C, Function_04800310, Function_00055514, Function_04800693, Function_00922006, Function_00950701, Function_0092A486, Function_00950000, Function_0092A005, Function_00057892, Function_0095000C, Function_00922430, Function_009226B0, Function_009505B1, Function_009222B4, Function_00950638, Function_009223BC, Function_0092213C, Function_0092A23C, Function_00950724, Function_0092A120, Function_00922621, Function_00057633, Function_00056C3E, Function_0092A02E, Function_048003BD, Function_00057ABA, Function_0092A2D2, Function_009220D0, Function_009505D1, Function_000574C0, Function_0095025D, Function_00922458, Function_0092A25E, Function_000555C8, Function_0092A45C, Function_0095065A, Function_0092A540, Function_0092A646, Function_009505C1, Function_00057651, Function_00922044, Function_00055452, Function_00056B5E, Function_0092A74E, Function_000555D9, Function_000556DB, Function_0092A172, Function_009221F0, Function_00055DE7, Function_009505F6, Function_009223F4, Function_0092A1F4, Function_0092A078, Function_0092A2FE, Function_00055F69, Function_000577E9, Function_00056068, Function_0092A462, Function_0092A361, Function_00922264, Function_00922364, Function_0095066F, Function_0092A56E, Function_0005547A

                          Executed Functions

                          Control-flow Graph

                          Control-flow graph of Function_0092A710: entry block 92a710-92a71a, basic blocks spanning 92a6e6 to 92a7c5; FindCloseChangeNotification is called from block 92a77a-92a782.
                          APIs
                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0092A780
                          Memory Dump Source
                          • Source File: 0000000B.00000002.388599646.000000000092A000.00000040.00000001.sdmp, Offset: 0092A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_92a000_System.jbxd
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          • Opcode ID: aebb7a4c575daebe1a2e444cf7ae733b6684d48ee71104e27823bd4e2c0fe227
                          • Instruction ID: edc8789cbce75093e0899cd9c2c4100450907ca4b2a56c97c073a4577912dab8
                          • Opcode Fuzzy Hash: aebb7a4c575daebe1a2e444cf7ae733b6684d48ee71104e27823bd4e2c0fe227
                          • Instruction Fuzzy Hash: 8331F6B68093849FD712CB18EC45662BFA8EF52320F0880EBDD858B653D2356909CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_0092A612: basic blocks from 92a612-92a695 to 92a709-92a70e; CreateMutexW is called from block 92a6b3-92a6d7.
                          APIs
                          • CreateMutexW.KERNELBASE(?,?), ref: 0092A6B9
                          Memory Dump Source
                          • Source File: 0000000B.00000002.388599646.000000000092A000.00000040.00000001.sdmp, Offset: 0092A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_92a000_System.jbxd
                          Similarity
                          • API ID: CreateMutex
                          • String ID:
                          • API String ID: 1964310414-0
                          • Opcode ID: 3229b44438167181e5f2be392d5c9f03e7405c243dc3b81572a96aa2e4d60c90
                          • Instruction ID: 1ef385163f8623e38509815429005837fbab81294f07ad8845c6f90bb77eb4c4
                          • Opcode Fuzzy Hash: 3229b44438167181e5f2be392d5c9f03e7405c243dc3b81572a96aa2e4d60c90
                          • Instruction Fuzzy Hash: E23191755097806FE722CB25DC85B56FFF8EF06310F08849AE984CB293D375A909C766
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_0092A361: basic blocks from 92a361-92a3cf to 92a442-92a447; RegQueryValueExW is called from block 92a406-92a419.
                          APIs
                          • RegQueryValueExW.KERNELBASE(?,00000E2C,19C83E17,00000000,00000000,00000000,00000000), ref: 0092A40C
                          Memory Dump Source
                          • Source File: 0000000B.00000002.388599646.000000000092A000.00000040.00000001.sdmp, Offset: 0092A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_92a000_System.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: 080a6784a85ff80d32137f884722599e6e9c9c9b44c2181787685142ca2da68a
                          • Instruction ID: b935d0fc5e80d46469125ad6ca18df5d49901ef665dc5b821f141a3b861dec09
                          • Opcode Fuzzy Hash: 080a6784a85ff80d32137f884722599e6e9c9c9b44c2181787685142ca2da68a
                          • Instruction Fuzzy Hash: 8D318072104780AFE722CF25DD85F62BFBCEF06710F08849AE9859B152D264E849CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_0092A462: basic blocks from 92a462-92a4c3 to 92a52e-92a533; RegSetValueExW is called from block 92a4f2-92a505.
                          APIs
                          • RegSetValueExW.KERNELBASE(?,00000E2C,19C83E17,00000000,00000000,00000000,00000000), ref: 0092A4F8
                          Memory Dump Source
                          • Source File: 0000000B.00000002.388599646.000000000092A000.00000040.00000001.sdmp, Offset: 0092A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_92a000_System.jbxd
                          Similarity
                          • API ID: Value
                          • String ID:
                          • API String ID: 3702945584-0
                          • Opcode ID: 96398cf614413e28f137bc5bb66137af4fecd5118b6a3a345eb20ba79ce47e64
                          • Instruction ID: 5f185fb88bda1bf0b4873f6e505eb5533da80c8cc9bc4dc49e6526c198669891
                          • Opcode Fuzzy Hash: 96398cf614413e28f137bc5bb66137af4fecd5118b6a3a345eb20ba79ce47e64
                          • Instruction Fuzzy Hash: 71218E72104380AFE7228B25DD45F67BFACEF46710F08849AED859B252D264E848CB72
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_0092A646: basic blocks from 92a646-92a695 to 92a709-92a70e; CreateMutexW is called from block 92a6b3-92a6bb.
                          APIs
                          • CreateMutexW.KERNELBASE(?,?), ref: 0092A6B9
                          Memory Dump Source
                          • Source File: 0000000B.00000002.388599646.000000000092A000.00000040.00000001.sdmp, Offset: 0092A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_92a000_System.jbxd
                          Similarity
                          • API ID: CreateMutex
                          • String ID:
                          • API String ID: 1964310414-0
                          • Opcode ID: 185bd0acb9f4fcaee5c5868d830fa837f6ac02f00ae01ae45df6b43a8781fe33
                          • Instruction ID: 23f8092d1324ae60ce8b738887c0a8c94006c5154e4f8bfda5b4c419767c663a
                          • Opcode Fuzzy Hash: 185bd0acb9f4fcaee5c5868d830fa837f6ac02f00ae01ae45df6b43a8781fe33
                          • Instruction Fuzzy Hash: 9B21D172500240AFE721DF29DD85B66FBECEF04310F18846AED888B246D375E804CB76
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Control-flow graph of Function_0092A392: basic blocks from 92a392-92a3cf to 92a442-92a447; RegQueryValueExW is called from block 92a406-92a419.
                          APIs
                          • RegQueryValueExW.KERNELBASE(?,00000E2C,19C83E17,00000000,00000000,00000000,00000000), ref: 0092A40C
                          Note: RegQueryValueExW (and RegSetValueExW below) take six parameters, yet seven stack values are listed, and the third one differs between the two analysed processes (19C83E17 in this dump, A5498773 in the dump at 00E1A000). Treat these values as a snapshot of the stack at the call site in JIT-compiled code, not as the real key handle, value name or data.
                          Memory Dump Source
                          • Source File: 0000000B.00000002.388599646.000000000092A000.00000040.00000001.sdmp, Offset: 0092A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_92a000_System.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: f49cd81aacd5cb0f9f168720ff5430b060b747ec0218057b665539bd41c1c231
                          • Instruction ID: ba0bb1591924c3e381f78bbd3f26411a7ed398a9a4922c46279ccc301dae6e0f
                          • Opcode Fuzzy Hash: f49cd81aacd5cb0f9f168720ff5430b060b747ec0218057b665539bd41c1c231
                          • Instruction Fuzzy Hash: F8219072500604AFE721DF15ED89F66FBECEF04710F14846AED459B256D364E809CB72
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 101 92a486-92a4c3 103 92a4c5 101->103 104 92a4c8-92a4d4 101->104 103->104 105 92a4d6 104->105 106 92a4d9-92a4f0 104->106 105->106 108 92a4f2-92a505 RegSetValueExW 106->108 109 92a527-92a52c 106->109 110 92a507-92a524 108->110 111 92a52e-92a533 108->111 109->108 111->110
                          APIs
                          • RegSetValueExW.KERNELBASE(?,00000E2C,19C83E17,00000000,00000000,00000000,00000000), ref: 0092A4F8
                          Memory Dump Source
                          • Source File: 0000000B.00000002.388599646.000000000092A000.00000040.00000001.sdmp, Offset: 0092A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_92a000_System.jbxd
                          Similarity
                          • API ID: Value
                          • String ID:
                          • API String ID: 3702945584-0
                          • Opcode ID: 3ec6785e4f9991921a5daf83d62fffc0686b6363e206655d325408474496be20
                          • Instruction ID: e2910830ad83b7e072840bd857aac8a3cabaa0bb34e7ccdd9d6feb79275f7387
                          • Opcode Fuzzy Hash: 3ec6785e4f9991921a5daf83d62fffc0686b6363e206655d325408474496be20
                          • Instruction Fuzzy Hash: 9F119072500600AFEB21DF15EE85F6BFBECEF04710F14845AED859B656D264E808CBB2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 115 92a74e-92a778 116 92a77a-92a782 FindCloseChangeNotification 115->116 117 92a7b9-92a7be 115->117 118 92a788-92a79a 116->118 117->116 120 92a7c0-92a7c5 118->120 121 92a79c-92a7b8 118->121 120->121
                          APIs
                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0092A780
                          Note: in KERNELBASE the FindCloseChangeNotification export resolves to the same address as CloseHandle, so a disassembler labels a plain CloseHandle call with this name. The call here most likely just closes a handle; it is not evidence that the sample watches directories for changes.
                          Memory Dump Source
                          • Source File: 0000000B.00000002.388599646.000000000092A000.00000040.00000001.sdmp, Offset: 0092A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_92a000_System.jbxd
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          • Opcode ID: e6625967c785e161f4d83dceb37d08087f01af605d79f48d127f12a0f304b74d
                          • Instruction ID: 6585a63a4e6e71d965c5d43ad845e9343afb5c05a8a240c858ab5aff59b326e4
                          • Opcode Fuzzy Hash: e6625967c785e161f4d83dceb37d08087f01af605d79f48d127f12a0f304b74d
                          • Instruction Fuzzy Hash: B201F7719002408FDB11CF15ED84766FBE8DF00320F18C4ABDD498F616D278A804CFA2
                          Uniqueness

                          Uniqueness Score: -1.00%
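
The control_flow_graph and APIs lines above are a flattened DOT export: decimal node ids, hex address ranges (a single address for one-instruction blocks), an optional API name on the block that makes the call, and a->b edges. The Python below is an added example for this page, not Joe Sandbox code. It parses that text, maps each API name to its basic block, checks that the ref: address of the APIs entry really lies inside that block, and walks the shortest path from the function entry to the call. The sample strings are copied from the process 11 dumps above; the grammar, and the assumption that the first node listed is the function entry, are inferred from this page rather than documented anywhere.

```python
"""Parse Joe Sandbox graph dumps (control_flow_graph / execution_graph lines): which block
carries each API call and the path that reaches it.  Added example for this page, not Joe
Sandbox code; the sample lines are copied from the process 11 dumps above as test input."""
import re
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CFG_MUTEX = ("control_flow_graph 69 92a646-92a695 72 92a697 69->72 73 92a69a-92a6a3 "
             "69->73 72->73 74 92a6a5 73->74 75 92a6a8-92a6b1 73->75 74->75 "
             "76 92a702-92a707 75->76 77 92a6b3-92a6bb CreateMutexW 75->77 76->77 "
             "80 92a709-92a70e 76->80 78 92a6c1-92a6d7 77->78 78->80 "
             "81 92a6d9-92a6ff 78->81 80->81")
API_MUTEX = "CreateMutexW.KERNELBASE(?,?), ref: 0092A6B9"
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
NAME_RE = re.compile(r"^[A-Za-z_]\w*$")  # API name token such as CreateMutexW
API_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")


@dataclass
class Node:
    start: int                 # first address of the block
    end: int                   # last address; equals start for single-address nodes
    api: Optional[str] = None  # API called from this block, if the dump names one


@dataclass
class Graph:
    nodes: Dict[int, Node]
    edges: List[Tuple[int, int]]
    entry: int  # first node listed; assumed to be the function entry (inferred from the dumps)


def parse_graph(line: str) -> Graph:
    """Grammar: '<kind> (<id> <addr[-addr]> [<Api>] | <a>-><b>)*', ids decimal, addresses
    hex.  The label always follows its id, so an all-digit address like 4800880 is not an id."""
    toks = line.split()
    if not toks or toks[0] not in ("control_flow_graph", "execution_graph"):
        raise ValueError("not a Joe Sandbox graph line")
    nodes: Dict[int, Node] = {}
    edges: List[Tuple[int, int]] = []
    i = 1
    while i < len(toks):
        if "->" in toks[i]:
            a, b = toks[i].split("->")
            edges.append((int(a), int(b)))
            i += 1
            continue
        nid, (lo, _, hi) = int(toks[i]), toks[i + 1].partition("-")
        api = None
        if i + 2 < len(toks) and NAME_RE.match(toks[i + 2]) and not HEX_RE.match(toks[i + 2]):
            api = toks[i + 2]
        nodes[nid] = Node(int(lo, 16), int(hi or lo, 16), api)
        i += 3 if api else 2
    return Graph(nodes, edges, next(iter(nodes)))


def api_nodes(g: Graph) -> Dict[str, List[int]]:
    """API name -> ids of the nodes that call it (a list: a name may occur more than once)."""
    out: Dict[str, List[int]] = {}
    for nid, n in g.nodes.items():
        if n.api:
            out.setdefault(n.api, []).append(nid)
    return out


def node_containing(g: Graph, addr: int) -> Optional[int]:
    """Id of the node whose address range covers addr, or None."""
    return next((nid for nid, n in g.nodes.items() if n.start <= addr <= n.end), None)


def shortest_path(g: Graph, target: int, source: Optional[int] = None) -> List[int]:
    """Breadth-first search; node ids from source (default: entry) to target, [] if unreachable."""
    src = g.entry if source is None else source
    succ: Dict[int, List[int]] = {}
    for a, b in g.edges:
        succ.setdefault(a, []).append(b)
    prev: Dict[int, Optional[int]] = {src: None}
    queue = deque([src])
    while queue and target not in prev:
        cur = queue.popleft()
        for nxt in succ.get(cur, []):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if target not in prev:
        return []
    path = [target]
    while prev[path[-1]] is not None:
        path.append(prev[path[-1]])
    return path[::-1]


def parse_api_line(line: str) -> Tuple[str, str, List[str], int]:
    """'Name.MODULE(a,b,...), ref: ADDR' -> (name, module, args, call address)."""
    m = API_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    name, module, args, ref = m.groups()
    return name, module, args.split(",") if args else [], int(ref, 16)


def api_ref_matches_cfg(g: Graph, api_line: str) -> bool:
    """True when the APIs entry's ref: address lies in the block the CFG labels with that API."""
    name, _, _, ref = parse_api_line(api_line)
    return node_containing(g, ref) in api_nodes(g).get(name, [])
```

The same parser reads the process 12 execution_graph line further down, which is why api_nodes returns a list: CreateMutexW is named on two nodes there (723 and 754). That graph is a set of disconnected per-function fragments, so a path search from its first node (740) never reaches those nodes; pass the fragment's own first node as source instead.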

                          Control-flow Graph

                          control_flow_graph 123 4800310-4800334 125 4800336-4800338 123->125 126 480033e-4800346 123->126 125->126 127 4800348-480034d 126->127 128 480034e-4800391 126->128 131 4800393-48003bb 128->131 132 48003d8-48003ff 128->132 137 48003ce 131->137 138 480040a-4800418 132->138 137->132 139 480041a 138->139 140 480041f-4800434 138->140 139->140 142 4800436-4800460 140->142 143 480046b-4800523 140->143 142->143 162 4800570-4800587 143->162 163 4800525-4800569 143->163 164 4800880 162->164 165 480058d-48005bf 162->165 163->162 165->164
                          Memory Dump Source
                          • Source File: 0000000B.00000002.388776710.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4800000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7583f5d44afc617d4cdaf44b3ffe56c0a3aa01c48394a7064d633589f73aa167
                          • Instruction ID: ee7eb6c4c7e6395b298794a73eaacee8e88793f9e1b516f776da3a8d3734976c
                          • Opcode Fuzzy Hash: 7583f5d44afc617d4cdaf44b3ffe56c0a3aa01c48394a7064d633589f73aa167
                          • Instruction Fuzzy Hash: DC5145307146459FC709AB79A85067D3AE6AFC6300B458529E402DB3EADF38EC01DFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 176 48003bd-4800418 184 480041a 176->184 185 480041f-4800434 176->185 184->185 187 4800436-4800460 185->187 188 480046b-4800523 185->188 187->188 207 4800570-4800587 188->207 208 4800525-4800569 188->208 209 4800880 207->209 210 480058d-48005bf 207->210 208->207 210->209
                          Memory Dump Source
                          • Source File: 0000000B.00000002.388776710.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4800000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1d1d505df39cc2f488ede7b2bfc361c46cd90a4e674fa73bbe72c68038faddb8
                          • Instruction ID: 686190209bf064508b083674d5bfd752259cef9426f86d8050680aed74ffc087
                          • Opcode Fuzzy Hash: 1d1d505df39cc2f488ede7b2bfc361c46cd90a4e674fa73bbe72c68038faddb8
                          • Instruction Fuzzy Hash: 6F414A307005555FCB09AB7A95147BD36D7AFCA741B488029E802EB3EADF28DD01DFA6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 221 4800080-48000ad 224 48000b8-48002f9 221->224
                          Memory Dump Source
                          • Source File: 0000000B.00000002.388776710.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4800000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7b90dee741ad853c3f3ced61401334d46f968fa12b1cd365253343b7493a882b
                          • Instruction ID: 20eac58935ddb34068cf1114dcfb766707b59265f9daaf270350c20beedf3a06
                          • Opcode Fuzzy Hash: 7b90dee741ad853c3f3ced61401334d46f968fa12b1cd365253343b7493a882b
                          • Instruction Fuzzy Hash: 51513D30258AC68BC706FF68E69494E7BE2FB82704B10D96890458B22FEB347D49DF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 262 4800007-4800076
                          Memory Dump Source
                          • Source File: 0000000B.00000002.388776710.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_4800000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0d79a464ac4aa02bcb481632e0b97524b361c86138675f885921e5feacabc519
                          • Instruction ID: bca55f9e0fc54cfcbac710120fb34e422882b1602e2c0dfd221b59a7056e940c
                          • Opcode Fuzzy Hash: 0d79a464ac4aa02bcb481632e0b97524b361c86138675f885921e5feacabc519
                          • Instruction Fuzzy Hash: 9201FA9548F3D21FC30343B42C68AA07FB0AA43125B5E41EBC9D4CB0E3D65D084EA722
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 263 9505d1-9505f3 264 9505f6-950610 263->264 265 950616-950633 264->265
                          Memory Dump Source
                          • Source File: 0000000B.00000002.388624924.0000000000950000.00000040.00000040.sdmp, Offset: 00950000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_950000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: de1080bdec03aca11d71b45226f1fbf17e7fd393cd4babafb9451aa9f2618080
                          • Instruction ID: ad6208789c338f360f5eb5debfed329defd24a1465b774b285aff88433ca983b
                          • Opcode Fuzzy Hash: de1080bdec03aca11d71b45226f1fbf17e7fd393cd4babafb9451aa9f2618080
                          • Instruction Fuzzy Hash: A2018B755093945FD7128F06EC40863FFB8EF46620749C49FEC898B612D125A914CB72
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 266 9505f6-950610 267 950616-950633 266->267
                          Memory Dump Source
                          • Source File: 0000000B.00000002.388624924.0000000000950000.00000040.00000040.sdmp, Offset: 00950000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_950000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b28ec88b365e70c7e73bc024ef4111c605d50c68bdc4aefc94b4e3b6362b3172
                          • Instruction ID: fee9ae25bada0b958678b64f300e5b544dddfdaae64630dd103d7148f7e6a395
                          • Opcode Fuzzy Hash: b28ec88b365e70c7e73bc024ef4111c605d50c68bdc4aefc94b4e3b6362b3172
                          • Instruction Fuzzy Hash: 7AE092766406004BD650DF0AFC81466F7D8EB84631B18C07FDC4D8B711D535B504CEA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 268 9223f4-9223ff 269 922412-922417 268->269 270 922401-92240e 268->270 271 92241a 269->271 272 922419 269->272 270->269 273 922420-922421 271->273
                          Memory Dump Source
                          • Source File: 0000000B.00000002.388594787.0000000000922000.00000040.00000001.sdmp, Offset: 00922000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_922000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7d80c011722d872a97703227fa3b7dbc4cb1a3209eec043b45b5d02889bb25a3
                          • Instruction ID: 3b790b1ced6a6f563264dbb2c96969685add77fd2e674c6043435771881da60f
                          • Opcode Fuzzy Hash: 7d80c011722d872a97703227fa3b7dbc4cb1a3209eec043b45b5d02889bb25a3
                          • Instruction Fuzzy Hash: FCD05E79209AD15FD3269B1CD2A8B953B98AF51B04F4644FAE8008B677C368D981D610
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000B.00000002.388594787.0000000000922000.00000040.00000001.sdmp, Offset: 00922000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_922000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 97d973d53b22ccf5126857a3054fdc791122379a8ca11d40880d371f9cc868d2
                          • Instruction ID: e422bba084725dad00ce38704fcb09c1eba6449ec7ca79296347bbc107f83488
                          • Opcode Fuzzy Hash: 97d973d53b22ccf5126857a3054fdc791122379a8ca11d40880d371f9cc868d2
                          • Instruction Fuzzy Hash: 0ED05E342002814BC71AEB0CE698F5937D8AF41B00F0644E8AC008B266C7B9DC81C600
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Execution Graph

                          Execution Coverage: 10.6%
                          Dynamic/Decrypted Code Coverage: 100%
                          Signature Coverage: 0%
                          Total number of Nodes: 19
                          Total number of Limit Nodes: 1

                          Graph

                          execution_graph 740 e1a361 742 e1a392 RegQueryValueExW 740->742 743 e1a41b 742->743 721 e1a710 725 e1a71c FindCloseChangeNotification 721->725 727 e1a697 721->727 723 e1a6b3 CreateMutexW 726 e1a6c1 723->726 724 e1a788 725->724 727->723 727->726 744 e1a462 747 e1a486 RegSetValueExW 744->747 746 e1a507 747->746 752 e1a612 754 e1a646 CreateMutexW 752->754 755 e1a6c1 754->755 736 e1a74e 737 e1a7b9 736->737 738 e1a77a FindCloseChangeNotification 736->738 737->738 739 e1a788 738->739

                          Callgraph

                          callgraph 0 Function_00E1A361 1 Function_00517651 2 Function_00E1A462 3 Function_00515452 4 Function_00E12264 5 Function_00E12364 6 Function_005155D9 7 Function_005156DB 8 Function_00E1A56E 9 Function_00516B5E 10 Function_00E0066F 11 Function_005174C0 12 Function_00E121F0 13 Function_04CC085F 14 Function_00E1A172 15 Function_00E1A1F4 16 Function_00E123F4 17 Function_00E005F6 18 Function_00E1A078 19 Function_005155C8 20 Function_00E0077A 21 Function_00E1A2FE 22 Function_04CC086C 23 Function_00E1A540 24 Function_00E12044 25 Function_00E1A646 26 Function_0051547A 27 Function_00E1A74E 28 Function_00E005CF 29 Function_00E120D0 30 Function_00E00052 31 Function_00E1A2D2 32 Function_00515DE7 33 Function_00515F69 34 Function_005177E9 35 Function_00516068 36 Function_00E12458 37 Function_00E0065A 38 Function_00E1A45C 39 Function_00E0025D 40 Function_00E1A25E 41 Function_00E12621 42 Function_00E1A120 43 Function_00517892 44 Function_00E00724 45 Function_00515514 46 Function_04CC0007 46->17 46->28 48 Function_04CC0301 46->48 57 Function_04CC0310 46->57 72 Function_04CC03BD 46->72 47 Function_04CC0080 49 Function_00E1A02E 50 Function_00E005AF 51 Function_00E00730 52 Function_00E12430 53 Function_00E126B0 54 Function_00512984 55 Function_00E122B4 56 Function_00E0063A 56->37 58 Function_00E1A23C 59 Function_0051788C 60 Function_00E123BC 61 Function_00E1213C 62 Function_00E005BF 63 Function_00E00700 64 Function_00E00000 65 Function_00517633 66 Function_00E1A005 67 Function_00E12005 68 Function_00E1A486 69 Function_00517ABA 70 Function_00E0000C 71 Function_00516C3E 73 Function_00E1A710 74 Function_00E12310 75 Function_00E1A392 76 Function_00E1A612 77 Function_00E12194 78 Function_00E12098 79 Function_00E1A09A

                          Executed Functions

                          Control-flow Graph

                          control_flow_graph 0 e1a710-e1a71a 1 e1a704 0->1 2 e1a71c 0->2 3 e1a697-e1a6a3 1->3 4 e1a706-e1a708 1->4 5 e1a736-e1a778 2->5 6 e1a71e-e1a735 2->6 13 e1a6a5 3->13 14 e1a6a8-e1a6b1 3->14 12 e1a709-e1a70e 4->12 10 e1a7b9-e1a7be 5->10 11 e1a77a-e1a782 FindCloseChangeNotification 5->11 6->5 10->11 17 e1a788-e1a79a 11->17 24 e1a6d9-e1a6ff 12->24 13->14 15 e1a6b3-e1a6bb CreateMutexW 14->15 16 e1a702-e1a707 14->16 20 e1a6c1-e1a6d7 15->20 16->15 21 e1a7c0-e1a7c5 17->21 22 e1a79c-e1a7b8 17->22 20->12 20->24 21->22
                          APIs
                          • FindCloseChangeNotification.KERNELBASE(?), ref: 00E1A780
                          Memory Dump Source
                          • Source File: 0000000C.00000002.404155571.0000000000E1A000.00000040.00000001.sdmp, Offset: 00E1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_e1a000_System.jbxd
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          • Opcode ID: 4d188cf296b28cde472fc252f4aeb860af3e160f121e2576aa1833f83e4cdcc4
                          • Instruction ID: 9002b28f5ccc0bf5cd5c71aa5b05293793777b8b3840d992ab750ea8972bed30
                          • Opcode Fuzzy Hash: 4d188cf296b28cde472fc252f4aeb860af3e160f121e2576aa1833f83e4cdcc4
                          • Instruction Fuzzy Hash: 0341D3754063809FE712CF24DD857A6BFA8EF02324F0C80ABDD84DB293D2359948CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 27 4cc0310-4cc0334 29 4cc033e-4cc0346 27->29 30 4cc0336-4cc0338 27->30 31 4cc034e-4cc035c 29->31 32 4cc0348-4cc034d 29->32 30->29 34 4cc035e-4cc0360 31->34 35 4cc0362-4cc0391 31->35 34->35 38 4cc03d8-4cc0418 35->38 39 4cc0393-4cc03ce 35->39 46 4cc041f-4cc0434 38->46 47 4cc041a 38->47 39->38 49 4cc046b-4cc0523 46->49 50 4cc0436-4cc0460 46->50 47->46 69 4cc0525-4cc0569 49->69 70 4cc0570-4cc0587 49->70 50->49 69->70 71 4cc058d-4cc05bf 70->71 72 4cc0880 70->72 71->72
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.404357258.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_4cc0000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID: he$pc
                          • API String ID: 0-636139565
                          • Opcode ID: 2e5cee57d728b1d4fbd9b0236679607885421fa501ecc2ee033f3cf747e17ca0
                          • Instruction ID: 4e6dc0e6ac1107456c7581a62b43d9a3917480a2f145d9aa2f385ad5fcd0045b
                          • Opcode Fuzzy Hash: 2e5cee57d728b1d4fbd9b0236679607885421fa501ecc2ee033f3cf747e17ca0
                          • Instruction Fuzzy Hash: FE51E5307002458FCB15AB7A9411A7D3BE7AFC9300B594169E406EB3A6EF39DD46CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 83 4cc03bd-4cc0418 91 4cc041f-4cc0434 83->91 92 4cc041a 83->92 94 4cc046b-4cc0523 91->94 95 4cc0436-4cc0460 91->95 92->91 114 4cc0525-4cc0569 94->114 115 4cc0570-4cc0587 94->115 95->94 114->115 116 4cc058d-4cc05bf 115->116 117 4cc0880 115->117 116->117
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.404357258.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_4cc0000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID: he$pc
                          • API String ID: 0-636139565
                          • Opcode ID: 6c85de3c9e3147f9d5441961deecf95cad5f0d9440a0eef98656a317874f4624
                          • Instruction ID: 7ca5f3e249afd572ce7da4e99802a640a2925047a2ca2d085a2c13fe7ff67c52
                          • Opcode Fuzzy Hash: 6c85de3c9e3147f9d5441961deecf95cad5f0d9440a0eef98656a317874f4624
                          • Instruction Fuzzy Hash: 064106307005518FCB0AABBA95256BD36D7AFC8741758412DE406FB3B7EF288D46CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 128 e1a612-e1a695 132 e1a697 128->132 133 e1a69a-e1a6a3 128->133 132->133 134 e1a6a5 133->134 135 e1a6a8-e1a6b1 133->135 134->135 136 e1a6b3-e1a6d7 CreateMutexW 135->136 137 e1a702-e1a707 135->137 140 e1a709-e1a70e 136->140 141 e1a6d9-e1a6ff 136->141 137->136 140->141
                          APIs
                          • CreateMutexW.KERNELBASE(?,?), ref: 00E1A6B9
                          Memory Dump Source
                          • Source File: 0000000C.00000002.404155571.0000000000E1A000.00000040.00000001.sdmp, Offset: 00E1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_e1a000_System.jbxd
                          Similarity
                          • API ID: CreateMutex
                          • String ID:
                          • API String ID: 1964310414-0
                          • Opcode ID: a1a69e3c0a290420c1b5e53e306b9ee96dc60910695989945ae817a4dba02e90
                          • Instruction ID: dd23840bb2819126661bf2a6bb2d859746871a7e069756ff0410fbbe9242cda6
                          • Opcode Fuzzy Hash: a1a69e3c0a290420c1b5e53e306b9ee96dc60910695989945ae817a4dba02e90
                          • Instruction Fuzzy Hash: A331A4755093806FE712CB25CD85B56FFF8EF06310F0884AAE984DB292D335A949C762
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 144 e1a361-e1a3cf 147 e1a3d1 144->147 148 e1a3d4-e1a3dd 144->148 147->148 149 e1a3e2-e1a3e8 148->149 150 e1a3df 148->150 151 e1a3ea 149->151 152 e1a3ed-e1a404 149->152 150->149 151->152 154 e1a406-e1a419 RegQueryValueExW 152->154 155 e1a43b-e1a440 152->155 156 e1a442-e1a447 154->156 157 e1a41b-e1a438 154->157 155->154 156->157
                          APIs
                          • RegQueryValueExW.KERNELBASE(?,00000E2C,A5498773,00000000,00000000,00000000,00000000), ref: 00E1A40C
                          Memory Dump Source
                          • Source File: 0000000C.00000002.404155571.0000000000E1A000.00000040.00000001.sdmp, Offset: 00E1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_e1a000_System.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: 1c6bd61fd7558cba9a0e720f16b2acc1c1ae30c60ec7a3ea079fe6f085783b57
                          • Instruction ID: 38e9e59a83abfaf9d8e47e4aad5fb2667b5340f839ed5029e8cee07489defbc5
                          • Opcode Fuzzy Hash: 1c6bd61fd7558cba9a0e720f16b2acc1c1ae30c60ec7a3ea079fe6f085783b57
                          • Instruction Fuzzy Hash: 87318471105780AFE722CF25CC85FA6BFF8EF06310F08849AE9859B152D364E949CB72
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 161 e1a462-e1a4c3 164 e1a4c5 161->164 165 e1a4c8-e1a4d4 161->165 164->165 166 e1a4d6 165->166 167 e1a4d9-e1a4f0 165->167 166->167 169 e1a4f2-e1a505 RegSetValueExW 167->169 170 e1a527-e1a52c 167->170 171 e1a507-e1a524 169->171 172 e1a52e-e1a533 169->172 170->169 172->171
                          APIs
                          • RegSetValueExW.KERNELBASE(?,00000E2C,A5498773,00000000,00000000,00000000,00000000), ref: 00E1A4F8
                          Memory Dump Source
                          • Source File: 0000000C.00000002.404155571.0000000000E1A000.00000040.00000001.sdmp, Offset: 00E1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_e1a000_System.jbxd
                          Similarity
                          • API ID: Value
                          • String ID:
                          • API String ID: 3702945584-0
                          • Opcode ID: d4cfd00f4c97d9b5de6bea40e5f59f5babdaf12b8ad6d3cc1d972234dde5b21b
                          • Instruction ID: 2ae5ed83c058e12a352de52b6b604a73a8dc7452c9733d8fc8223408a5ce144a
                          • Opcode Fuzzy Hash: d4cfd00f4c97d9b5de6bea40e5f59f5babdaf12b8ad6d3cc1d972234dde5b21b
                          • Instruction Fuzzy Hash: BA218372105380AFE7228F15DD45FA7BFA8EF46310F08849AE985DB152D264E948C772
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 176 e1a646-e1a695 179 e1a697 176->179 180 e1a69a-e1a6a3 176->180 179->180 181 e1a6a5 180->181 182 e1a6a8-e1a6b1 180->182 181->182 183 e1a6b3-e1a6d7 CreateMutexW 182->183 184 e1a702-e1a707 182->184 187 e1a709-e1a70e 183->187 188 e1a6d9-e1a6ff 183->188 184->183 187->188
                          APIs
                          • CreateMutexW.KERNELBASE(?,?), ref: 00E1A6B9
                          Memory Dump Source
                          • Source File: 0000000C.00000002.404155571.0000000000E1A000.00000040.00000001.sdmp, Offset: 00E1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_e1a000_System.jbxd
                          Similarity
                          • API ID: CreateMutex
                          • String ID:
                          • API String ID: 1964310414-0
                          • Opcode ID: 31dbb868c15888a98d3deb7f063894348e3ddca63530f54c9f90e5db1dbc7c40
                          • Instruction ID: 1cc317e9937939d44734fdf13f176ae18b69524975562b9e9c135b5ca67c7140
                          • Opcode Fuzzy Hash: 31dbb868c15888a98d3deb7f063894348e3ddca63530f54c9f90e5db1dbc7c40
                          • Instruction Fuzzy Hash: AD21D475601240AFE721DF29CD85BA6FBE8EF04310F18846AED85DB242D371E944CB76
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 191 e1a392-e1a3cf 193 e1a3d1 191->193 194 e1a3d4-e1a3dd 191->194 193->194 195 e1a3e2-e1a3e8 194->195 196 e1a3df 194->196 197 e1a3ea 195->197 198 e1a3ed-e1a404 195->198 196->195 197->198 200 e1a406-e1a419 RegQueryValueExW 198->200 201 e1a43b-e1a440 198->201 202 e1a442-e1a447 200->202 203 e1a41b-e1a438 200->203 201->200 202->203
                          APIs
                          • RegQueryValueExW.KERNELBASE(?,00000E2C,A5498773,00000000,00000000,00000000,00000000), ref: 00E1A40C
                          Memory Dump Source
                          • Source File: 0000000C.00000002.404155571.0000000000E1A000.00000040.00000001.sdmp, Offset: 00E1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_e1a000_System.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: 69afc4b0b7d5dc11be64a376b581f5d0e9a610d2fd1247a415690ebf1cad531b
                          • Instruction ID: d4330ed91d2c137426ec02fac7275eced31bb39c843fe433d903d8f696096b39
                          • Opcode Fuzzy Hash: 69afc4b0b7d5dc11be64a376b581f5d0e9a610d2fd1247a415690ebf1cad531b
                          • Instruction Fuzzy Hash: D3219371501204AFE721CF15CD89FA6FBECEF04710F18946AED45AB252D360E949CB72
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          control_flow_graph 207 e1a486-e1a4c3 209 e1a4c5 207->209 210 e1a4c8-e1a4d4 207->210 209->210 211 e1a4d6 210->211 212 e1a4d9-e1a4f0 210->212 211->212 214 e1a4f2-e1a505 RegSetValueExW 212->214 215 e1a527-e1a52c 212->215 216 e1a507-e1a524 214->216 217 e1a52e-e1a533 214->217 215->214 217->216
                          APIs
                          • RegSetValueExW.KERNELBASE(?,00000E2C,A5498773,00000000,00000000,00000000,00000000), ref: 00E1A4F8
                          Memory Dump Source
                          • Source File: 0000000C.00000002.404155571.0000000000E1A000.00000040.00000001.sdmp, Offset: 00E1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_e1a000_System.jbxd
                          Similarity
                          • API ID: Value
                          • String ID:
                          • API String ID: 3702945584-0
                          • Opcode ID: 720fe05b102a5aaaed1770d93459adb87c0dc6e3b62413096ad71b67d0e2b1bf
                          • Instruction ID: 0303aba1a66092247cad690884900bb405094b7cb43bae85457b7f7301842408
                          • Opcode Fuzzy Hash: 720fe05b102a5aaaed1770d93459adb87c0dc6e3b62413096ad71b67d0e2b1bf
                          • Instruction Fuzzy Hash: A4118175500600AFEB218E15DE45FB6FBECEF04710F18946AED45AB642D260E944CA72
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Rendered graph not captured in this text export; basic blocks cover e1a74e-e1a7c5, with the FindCloseChangeNotification call in block e1a77a-e1a782
                          APIs
                          • FindCloseChangeNotification.KERNELBASE(?), ref: 00E1A780
                          Memory Dump Source
                          • Source File: 0000000C.00000002.404155571.0000000000E1A000.00000040.00000001.sdmp, Offset: 00E1A000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_e1a000_System.jbxd
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          • Opcode ID: 004505f66acecf187879073aa3b1f88358d2c769a59e8c1841d9a2cadb16f9c5
                          • Instruction ID: e51d1d4b69c6bc8f7c8e9e89491aa11f30212aa0d61993e08045027ab59e12e2
                          • Opcode Fuzzy Hash: 004505f66acecf187879073aa3b1f88358d2c769a59e8c1841d9a2cadb16f9c5
                          • Instruction Fuzzy Hash: 3901DF755012409FDB11CF69E9897A6FBA4EF40321F18C0BBDD499B242D274A548CBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Rendered graph not captured in this text export; basic blocks cover 4cc0080-4cc02f9
                          Memory Dump Source
                          • Source File: 0000000C.00000002.404357258.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_4cc0000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6e272b56a1a341920daee54f5a58254575b57e8fbe17cdac83485b078384f608
                          • Instruction ID: 4ef65aaa0d6248b264b38138ed30605f07a58ad26606cb0a4f75115186b69120
                          • Opcode Fuzzy Hash: 6e272b56a1a341920daee54f5a58254575b57e8fbe17cdac83485b078384f608
                          • Instruction Fuzzy Hash: C0512C306142868FC706FB79EAA4A493BB2FB85704710892AD0459B27FFB345D0BCF95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Rendered graph not captured in this text export; basic blocks cover 4cc0007-4cc0076, with calls from 4cc0070 to 4cc03bd, e005f6, 4cc0310, 4cc0301 and e005cf
                          Memory Dump Source
                          • Source File: 0000000C.00000002.404357258.0000000004CC0000.00000040.00000001.sdmp, Offset: 04CC0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_4cc0000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 74b4494efc910cb89842fc0b5f58f8faff1c34d5307c6aa5f2520cb228981106
                          • Instruction ID: e6f8315d6434e5e55d2d49a3ed9e25308c279eed16cd05faeb79047c1cbe04f8
                          • Opcode Fuzzy Hash: 74b4494efc910cb89842fc0b5f58f8faff1c34d5307c6aa5f2520cb228981106
                          • Instruction Fuzzy Hash: 4001579284F7C09FEB0347761C662803F71AE53118B1B02DBC084DB5A3E51C691FC762
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Rendered graph not captured in this text export; basic blocks cover e005cf-e00633
                          Memory Dump Source
                          • Source File: 0000000C.00000002.404127474.0000000000E00000.00000040.00000040.sdmp, Offset: 00E00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_e00000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e2487e27cbc2069ce9d22c6a11da8020de36a30930f17dc7b1291deaead8419d
                          • Instruction ID: 8e59cbd8fbad27ac3ce368ad5fe6173d7f89150513a5582587ee46a0fe165e53
                          • Opcode Fuzzy Hash: e2487e27cbc2069ce9d22c6a11da8020de36a30930f17dc7b1291deaead8419d
                          • Instruction Fuzzy Hash: FD0186B65093806FD7128B16EC44863FFA8EF86630759C49FEC498B612D126A909CB72
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Rendered graph not captured in this text export; basic blocks cover e005f6-e00633
                          Memory Dump Source
                          • Source File: 0000000C.00000002.404127474.0000000000E00000.00000040.00000040.sdmp, Offset: 00E00000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_e00000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d410564932680660ce804c44412108a50872ed21b05dfccfff974bd57b8be123
                          • Instruction ID: 7a306597a1ce13ac513004c7bfec5651f19b8c7738374c81f8f0e4432ea5e203
                          • Opcode Fuzzy Hash: d410564932680660ce804c44412108a50872ed21b05dfccfff974bd57b8be123
                          • Instruction Fuzzy Hash: 7AE092766406009BD654CF0AFC81452FBD8EB84631718C07FDC0D8B700D535B504CEA6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph
                          • Rendered graph not captured in this text export; basic blocks cover e123f4-e12421
                          Memory Dump Source
                          • Source File: 0000000C.00000002.404132949.0000000000E12000.00000040.00000001.sdmp, Offset: 00E12000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_e12000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 63a9b855532d2db86a79c1c7b80168c087719460db2fbd51ef03b1a7202f85cf
                          • Instruction ID: e5639c5cead0c15e9bcdfc1f746ec25fd2063b30603e5521dd7974bae7979a30
                          • Opcode Fuzzy Hash: 63a9b855532d2db86a79c1c7b80168c087719460db2fbd51ef03b1a7202f85cf
                          • Instruction Fuzzy Hash: 43D05E79205AC14FD3268A1CC6A8B953BD4AF51B08F4644FDE8008B663C368E9D1E200
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 0000000C.00000002.404132949.0000000000E12000.00000040.00000001.sdmp, Offset: 00E12000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_e12000_System.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ab0be507ff9518defa1c5740dbcade99606bccfd09bd6387bef27b441f6a52e2
                          • Instruction ID: b482f25181f697096bd9877bbf23c77aa2ee1e2a64b09f4dfe1dd6de1f18872d
                          • Opcode Fuzzy Hash: ab0be507ff9518defa1c5740dbcade99606bccfd09bd6387bef27b441f6a52e2
                          • Instruction Fuzzy Hash: 5ED05E342002824FC716DB0CCA98F9937D4AB41B04F0654ECAC108B262C7B9DCD1D600
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions