Windows Analysis Report
SecuriteInfo.com.MSIL.Kryptik.AECS.24576.13236

Overview

General Information

Sample Name: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.13236 (renamed file extension from 13236 to msi)
Analysis ID: 562521
MD5: 1d59589778c525aadcb645270cee737c
SHA1: ad4584c1b7734854939c59674cbbf22a99618285
SHA256: 1f95063441e9d231e0e2b15365a8722c5136c2a6fe2716f3653c260093026354
Tags: msi, njrat

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Njrat
Multi AV Scanner detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Creates autostart registry keys with suspicious names
Modifies the windows firewall
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
May infect USB drives
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Cabinet File Expansion
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses cacls to modify the permissions of files
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Sigma detected: Netsh Port or Application Allowed
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification

Classification

  • System is w10x64
  • msiexec.exe (PID: 6712 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 6128 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 6992 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8427D5518DE818285DF2E5650B3C2701 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
      • icacls.exe (PID: 5596 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 5520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • expand.exe (PID: 4552 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 8F8C20238C1194A428021AC62257436D)
        • conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • server.exe (PID: 7028 cmdline: "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe" MD5: CD4D919B4FC88C9D6F03C864A181E40F)
        • AddInProcess.exe (PID: 6312 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe MD5: 11D8A500C4C0FBAF20EBDB8CDF6EA452)
        • InstallUtil.exe (PID: 6304 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
        • AddInProcess.exe (PID: 7104 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe MD5: 11D8A500C4C0FBAF20EBDB8CDF6EA452)
        • RegSvcs.exe (PID: 7148 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
          • netsh.exe (PID: 6520 cmdline: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • conhost.exe (PID: 2092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • icacls.exe (PID: 5164 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5568 cmdline: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files" MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 3848 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" .. MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • msdtc.exe (PID: 6320 cmdline: C:\Windows\System32\msdtc.exe MD5: 9A94F32C1DC90A7E5A35D0F820A8FB1D)
  • RegSvcs.exe (PID: 6972 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" .. MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 984 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" .. MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
Yara matches in process memory dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x6dbd:$a1: netsh firewall add allowedprogram
  • 0x6d8d:$a2: SEE_MASK_NOZONECHECKS
  • 0x6fad:$b1: [TAP]
  • 0x6ea9:$c3: cmd.exe /c ping
0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x6d8d:$reg: SEE_MASK_NOZONECHECKS
  • 0x6a7c:$msg: Execute ERROR
  • 0x6ad4:$msg: Execute ERROR
  • 0x6ea9:$ping: cmd.exe /c ping 0 -n 2 & del
(33 further entries not shown)

Yara matches in unpacked PE files

Source | Rule | Description | Author | Strings
15.0.RegSvcs.exe.400000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x70a9:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x6cba:$s3: Executed As
  • 0x6c98:$s6: Download ERROR
15.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
15.0.RegSvcs.exe.400000.0.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x7049:$s1: netsh firewall delete allowedprogram
  • 0x6fbd:$s2: netsh firewall add allowedprogram
  • 0x70a9:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x6c7c:$s4: Execute ERROR
  • 0x6cd4:$s4: Execute ERROR
  • 0x6c98:$s5: Download ERROR
15.0.RegSvcs.exe.400000.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x6fbd:$a1: netsh firewall add allowedprogram
  • 0x6f8d:$a2: SEE_MASK_NOZONECHECKS
  • 0x71ad:$b1: [TAP]
  • 0x70a9:$c3: cmd.exe /c ping
15.0.RegSvcs.exe.400000.0.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x6f8d:$reg: SEE_MASK_NOZONECHECKS
  • 0x6c7c:$msg: Execute ERROR
  • 0x6cd4:$msg: Execute ERROR
  • 0x70a9:$ping: cmd.exe /c ping 0 -n 2 & del
(103 further entries not shown)

          System Summary

Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard
Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe, ParentProcessId: 7028, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7148

Source: Process started | Author: Bhabesh Raj
Data: Command: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, CommandLine: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\expand.exe, NewProcessName: C:\Windows\SysWOW64\expand.exe, OriginalFileName: C:\Windows\SysWOW64\expand.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 8427D5518DE818285DF2E5650B3C2701, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6992, ProcessCommandLine: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, ProcessId: 4552

Source: Process started | Author: Markus Neis, Sander Wiebing
Data: Command: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE, CommandLine: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE, CommandLine|base64offset|contains: l, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 7148, ProcessCommandLine: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE, ProcessId: 6520

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton
Data: Details: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" .., EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7148, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\040b20e882d013c0c9f6ceff16d97f7a

Source: Process started | Author: juju4
Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe, ParentProcessId: 7028, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ProcessId: 6304

          AV Detection

Source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi | Virustotal: Detection: 8%
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7148, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\02f017f8dcfd4885887fe1ceb996bbc7$dpx$.tmp\cfa11b188d32074992aa4060114f8638.tmp | Virustotal: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe (copy) | Virustotal: Detection: 15%
Source: 15.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 15.0.RegSvcs.exe.400000.3.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 15.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 15.0.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 15.0.RegSvcs.exe.400000.2.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 15.0.RegSvcs.exe.400000.4.unpack | Avira: Label: TR/ATRAPS.Gen

          Exploits

Source: Yara match | File source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.45a61b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR
Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8291D67C-2E0B-4E71-B034-09AFE03383E8}
Source: Binary string: (P"nTC:\Windows\System.EnterpriseServices.pdb | source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: 5.pdb | source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: aspnet_state.pdb | source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: E:\A\_work\940\s\obj\Shell\Terminal\ServiceHub\Release\net472\Microsoft.VisualStudio.Terminal.ServiceHub.pdb | source: expand.exe, 00000009.00000002.681727415.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, server.exe, SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi, files.cab.5.dr, 6537c0.msi.2.dr, 6537be.msi.2.dr, cfa11b188d32074992aa4060114f8638.tmp.9.dr
Source: Binary string: symbols\dll\System.EnterpriseServices.pdb @ | source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, | source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.EnterpriseServices.pdb+ | source: RegSvcs.exe, 0000001C.00000002.785495127.0000000005AA0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: symbols\dll\System.EnterpriseServices.pdb | source: RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdb | source: RegSvcs.exe, 00000018.00000002.781927245.0000000001418000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.EnterpriseServices.pdb | source: RegSvcs.exe, 00000018.00000002.781927245.0000000001418000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000001C.00000002.785495127.0000000005AA0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: symbols\dll\System.EnterpriseServices.pdb 8 | source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb | source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb,?F? 8?_CorExeMainmscoree.dll?% @ | source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 5.pdb# | source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: .ESystem.IO.FileLoadExceptionces.pdbrvices.pdbpdbces.pdbpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdb | source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb | source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi, MSI3B77.tmp.2.dr, MSIAA7F.tmp.2.dr, 6537c0.msi.2.dr, MSIBF62.tmp.2.dr, 6537be.msi.2.dr
Source: Binary string: .ESystem.IO.FileLoadExceptionces.pdbrvices.pdbpdbces.pdbpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdbP]> | source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp
Source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf![autorun]
Source: server.exe, 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf![autorun]
Source: server.exe, 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf![autorun]
Source: RegSvcs.exe, 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf![autorun]
Source: RegSvcs.exe, 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf![autorun]
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\netsh.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:

          Networking

Source: unknown | DNS query: name: njlove.duckdns.org
Source: Joe Sandbox View | ASN Name: TOTAL-SERVER-SOLUTIONSUS TOTAL-SERVER-SOLUTIONSUS
Source: unknown | DNS traffic detected: queries for: njlove.duckdns.org
Source: server.exe, 0000000B.00000002.716814871.000000000168B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud

Source: Yara match | File source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7148, type: MEMORYSTR

          System Summary

Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifacts associated with disabling Windows Defender | Author: ditekSHen
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF | Author: ditekSHen
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object | Author: ditekSHen
Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window | Author: ditekSHen
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifacts associated with disabling Windows Defender | Author: ditekSHen
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF | Author: ditekSHen
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object | Author: ditekSHen
Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window | Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory | Author: JPCERT/CC Incident Response Group
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifacts associated with disabling Windows Defender | Author: ditekSHen
Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP utility, command line and INF | Author: ditekSHen
          Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 11.2.server.exe.45a61b0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
          Source: 11.2.server.exe.45a61b0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
          Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
          Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
          Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
          Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
          Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
          Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
          Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
          Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
          Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
          Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
          Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
          Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
          Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
          Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
          Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
          Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
          Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
          Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
          Source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
          Source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
          Source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
          Source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
          Source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
          Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
          Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
          Source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
          Source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
          Source: 11.0.server.exe.eb0000.1.unpack, cmwHH7P3l7/JmGPzoRLJm.csLarge array initialization: cSPokfGgp3: array initializer size 624144
          Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
          Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
          Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
          Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
          Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
          Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
          Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
          Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
          Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
          Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
          Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
          Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
          Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
          Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
          Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
          Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
          Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
          Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
          Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
          Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
          Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
          Source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
          Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
          Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
          Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
          Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
          Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
          Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 11.2.server.exe.45a61b0.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
          Source: 11.2.server.exe.45a61b0.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
          Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
          Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
          Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
          Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
          Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
          Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
          Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
          Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
          Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
          Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
          Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
          Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
          Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
          Source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
          Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
          Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
          Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
          Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
          Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
          Source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
          Source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
          Source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
          Source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
          Source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
          Source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
          Source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
          Source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
          Source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
          Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
          Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
          Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
          Source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
          Source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
          Source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
          Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI3B77.tmp
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\6537be.msi
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_00F4AD45
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_01661008
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_0166847A
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_0166BA98
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_01664D69
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_01661DE0
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_01669E80
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_016672E8
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_01665AC0
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_0166BA8E
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B92FA8
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B98F00
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B96A20
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B91257
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B97BDB
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B93B10
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B94050
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B91EB0
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B98EF0
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B91EC0
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B92F98
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B94760
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B99C18
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B99C08
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B90448
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B90446
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B91298
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B91288
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B93AD9
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B94B83
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B93B0E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_02B5E288
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_02B56FD8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_02B5D520
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_02B54B80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_02B58930
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_02B56E60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_02B578E6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_051D44D4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_051D9680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_051D486F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_051D4880
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 30_2_013A08E2
          Source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi | Binary or memory string: OriginalFilenameMicrosoft.VisualStudio.Terminal.ServiceHub.dllT vs SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi
          Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
          Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
          Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
          Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
          Source: C:\Windows\System32\msdtc.exe | Section loaded: comres.dll
          Source: C:\Windows\System32\msdtc.exe | Section loaded: msdtcvsp1res.dll
          Source: C:\Windows\System32\msdtc.exe | Section loaded: oci.dll
          Source: cfa11b188d32074992aa4060114f8638.tmp.9.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi | Virustotal: Detection: 8%
          Source: C:\Windows\SysWOW64\icacls.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi"
          Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
          Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8427D5518DE818285DF2E5650B3C2701
          Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
          Source: C:\Windows\SysWOW64\icacls.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
          Source: C:\Windows\SysWOW64\expand.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe"
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          Source: C:\Windows\SysWOW64\icacls.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\server.exe.log
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DF6CC46065D10C7A25.TMP
          Source: classification engine | Classification label: mal100.troj.expl.evad.winMSI@36/35@1/1
          Source: C:\Windows\SysWOW64\msiexec.exe | File read: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\msiwrapper.ini
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi | Static file information: TRID: Microsoft Windows Installer (77509/1) 90.64%
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5520:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_01
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\040b20e882d013c0c9f6ceff16d97f7aIG1pY3Jvc29mdA==
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2092:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5632:120:WilError_01
          Source: C:\Windows\SysWOW64\msiexec.exe | File written: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\msiwrapper.ini
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8291D67C-2E0B-4E71-B034-09AFE03383E8}
          Source: Binary string: (P"nTC:\Windows\System.EnterpriseServices.pdb source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: 5.pdb source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: aspnet_state.pdb source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: E:\A\_work\940\s\obj\Shell\Terminal\ServiceHub\Release\net472\Microsoft.VisualStudio.Terminal.ServiceHub.pdb source: expand.exe, 00000009.00000002.681727415.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, server.exe, SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi, files.cab.5.dr, 6537c0.msi.2.dr, 6537be.msi.2.dr, cfa11b188d32074992aa4060114f8638.tmp.9.dr
          Source: Binary string: symbols\dll\System.EnterpriseServices.pdb @ source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: RegSvcs.pdb, source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\System.EnterpriseServices.pdb+ source: RegSvcs.exe, 0000001C.00000002.785495127.0000000005AA0000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: symbols\dll\System.EnterpriseServices.pdb source: RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdb source: RegSvcs.exe, 00000018.00000002.781927245.0000000001418000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\System.EnterpriseServices.pdb source: RegSvcs.exe, 00000018.00000002.781927245.0000000001418000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000001C.00000002.785495127.0000000005AA0000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: symbols\dll\System.EnterpriseServices.pdb 8 source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: RegSvcs.pdb source: server.exe, 0000000B.00000002.720641389.000000000379C000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: RegSvcs.pdb,?F? 8?_CorExeMainmscoree.dll?% @ source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: 5.pdb# source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: .ESystem.IO.FileLoadExceptionces.pdbrvices.pdbpdbces.pdbpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdb source: RegSvcs.exe, 0000001C.00000002.784453811.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 0000001E.00000002.798918322.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi, MSI3B77.tmp.2.dr, MSIAA7F.tmp.2.dr, 6537c0.msi.2.dr, MSIBF62.tmp.2.dr, 6537be.msi.2.dr
          Source: Binary string: .ESystem.IO.FileLoadExceptionces.pdbrvices.pdbpdbces.pdbpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.pdbP]> source: RegSvcs.exe, 00000018.00000002.781712894.0000000001187000.00000004.00000010.00020000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_0166F67E push esi; ret 11_2_0166F681
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B99478 pushfd ; retf 11_2_06B99479
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B93AD9 push 2806B870h; iretd 11_2_06B93B0D
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B99A08 pushfd ; iretd 11_2_06B99A09
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B91247 pushad ; iretd 11_2_06B91256
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B938D7 push es; retf 0006h 11_2_06B938F2
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B99864 push eax; iretd 11_2_06B99865
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B96997 push ebx; retf 0006h 11_2_06B969A2
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B96987 push ebx; retf 0006h 11_2_06B96992
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B9110B push eax; retf 11_2_06B91121
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B96977 push edx; retf 0006h 11_2_06B96982
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B96967 push ecx; retf 0006h 11_2_06B96972
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B96958 push ecx; retf 0006h 11_2_06B96962
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Code function: 11_2_06B96947 push eax; retf 0006h 11_2_06B96952
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_02B5B182 pushad ; ret 15_2_02B5B189
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 24_3_05710938 push A400005Eh; ret 24_3_05710951
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 28_3_04FD0938 push A400005Eh; ret 28_3_04FD0951
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 30_3_05350938 push A400005Eh; ret 30_3_05350951
          Source: cfa11b188d32074992aa4060114f8638.tmp.9.dr | Static PE information: 0x8E2962A1 [Mon Jul 31 01:21:37 2045 UTC]
          Source: initial sample | Static PE information: section name: .text entropy: 7.96550305867
          Source: 11.0.server.exe.eb0000.1.unpack, cmwHH7P3l7/ZhZRcmjltN.cs | High entropy of concatenated method names: '.ctor', 'PsGSqzcXOd', 'fD6NyRKtch', 'OhvftqmFHr', '0OflgCiW4k', 'fdwXuqxXi1', 'heSDchQ2ge', '5WrS1oqVlc', 'aJUGSZPbYK', 'lkhlKabjuS'
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIBF62.tmp
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIAA7F.tmp
          Source: C:\Windows\SysWOW64\expand.exe | File created: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe (copy)
          Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3B77.tmp
          Source: C:\Windows\SysWOW64\expand.exe | File created: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\02f017f8dcfd4885887fe1ceb996bbc7$dpx$.tmp\cfa11b188d32074992aa4060114f8638.tmp

          Boot Survival

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 040b20e882d013c0c9f6ceff16d97f7a

          Hooking and other Techniques for Hiding and Protection

          Source: server.exe, 0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
          Source: server.exe, 0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
          Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
          Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
          Source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0
          Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp  String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0
          Source: C:\Windows\SysWOW64\msiexec.exe  Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
          Source: C:\Windows\SysWOW64\msiexec.exe  Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Windows\System32\msiexec.exe  Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msiexec.exe  Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe  Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe  Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match  File source: 11.2.server.exe.5720000.12.raw.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 11.2.server.exe.440db60.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 11.2.server.exe.5720000.12.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 11.2.server.exe.440db60.5.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 11.2.server.exe.46b6e50.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 11.2.server.exe.4412b50.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 11.2.server.exe.44a6190.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 11.2.server.exe.44a6190.6.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 11.2.server.exe.46bbe40.10.raw.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 11.2.server.exe.5724ff0.11.raw.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 11.2.server.exe.46b6e50.9.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match  File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR
          Source: server.exe, 0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: server.exe, 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: SBIEDLL.DLLD
          Source: server.exe, 0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: SBIEDLL.DLL
          Source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe TID: 7020  Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\msdtc.exe TID: 4100  Thread sleep count: 437 > 30
          Source: C:\Windows\System32\msdtc.exe TID: 4100  Thread sleep time: -43700s >= -30000s
          Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Last function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe  Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 4728Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1801Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2100Jump to behavior
          Source: C:\Windows\System32\msdtc.exeWindow / User API: threadDelayed 437Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 671Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 391
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 444
          Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
          Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
          Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
          Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
          Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
          Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
          Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
          Source: C:\Windows\SysWOW64\expand.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
          Source: C:\Windows\SysWOW64\expand.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
          Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMwareVBoxARun using valid operating systemUSER
          Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
          Source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WWW /c Microsoft-Hyper-V-Common-Drivers-Package
          Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
          Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
          Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
          Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sys
          Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
          Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: RegSvcs.exe, 0000000F.00000003.744324007.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: RegSvcs.exe, 0000000F.00000003.744324007.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
          Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
          Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
          Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sys
          Source: server.exe, 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
          Source: RegSvcs.exe, 00000018.00000002.781891461.00000000013E3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
          Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
          Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VIRTUALBOXUSOFTWARE\Oracle\VirtualBox Guest Additions!noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
          Source: server.exe, 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
          Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
          Source: server.exe, 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sys
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40A000
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40C000
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B52008
Source: 11.0.server.exe.eb0000.1.unpack, cmwHH7P3l7/u0038IilAeO74h.cs | Reference to suspicious API methods: ('UZTDQyKcgA', 'LoadLibrary@kernel32.dll'), ('7B0eHJViyQ', 'GetProcAddress@kernel32.dll'), ('2Nu1KEnGfG', 'VirtualProtect@kernel32.dll')
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files"
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: RegSvcs.exe, 0000000F.00000002.927336113.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerX
Source: RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager6l
Source: RegSvcs.exe, 0000000F.00000002.926806701.0000000000F51000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager<
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE

          Stealing of Sensitive Information

Source: Yara match | File source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7148, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.3399760.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.server.exe.3399760.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: server.exe PID: 7028, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7148, type: MEMORYSTR
MITRE ATT&CK matrix columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          2
          Replication Through Removable Media
          1
          Native API
          1
          DLL Side-Loading
          1
          DLL Side-Loading
          21
          Disable or Modify Tools
          1
          Input Capture
          11
          Peripheral Device Discovery
          2
          Replication Through Removable Media
          1
          Archive Collected Data
          Exfiltration Over Other Network Medium1
          Encrypted Channel
          Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/Job1
          Windows Service
          1
          Windows Service
          2
          Obfuscated Files or Information
          LSASS Memory2
          File and Directory Discovery
          Remote Desktop Protocol1
          Input Capture
          Exfiltration Over Bluetooth1
          Non-Application Layer Protocol
          Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)21
          Registry Run Keys / Startup Folder
          312
          Process Injection
          3
          Software Packing
          Security Account Manager13
          System Information Discovery
          SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration11
          Application Layer Protocol
          Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)1
          Services File Permissions Weakness
          21
          Registry Run Keys / Startup Folder
          1
          Timestomp
          NTDS1
          Query Registry
          Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon Script1
          Services File Permissions Weakness
          1
          DLL Side-Loading
          LSA Secrets21
          Security Software Discovery
          SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common1
          File Deletion
          Cached Domain Credentials2
          Process Discovery
          VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items21
          Masquerading
          DCSync21
          Virtualization/Sandbox Evasion
          Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job21
          Virtualization/Sandbox Evasion
          Proc Filesystem1
          Application Window Discovery
          Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
          Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)312
          Process Injection
          /etc/passwd and /etc/shadow1
          Remote System Discovery
          Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
          Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)1
          Hidden Users
          Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
          Compromise Software Dependencies and Development ToolsWindows Command ShellCronCron1
          Services File Permissions Weakness
          Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
Behavior Graph ID: 562521 | Sample: SecuriteInfo.com.MSIL.Krypt... | Startdate: 29/01/2022 | Architecture: WINDOWS | Score: 100
Signatures on the sample: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 9 other signatures
Top-level processes started: msiexec.exe; RegSvcs.exe; RegSvcs.exe; 3 other processes
msiexec.exe dropped: C:\Windows\Installer\MSIBF62.tmp (PE32); C:\Windows\Installer\MSIAA7F.tmp (PE32); C:\Windows\Installer\MSI3B77.tmp (PE32). Started: a child msiexec.exe
Both top-level RegSvcs.exe instances and the 3 other processes started conhost.exe
Child msiexec.exe started: server.exe; expand.exe; icacls.exe; 2 other processes
server.exe signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes. Started: RegSvcs.exe; AddInProcess.exe; InstallUtil.exe; AddInProcess.exe
expand.exe dropped: C:\Users\user\AppData\...\server.exe (copy) (PE32); C:\...\cfa11b188d32074992aa4060114f8638.tmp (PE32). Started: conhost.exe
icacls.exe and the 2 other processes started conhost.exe
RegSvcs.exe (started by server.exe) DNS/IP: njlove.duckdns.org, 66.154.111.162, ports 1900, 49775, TOTAL-SERVER-SOLUTIONSUS Canada. Signatures: Creates autostart registry keys with suspicious names; Creates an autostart registry key pointing to binary in C:\Windows; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall. Started: netsh.exe, which started conhost.exe



          Submitted file:
          Source | Detection | Scanner
          SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi | 9% | Virustotal
          SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi | 0% | Metadefender

          Dropped files:
          Source | Detection | Scanner
          C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\02f017f8dcfd4885887fe1ceb996bbc7$dpx$.tmp\cfa11b188d32074992aa4060114f8638.tmp | 100% | Joe Sandbox ML
          C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\02f017f8dcfd4885887fe1ceb996bbc7$dpx$.tmp\cfa11b188d32074992aa4060114f8638.tmp | 16% | Virustotal
          C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe (copy) | 16% | Virustotal
          C:\Windows\Installer\MSI3B77.tmp | 0% | Virustotal
          C:\Windows\Installer\MSI3B77.tmp | 0% | Metadefender
          C:\Windows\Installer\MSI3B77.tmp | 0% | ReversingLabs
          C:\Windows\Installer\MSIAA7F.tmp | 0% | Metadefender
          C:\Windows\Installer\MSIAA7F.tmp | 0% | ReversingLabs
          C:\Windows\Installer\MSIBF62.tmp | 0% | Metadefender
          C:\Windows\Installer\MSIBF62.tmp | 0% | ReversingLabs

          Unpacked PE files:
          Source | Detection | Scanner | Label
          15.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
          15.0.RegSvcs.exe.400000.3.unpack | 100% | Avira | TR/ATRAPS.Gen
          11.2.server.exe.3399760.1.unpack | 100% | Avira | HEUR/AGEN.1131353
          15.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
          15.0.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/ATRAPS.Gen
          15.0.RegSvcs.exe.400000.2.unpack | 100% | Avira | TR/ATRAPS.Gen
          15.0.RegSvcs.exe.400000.4.unpack | 100% | Avira | TR/ATRAPS.Gen

          Domains:
          Source | Detection | Scanner
          njlove.duckdns.org | 2% | Virustotal
          No Antivirus matches
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          njlove.duckdns.org | 66.154.111.162 | true | true | (none) | unknown
          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs
          IP | Domain | Country | ASN | ASN Name | Malicious
          66.154.111.162 | njlove.duckdns.org | Canada | 46562 | TOTAL-SERVER-SOLUTIONSUS | true
          Joe Sandbox Version:34.0.0 Boulder Opal
          Analysis ID:562521
          Start date:29.01.2022
          Start time:00:10:18
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 10m 54s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:SecuriteInfo.com.MSIL.Kryptik.AECS.24576.13236 (renamed file extension from 13236 to msi)
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of new started processes analysed:39
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.expl.evad.winMSI@36/35@1/1
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 0.6% (good quality ratio 0.3%)
          • Quality average: 43.1%
          • Quality standard deviation: 42.2%
          HCA Information:
          • Successful, ratio: 97%
          • Number of executed functions: 82
          • Number of non-executed functions: 13
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
          • Excluded IPs from analysis (whitelisted): 2.20.157.220
          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
          • Not all processes were analyzed; report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          Time | Type | Description
          00:11:53 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 040b20e882d013c0c9f6ceff16d97f7a "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
          00:12:02 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 040b20e882d013c0c9f6ceff16d97f7a "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
          00:12:04 | API Interceptor | 30x Sleep call for process: RegSvcs.exe modified
          00:12:11 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 040b20e882d013c0c9f6ceff16d97f7a "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
          No context
          No context
          Match: TOTAL-SERVER-SOLUTIONSUS (ASN)
          Associated Sample Name / URL | Detection | Context (IP)
          arm5 | malicious | 192.111.221.75
          SHENZHEN MORAN SLIP.xlsx | malicious | 66.154.97.102
          Quotation CNY 2022.xlsx | malicious | 66.154.97.102
          ohlw_9606.xlsm | malicious | 69.50.142.179
          PO#46485669RTRHF.xlsx | malicious | 66.154.97.102
          tuOZ8Qr7zD.exe | malicious | 192.252.210.43
          pty4 | malicious | 198.8.91.14
          DOC_100492538964482834455.xlsm | malicious | 66.115.183.137
          DOC_100492538964482834455.xlsm | malicious | 66.115.183.137
          arm7 | malicious | 192.111.221.22
          N64GUd01yF | malicious | 45.74.33.20
          eh.arm | malicious | 208.93.194.82
          MZrHQA8fxF.exe | malicious | 107.152.108.114
          ohEMBJb57C.exe | malicious | 107.152.108.114
          MKsnmEA7gF | malicious | 192.111.221.77
          Payment Advice.exe | malicious | 107.152.108.114
          SMS EMAILER_45_.exe | malicious | 107.152.108.114
          Account Details differs.exe | malicious | 107.152.108.114
          New order PO.exe | malicious | 107.152.108.114
          IN7REq0Jv5 | malicious | 195.123.127.199
          No context
          No context
          Process:C:\Windows\System32\msiexec.exe
          File Type:data
          Category:dropped
          Size (bytes):8093
          Entropy (8bit):5.4465567087908475
          Encrypted:false
          SSDEEP:96:Ymr07+63C9wQeiJYScU0+eD2JtZCsvVDeU0+eD2JtZC6jYPBQAvVDvQGqg5qZW9B:Nr7BeI38C387cUmpq
          MD5:F0C5ADEFCF329EBB98333F599A1A8BAE
          SHA1:D8B9759FA6E1E207DB6E50F80E5E2FFAC4BA92F8
          SHA-256:E3F306A54970543F1287CBE35FA41BCA21BE33A87439736ECBDEEFEB4EF36D8C
          SHA-512:47DB1FDFEBB4FC1A64B487D78218782DB4F5358F60F8103D44B609BE0E1CCA0EC23F44E9906DB508712D1767E58F18B4FA7FF3716A6FA421F2D46E2197A38D86
          Malicious:false
          Preview:...@IXOS.@.....@z.=T.@.....@.....@.....@.....@.....@......&.{8291D67C-2E0B-4E71-B034-09AFE03383E8}X.M.i.c.r.o.s.o.f.t... .V.i.s.u.a.l. .S.t.u.d.i.o... .-. .U.N.R.E.G.I.S.T.E.R.E.D. .-. .W.r.a.p.p.e.d. .u.s.i.n.g. .M.S.I. .W.r.a.p.p.e.r. .f.r.o.m. .w.w.w...e.x.e.m.s.i...c.o.m.,.SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi.@.....@.....@.....@........&.{49C681E5-45C4-4467-92EE-456F1E355C5F}.....@.....@.....@.....@.......@.....@.....@.......@....X.M.i.c.r.o.s.o.f.t... .V.i.s.u.a.l. .S.t.u.d.i.o... .-. .U.N.R.E.G.I.S.T.E.R.E.D. .-. .W.r.a.p.p.e.d. .u.s.i.n.g. .M.S.I. .W.r.a.p.p.e.r. .f.r.o.m. .w.w.w...e.x.e.m.s.i...c.o.m.......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{EDE10F6C-30F4-42CA-B5C7-ADB905E45BFC}&.{8291D67C-2E0B-4E71-B034-09AFE03383E8}.@........WriteRegistryValues..Writing system registry values..Key: [1], Name: [2], Value: [3]$..@....*.SOFTWARE\EXEMSI.COM\MSI Wrapper\Installed\..
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          File Type:ASCII text, with CRLF line terminators
          Category:modified
          Size (bytes):1141
          Entropy (8bit):5.340874572595606
          Encrypted:false
          SSDEEP:24:MLzayE4gayE47mE4K5E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:M3ayHgayH7mHK5HKXwYHKhQnoPtHoxHe
          MD5:DB2EF3BD59C93968A627D15CC207CBF4
          SHA1:F0C61B1D05A79EDBB9EBB6FFB8C8E217F2BDD62A
          SHA-256:31D645F0A9462B5632F184DF6D131C28ADEA6777C7E42AF8E91643E47447E4C8
          SHA-512:55EC90EE78C75E817F888197CE289202FF8973348DD992DAA4AB791261732AB4006E56F84A4DA449F71A69B7A2F6BD91B4A6D16521AD0CB6D3A4A531851A8F5A
          Malicious:false
          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, Public
          Process:C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):522
          Entropy (8bit):5.348034597186669
          Encrypted:false
          SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat92n4M6:ML9E4Ks2wKDE4KhK3VZ9pKhg84j
          MD5:07FC10473CB7F0DEC42EE8079EB0DF28
          SHA1:90FA6D0B604991B3E5E8F6DB041651B10FD4284A
          SHA-256:A42B61DFB4AF366D05CE1815C88E2392C7C4AA9B6B17604234BEB7A7DADA7E4C
          SHA-512:D7240EE88D207E631990907AFA96C8384FB51729A16247BD4BDB96CBA3C4CDB9A68ADCD07819B2242A0F395690AD831B1B547EC91E988CBE39398F472055D56F
          Malicious:false
          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
          Process:C:\Windows\SysWOW64\msiexec.exe
          File Type:Microsoft Cabinet archive data, 669935 bytes, 1 file
          Category:dropped
          Size (bytes):669935
          Entropy (8bit):7.957969373333579
          Encrypted:false
          SSDEEP:12288:nkKSpNcjNXmpYpNLKAKMYzh5E4OGF9+AxUH5tXT0rHo7sv0yxYElXXyoZhTUGL:kTNcjk8LKAj6h5E4Z9+SgzDOo7sv0yxX
          MD5:262E1B25CAAB9FABDED95EECFDCB28EB
          SHA1:966B778B45CF788F3F3D34C841D137F8C22AA997
          SHA-256:B17D933378BB378797102613EE8034BEC9B7E73E4540EFA2E48D4B90CB7494D9
          SHA-512:0A5562D3C41657BE46A657C62ECF2D5FF013D559621AB81734B53025F2F76E1F88B39BBCE65B669EC20677A9EB66D3674A048FFF7DAA4D531C6A13F096AF181B
          Malicious:false
          Preview:MSCF.....8......,...................G........8........<TW. .server.exe...3.....MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b)...............0.@,..........:L... ...`....@.. ....................................`.................................0K..J....`..............................zK..8............................................ ............... ..H............text...@,... ...................... ..`.rsrc........`.......0..............@..@.reloc...............6..............@..@................`K......H....... ...Xb..........xJ..............................................e`:C)......0.&............Ndq.t28q..W.z..X.....V...{.("....N.5...V.Z....l...kf..'...".6..`m....`8.).].....z5.:[5....Amy.b......:k..n.Q.N..&....\...../ ..;fsp.B...*........[@..A..h.d......h..-n...ynT...=...$.NsA....7....^.. ....]..,.A....L...E...HI#.a.#....DA.=n.....U1@...>?%....|r..0...o.L.[9#.."4..m..QW.04A.,.e.&z
          Process:C:\Windows\SysWOW64\expand.exe
          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):669696
          Entropy (8bit):7.958276686942886
          Encrypted:false
          SSDEEP:12288:EkKSarcjMXmuYpN0KAKMSzhFE4OUF94Ax/m5GXT0rao7Ev0ixYElXtyoLhTUGe:dQrcjXv0KAjUhFE4794SOMD7o7Ev0ixm
          MD5:CD4D919B4FC88C9D6F03C864A181E40F
          SHA1:F0E56473DEBCF2DFD121E0249908828FE36EA621
          SHA-256:7E6B89DBF95819AC599FF79ACD6CB50DE2A53EE135B51E37DAF00AF7313CE8D6
          SHA-512:3E70ADBDDF558F24349896DD2CD82FCA8A4FA3C732E0966B6A2A16EAD57FB7EBABB810F5C9870C7C928C7C09F365F28C5AD0EBD1B7C0EE6279F7E85B4108D0A8
          Malicious:true
          Antivirus:
          • Antivirus: Joe Sandbox ML, Detection: 100%
          • Antivirus: Virustotal, Detection: 16%, Browse
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b)...............0.@,..........:L... ...`....@.. ....................................`.................................0K..J....`..............................zK..8............................................ ............... ..H............text...@,... ...................... ..`.rsrc........`.......0..............@..@.reloc...............6..............@..@................`K......H....... ...Xb..........xJ..............................................e`:C)......0.&............Ndq.t28q..W.z..X.....V...{.("....N.5...V.Z....l...kf..'...".6..`m....`8.).].....z5.:[5....Amy.b......:k..n.Q.N..&....\...../ ..;fsp.B...*........[@..A..h.d......h..-n...ynT...=...$.NsA....7....^.. ....]..,.A....L...E...HI#.a.#....DA.=n.....U1@...>?%....|r..0...o.L.[9#.."4..m..QW.04A.,.e.&z*I.?PR.p4^..M.o..F<.uFyaw.....>..s-X..-\.(....f...bT>A{.P..us....2..J.m.n.$
          Process:C:\Windows\SysWOW64\expand.exe
          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):669696
          Entropy (8bit):7.958276686942886
          Encrypted:false
          SSDEEP:12288:EkKSarcjMXmuYpN0KAKMSzhFE4OUF94Ax/m5GXT0rao7Ev0ixYElXtyoLhTUGe:dQrcjXv0KAjUhFE4794SOMD7o7Ev0ixm
          MD5:CD4D919B4FC88C9D6F03C864A181E40F
          SHA1:F0E56473DEBCF2DFD121E0249908828FE36EA621
          SHA-256:7E6B89DBF95819AC599FF79ACD6CB50DE2A53EE135B51E37DAF00AF7313CE8D6
          SHA-512:3E70ADBDDF558F24349896DD2CD82FCA8A4FA3C732E0966B6A2A16EAD57FB7EBABB810F5C9870C7C928C7C09F365F28C5AD0EBD1B7C0EE6279F7E85B4108D0A8
          Malicious:true
          Antivirus:
          • Antivirus: Virustotal, Detection: 16%, Browse
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b)...............0.@,..........:L... ...`....@.. ....................................`.................................0K..J....`..............................zK..8............................................ ............... ..H............text...@,... ...................... ..`.rsrc........`.......0..............@..@.reloc...............6..............@..@................`K......H....... ...Xb..........xJ..............................................e`:C)......0.&............Ndq.t28q..W.z..X.....V...{.("....N.5...V.Z....l...kf..'...".6..`m....`8.).].....z5.:[5....Amy.b......:k..n.Q.N..&....\...../ ..;fsp.B...*........[@..A..h.d......h..-n...ynT...=...$.NsA....7....^.. ....]..,.A....L...E...HI#.a.#....DA.=n.....U1@...>?%....|r..0...o.L.[9#.."4..m..QW.04A.,.e.&z*I.?PR.p4^..M.o..F<.uFyaw.....>..s-X..-\.(....f...bT>A{.P..us....2..J.m.n.$
          Process:C:\Windows\SysWOW64\msiexec.exe
          File Type:data
          Category:dropped
          Size (bytes):1426
          Entropy (8bit):3.6464727035070923
          Encrypted:false
          SSDEEP:24:f3dX8DW8dfj+vQD+AMKcDNESrF393IFUlSaz93IFUlSaay293IFUlSaOUxlFnal3:fe6K+NJF393I8193I8Yl93I8VxlQl
          MD5:7CB5DE5993EE769767AC0E19369684CE
          SHA1:1E2183C28ABAAAD558631D6867178A3E12EE997F
          SHA-256:2ED222CF66CBD694BA3744EC49E63534D2EA9532C822BDB11D5A3FF46909E142
          SHA-512:6F486BBE7C3A6A9E86943008C47F02F1FB1DB33320D01A9CC5FDAB39303D85823F3E7A12EA4CE0962D309F35546765EC1FADD12748EE10BCB445B16CF7BF11CE
          Malicious:false
          Preview:W.r.a.p.p.e.d.A.p.p.l.i.c.a.t.i.o.n.I.d.=...W.r.a.p.p.e.d.R.e.g.i.s.t.r.a.t.i.o.n.=.H.i.d.d.e.n...I.n.s.t.a.l.l.S.u.c.c.e.s.s.C.o.d.e.s.=.0...E.l.e.v.a.t.i.o.n.M.o.d.e.=.a.d.m.i.n.i.s.t.r.a.t.o.r.s...B.a.s.e.N.a.m.e.=.s.e.r.v.e.r...e.x.e...C.a.b.H.a.s.h.=.b.1.7.d.9.3.3.3.7.8.b.b.3.7.8.7.9.7.1.0.2.6.1.3.e.e.8.0.3.4.b.e.c.9.b.7.e.7.3.e.4.5.4.0.e.f.a.2.e.4.8.d.4.b.9.0.c.b.7.4.9.4.d.9...S.e.t.u.p.P.a.r.a.m.e.t.e.r.s.=...W.o.r.k.i.n.g.D.i.r.=...C.u.r.r.e.n.t.D.i.r.=.*.S.O.U.R.C.E.D.I.R.*...U.I.L.e.v.e.l.=.5...F.o.c.u.s.=.y.e.s...S.e.s.s.i.o.n.D.i.r.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.7.1.3.2.2.5.7.0.-.7.0.0.8.-.4.6.b.5.-.b.b.7.3.-.7.7.0.9.8.a.f.1.b.7.5.2.\...F.i.l.e.s.D.i.r.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.7.1.3.2.2.5.7.0.-.7.0.0.8.-.4.6.b.5.-.b.b.7.3.-.7.7.0.9.8.a.f.1.b.7.5.2.\.f.i.l.e.s.\...R.u.n.B.e.f.o.r.e.I.n.s.t.a.l.l.F.i.l.e.=...R.u.n.B.e.f.o.r.e.I.n.s.t.a.l.l.P.a.r.a.m.e.t.e.r.s.=...R.u.n.A.f.t.e.r.I.
          Process:C:\Windows\System32\msiexec.exe
          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Microsoft Visual Studio - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 16.6.255.35071, Subject: Microsoft Visual Studio - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft Corporation, Keywords: Installer, Template: x64;1033, Revision Number: {49C681E5-45C4-4467-92EE-456F1E355C5F}, Create Time/Date: Sun Feb 7 22:37:14 2021, Last Saved Time/Date: Sun Feb 7 22:37:14 2021, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (10.0.50.0), Security: 2
          Category:dropped
          Size (bytes):921600
          Entropy (8bit):7.70038526988355
          Encrypted:false
          SSDEEP:24576:StZcpVJ78TNcjk8LKAj6h5E4Z9+SgzDOo7sv0yx3FXyoUc:Rpz78OI/i4nhgzDOo3yLC+
          MD5:1D59589778C525AADCB645270CEE737C
          SHA1:AD4584C1B7734854939C59674CBBF22A99618285
          SHA-256:1F95063441E9D231E0E2B15365A8722C5136C2A6FE2716F3653C260093026354
          SHA-512:11D4394566EFE3BC75336D90371017EA0E4E9EDC556736E2537201AFB648E9C2167BEB82CA87C3CC4A4B23603D49EB19BFC403C782858F0E781BB127771109D9
          Malicious:false
          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Microsoft Visual Studio - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 16.6.255.35071, Subject: Microsoft Visual Studio - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft Corporation, Keywords: Installer, Template: x64;1033, Revision Number: {49C681E5-45C4-4467-92EE-456F1E355C5F}, Create Time/Date: Sun Feb 7 22:37:14 2021, Last Saved Time/Date: Sun Feb 7 22:37:14 2021, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (10.0.50.0), Security: 2
          Category:dropped
          Size (bytes):921600
          Entropy (8bit):7.70038526988355
          Encrypted:false
          SSDEEP:24576:StZcpVJ78TNcjk8LKAj6h5E4Z9+SgzDOo7sv0yx3FXyoUc:Rpz78OI/i4nhgzDOo3yLC+
          MD5:1D59589778C525AADCB645270CEE737C
          SHA1:AD4584C1B7734854939C59674CBBF22A99618285
          SHA-256:1F95063441E9D231E0E2B15365A8722C5136C2A6FE2716F3653C260093026354
          SHA-512:11D4394566EFE3BC75336D90371017EA0E4E9EDC556736E2537201AFB648E9C2167BEB82CA87C3CC4A4B23603D49EB19BFC403C782858F0E781BB127771109D9
          Malicious:false
          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):212992
          Entropy (8bit):6.513495229990427
          Encrypted:false
          SSDEEP:3072:9spAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLu2loHUvU1yGxr5nqM2a8:/tOdiRQYpgjpjew5JWyGxJqo8
          MD5:D8AD3B90E6F172C97F1A95678EC8E1A4
          SHA1:C33402EDEB359044309E01B2E8C4D1694B48C5E1
          SHA-256:2D4AFDF54F3CB2E602A23CD22F7223199F0E483D556CC8DF7A8DA72C7FE1336A
          SHA-512:64A2DC66A0056740BCF03065522962FFF847307F12545256817A7481A00025ECA9F0C097ECF660C17045729666D663137DEDC1B42E2FD14B587CEE242CCBE54F
          Malicious:false
          Antivirus:
          • Antivirus: Virustotal, Detection: 0%, Browse
          • Antivirus: Metadefender, Detection: 0%, Browse
          • Antivirus: ReversingLabs, Detection: 0%
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L....k `...........!.....h..........K.....................................................@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:data
          Category:dropped
          Size (bytes):1940
          Entropy (8bit):5.458968263899004
          Encrypted:false
          SSDEEP:48:pLr07+psbs7YD8SMyaeU9nMgxuDGLEVltayiCq:pLr07+6g7wnaecMgwDGLEPYyBq
          MD5:4E8344A5DC2DBCC8A862436792F50965
          SHA1:6DC315CA22D243D3F5686EE3D9B165A08C6C2562
          SHA-256:80077465795E5449E2F746283252A42A9870DBFBE0F277FAE88787EBA32E42DE
          SHA-512:595EEF87EED89AB8F227A416103F0B484F3A67E3B38E20693315950144C97707152C0EBAEA112CF24F7C1717B48BC49C2DF5A0E3B4C4CF9984B7C517104A1B17
          Malicious:false
          Preview:...@IXOS.@.....@y.=T.@.....@.....@.....@.....@.....@......&.{8291D67C-2E0B-4E71-B034-09AFE03383E8}X.M.i.c.r.o.s.o.f.t... .V.i.s.u.a.l. .S.t.u.d.i.o... .-. .U.N.R.E.G.I.S.T.E.R.E.D. .-. .W.r.a.p.p.e.d. .u.s.i.n.g. .M.S.I. .W.r.a.p.p.e.r. .f.r.o.m. .w.w.w...e.x.e.m.s.i...c.o.m.,.SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi.@.....@.....@.....@........&.{49C681E5-45C4-4467-92EE-456F1E355C5F}.....@.....@.....@.....@.......@.....@.....@.......@....X.M.i.c.r.o.s.o.f.t... .V.i.s.u.a.l. .S.t.u.d.i.o... .-. .U.N.R.E.G.I.S.T.E.R.E.D. .-. .W.r.a.p.p.e.d. .u.s.i.n.g. .M.S.I. .W.r.a.p.p.e.r. .f.r.o.m. .w.w.w...e.x.e.m.s.i...c.o.m.......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{EDE10F6C-30F4-42CA-B5C7-ADB905E45BFC}7.22:\SOFTWARE\EXEMSI.COM\MSI Wrapper\Installed\LogonUser.@.......@.....@.....@........WriteRegistryValues..Writing system registry values..Key: [1],
          Process:C:\Windows\System32\msiexec.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):212992
          Entropy (8bit):6.513495229990427
          Encrypted:false
          SSDEEP:3072:9spAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLu2loHUvU1yGxr5nqM2a8:/tOdiRQYpgjpjew5JWyGxJqo8
          MD5:D8AD3B90E6F172C97F1A95678EC8E1A4
          SHA1:C33402EDEB359044309E01B2E8C4D1694B48C5E1
          SHA-256:2D4AFDF54F3CB2E602A23CD22F7223199F0E483D556CC8DF7A8DA72C7FE1336A
          SHA-512:64A2DC66A0056740BCF03065522962FFF847307F12545256817A7481A00025ECA9F0C097ECF660C17045729666D663137DEDC1B42E2FD14B587CEE242CCBE54F
          Malicious:false
          Antivirus:
          • Antivirus: Metadefender, Detection: 0%, Browse
          • Antivirus: ReversingLabs, Detection: 0%
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L....k `...........!.....h..........K.....................................................@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Category:modified
          Size (bytes):212992
          Entropy (8bit):6.513495229990427
          Encrypted:false
          SSDEEP:3072:9spAtOdmXwCGjtYNKbYO2gjpcm8rRuqpjCLu2loHUvU1yGxr5nqM2a8:/tOdiRQYpgjpjew5JWyGxJqo8
          MD5:D8AD3B90E6F172C97F1A95678EC8E1A4
          SHA1:C33402EDEB359044309E01B2E8C4D1694B48C5E1
          SHA-256:2D4AFDF54F3CB2E602A23CD22F7223199F0E483D556CC8DF7A8DA72C7FE1336A
          SHA-512:64A2DC66A0056740BCF03065522962FFF847307F12545256817A7481A00025ECA9F0C097ECF660C17045729666D663137DEDC1B42E2FD14B587CEE242CCBE54F
          Malicious:false
          Antivirus:
          • Antivirus: Metadefender, Detection: 0%, Browse
          • Antivirus: ReversingLabs, Detection: 0%
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L....k `...........!.....h..........K.....................................................@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:Composite Document File V2 Document, Cannot read section info
          Category:dropped
          Size (bytes):20480
          Entropy (8bit):1.1819271031136984
          Encrypted:false
          SSDEEP:12:JSbX72Fje5TliAGiLIlHVRp/h/7777777777777777777777777vDHFun7gTriwV:JUTiQI57YiX8F
          MD5:6B8E60B59582EEC45CB1BE8561409AF8
          SHA1:B382E4CCA80B7BC1F8B5A60A3232D380F5E1BBD8
          SHA-256:E4A3C6060A3C2A97E6B2DEE4B0373EBA33A22929760934BC492342B77CD81D1D
          SHA-512:9CE17DEC719FB406ECF86DC5C582684BFB4F083C8E47BC4C116004E2D23BBB6CED1B88C29CE32D933E96B18675E1F446B3C3BA531C6CF8CC8E99AC8AFEE40BBC
          Malicious:false
          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:Composite Document File V2 Document, Cannot read section info
          Category:dropped
          Size (bytes):20480
          Entropy (8bit):1.551188796700849
          Encrypted:false
          SSDEEP:48:GfO8PhBuRc06WX44nT5mvYpHAuesdASronfrXfdASB21r0Pyt:qBhB1InTWuq9qq9P
          MD5:3BE07B0E6ABD6F1380F26C49D20B4010
          SHA1:40F7AFCA7262E9823EF28D2FD5DDA8A71B943C67
          SHA-256:A54ECBCCC12DBB9710C4FED1EF5BFBB611B226C3C617C66C01331795C315BA5D
          SHA-512:C96A08F4DBC55BB2E2E81CCDE987B91CA5278012DC16C0DC0C56F2B1B5F79AE4FC5D7393FD0C52BEFE3C47E3266FE3A25A8719D74F0EEBA032FA1CC61B54A6E4
          Malicious:false
          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\SysWOW64\expand.exe
          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
          Category:dropped
          Size (bytes):933929
          Entropy (8bit):4.385952864024072
          Encrypted:false
          SSDEEP:192:kKcKnKcKqKcKnKcKqKcKnKcKqKcKnKcKqKcKnKcKqKcKnKcKqKcKnKcKqKcKnKco:V
          MD5:FE27DC7691051218EA3D3E176EED977B
          SHA1:4E57DDC06C68966ADDFAD989F9EA2626AA4E1BF6
          SHA-256:4423838CB5079083E9649DD599ED8CE122851D8A5B339DFAA0480F160ECC8F39
          SHA-512:0AD274632DEAC3CE8836E23242DB6D3AAE27E2BBAD3235C74413179FE38CAD17BB816A337759E528DB64D209499D9C43617FFA5E7436E42155656F6DCCE669C5
          Malicious:false
          Preview:.2019-06-27 00:56:09, Info DPX Started DPX phase: Resume and Download Job..2019-06-27 00:56:09, Info DPX Started DPX phase: Apply Deltas Provided In File..2019-06-27 00:56:09, Info DPX Ended DPX phase: Apply Deltas Provided In File..2019-06-27 00:56:09, Info DPX Started DPX phase: Apply Deltas Provided In File..2019-06-27 00:56:09, Info DPX Ended DPX phase: Apply Deltas Provided In File..2019-06-27 00:56:09, Info DPX CJob::Resume completed with status: 0x0..2019-06-27 00:56:09, Info DPX Ended DPX phase: Resume and Download Job..2019-06-27 00:56:09, Info DPX Started DPX phase: Resume and Download Job..2019-06-27 00:56:09, Info DPX Started DPX phase: Apply Deltas Provided In File..2019-06-27 00:56:09, Info DPX Ended DPX phase: Apply Deltas Provided In File..2019-06-27 00:56:09, Info
          Process:C:\Windows\System32\msiexec.exe
          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
          Category:dropped
          Size (bytes):79122
          Entropy (8bit):5.282115154928446
          Encrypted:false
          SSDEEP:192:jmXs969ozNSkk3peTBYeHt0tfoI9qsjl0urmwYyim:yXs9UogeWeH29qclhmwYyim
          MD5:66FE9B41903AB5D0184B35D63FC1621B
          SHA1:5E255F22B8783E489363A17C7268994DE2134197
          SHA-256:6F6D2465A3A3C067379B316FA13DF65D14BA30F7F11BA2721CDBF2BFA2A999E2
          SHA-512:B23059DB85693E64C2833DA7B5CCD02821381A84F0C677A30F7EC9E047040A9F18BEDCAE47718B31658CE6FCA36FCF9090F4CFA3995066EA3BAAE0BD5E43D93B
          Malicious:false
          Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 03:22:38.143 [320]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.159 [320]: ngen returning 0x00000000..07/23/2020 03:22:38.222 [3748]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.237 [3748]: ngen returning 0x00000000..07/23/2020 03:22:38.284 [64]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.300 [64]:
          Process:C:\Windows\System32\msdtc.exe
          File Type:data
          Category:dropped
          Size (bytes):16384
          Entropy (8bit):0.32056240596048735
          Encrypted:false
          SSDEEP:6:QKt3dEX8ta/ygA5UMclSqlPMclX/7EJRD/tz8gYbOCzE5Zm3n+SkSJkJIOcuCjHF:zaX80y52xX/7En7q6CzE5Z2+fqjFhl
          MD5:7A141E48D07008633F69DE5A0962C3D7
          SHA1:427889058B5A3401D1F3028EACDA31BD8F88C0A7
          SHA-256:CFDDD10FED936C66EB0DA9D65478D057B26E6095976976CA95D85C1113A61FE7
          SHA-512:534413FB19E57EBA818C170EFAF5164A095A38D7A5948D329A315C90E3C199294ED1238EAC015FA16A6656B8161BA045F12B834223061DF15C04559AA0C21D07
          Malicious:false
          Preview:.@..X...X.......................................X...!...................................5._-.............@.......B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1...........................................................:......... ........w............M.S.D.T.C._.T.R.A.C.E._.S.E.S.S.I.O.N...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.S.D.t.c.\.t.r.a.c.e.\.d.t.c.t.r.a.c.e...l.o.g.............P.P.........5._-............................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:data
          Category:dropped
          Size (bytes):512
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:3::
          MD5:BF619EAC0CDF3F68D496EA9344137E8B
          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
          Malicious:false
          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:data
          Category:dropped
          Size (bytes):512
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:3::
          MD5:BF619EAC0CDF3F68D496EA9344137E8B
          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
          Malicious:false
          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:data
          Category:dropped
          Size (bytes):512
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:3::
          MD5:BF619EAC0CDF3F68D496EA9344137E8B
          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
          Malicious:false
          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:Composite Document File V2 Document, Cannot read section info
          Category:dropped
          Size (bytes):32768
          Entropy (8bit):1.242111497633235
          Encrypted:false
          SSDEEP:48:2rA5upM+xFX4fT5gvYpHAuesdASronfrXfdASB21r0Pyt:2k5g8Touq9qq9P
          MD5:F947EC28BEE2D39A680021C0B666F034
          SHA1:83BBC3BA11BFE26D02ED764182CE1D046F3B7B81
          SHA-256:43F8A107692C45C619F0C6C7EE744833367441ABF09F73E47E3DC2B19E65DA10
          SHA-512:9E7B3C9D85141DD4B65DD13CDB179E1C3E3D8A2FCD9FD0CB7C36B783F7C7AD33B63325D8107412E3588B5DEA96DFF6ED0032EE6D10217B40C0A98D63F7BA5390
          Malicious:false
          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:Composite Document File V2 Document, Cannot read section info
          Category:dropped
          Size (bytes):20480
          Entropy (8bit):1.551188796700849
          Encrypted:false
          SSDEEP:48:GfO8PhBuRc06WX44nT5mvYpHAuesdASronfrXfdASB21r0Pyt:qBhB1InTWuq9qq9P
          MD5:3BE07B0E6ABD6F1380F26C49D20B4010
          SHA1:40F7AFCA7262E9823EF28D2FD5DDA8A71B943C67
          SHA-256:A54ECBCCC12DBB9710C4FED1EF5BFBB611B226C3C617C66C01331795C315BA5D
          SHA-512:C96A08F4DBC55BB2E2E81CCDE987B91CA5278012DC16C0DC0C56F2B1B5F79AE4FC5D7393FD0C52BEFE3C47E3266FE3A25A8719D74F0EEBA032FA1CC61B54A6E4
          Malicious:false
          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:data
          Category:dropped
          Size (bytes):69632
          Entropy (8bit):0.13764522655708583
          Encrypted:false
          SSDEEP:24:8NctbPtwY+QJfAebfdAipV72XdAipVJV2BwGtplrkg9SkUn+IpHA0n:ntbPNrfdASB2XdASronfrXUnFpHA0n
          MD5:991167EEA182FCFB993E4E260943D1C5
          SHA1:0C4DCB947F0C06990A29C420A7B64193BFE0B5A8
          SHA-256:CFEFCB870FFC06DEF2042612E91FB61DF8FACDB1BA17A564B1FA4D3F96110BB9
          SHA-512:FB9013D258C8CDC5F63612F6033B4EB106E1D462E77D16990260A28A2D0D4811E37BE0437FC0E94E4040F58623DC876A25D3A18FF87734B9FE33FDC6BA4056E9
          Malicious:false
          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:Composite Document File V2 Document, Cannot read section info
          Category:dropped
          Size (bytes):32768
          Entropy (8bit):1.242111497633235
          Encrypted:false
          SSDEEP:48:2rA5upM+xFX4fT5gvYpHAuesdASronfrXfdASB21r0Pyt:2k5g8Touq9qq9P
          MD5:F947EC28BEE2D39A680021C0B666F034
          SHA1:83BBC3BA11BFE26D02ED764182CE1D046F3B7B81
          SHA-256:43F8A107692C45C619F0C6C7EE744833367441ABF09F73E47E3DC2B19E65DA10
          SHA-512:9E7B3C9D85141DD4B65DD13CDB179E1C3E3D8A2FCD9FD0CB7C36B783F7C7AD33B63325D8107412E3588B5DEA96DFF6ED0032EE6D10217B40C0A98D63F7BA5390
          Malicious:false
          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:data
          Category:dropped
          Size (bytes):32768
          Entropy (8bit):0.08454305645594185
          Encrypted:false
          SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOuUV6GQ3I2rQpTrTs14Vky6lwt/:2F0i8n0itFzDHFun7gTriw1
          MD5:C1ACC1C2E59C0C4C69DE5DAB0C357421
          SHA1:656C5B8159572325A6657AB1C62A424EB5AEBF47
          SHA-256:C394492BEE24556C4BD45CD20090CE5DD6E9AFFD84330D9066A3FF7B497EAA87
          SHA-512:B5E818E035671A5660C98EDCB1C1C791C4C8570E161C1E39EC03DAD8BE97B39B1CA56DDB31482AD664D234987AE85410E229A84DE8CD28216AEDC8618B6D2D35
          Malicious:false
          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:data
          Category:dropped
          Size (bytes):512
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:3::
          MD5:BF619EAC0CDF3F68D496EA9344137E8B
          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
          Malicious:false
          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:Composite Document File V2 Document, Cannot read section info
          Category:dropped
          Size (bytes):20480
          Entropy (8bit):1.551188796700849
          Encrypted:false
          SSDEEP:48:GfO8PhBuRc06WX44nT5mvYpHAuesdASronfrXfdASB21r0Pyt:qBhB1InTWuq9qq9P
          MD5:3BE07B0E6ABD6F1380F26C49D20B4010
          SHA1:40F7AFCA7262E9823EF28D2FD5DDA8A71B943C67
          SHA-256:A54ECBCCC12DBB9710C4FED1EF5BFBB611B226C3C617C66C01331795C315BA5D
          SHA-512:C96A08F4DBC55BB2E2E81CCDE987B91CA5278012DC16C0DC0C56F2B1B5F79AE4FC5D7393FD0C52BEFE3C47E3266FE3A25A8719D74F0EEBA032FA1CC61B54A6E4
          Malicious:false
          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:data
          Category:dropped
          Size (bytes):512
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:3::
          MD5:BF619EAC0CDF3F68D496EA9344137E8B
          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
          Malicious:false
          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\System32\msiexec.exe
          File Type:Composite Document File V2 Document, Cannot read section info
          Category:dropped
          Size (bytes):32768
          Entropy (8bit):1.242111497633235
          Encrypted:false
          SSDEEP:48:2rA5upM+xFX4fT5gvYpHAuesdASronfrXfdASB21r0Pyt:2k5g8Touq9qq9P
          MD5:F947EC28BEE2D39A680021C0B666F034
          SHA1:83BBC3BA11BFE26D02ED764182CE1D046F3B7B81
          SHA-256:43F8A107692C45C619F0C6C7EE744833367441ABF09F73E47E3DC2B19E65DA10
          SHA-512:9E7B3C9D85141DD4B65DD13CDB179E1C3E3D8A2FCD9FD0CB7C36B783F7C7AD33B63325D8107412E3588B5DEA96DFF6ED0032EE6D10217B40C0A98D63F7BA5390
          Malicious:false
          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          File Type:ASCII text, with CRLF, LF line terminators
          Category:dropped
          Size (bytes):414
          Entropy (8bit):5.058268497021542
          Encrypted:false
          SSDEEP:12:zKLLDkOA4BFNY1RI5gYXH8fvfKwZGRrsTACF7Bjmpv:zKLXkb4DO1RGTcSwZursMCrmB
          MD5:6D96D5AD1A844AE8D1CBA8B2D0D3AEED
          SHA1:1FE3C841A8B52C534D5BD7375B2427E13BBEBF76
          SHA-256:81ECD2B22E988559B583F2A5D1389B9036CC325F8BF97BDBA7B6D81137366E20
          SHA-512:8841FF1E18A425AAE729330DB74BEA5E24339296D3DF2F76EF8DAF024ED790496E03FB0B2EF1736A66779F4C9714014BAFD2C909B111200BC88F0BD2FED01B34
          Malicious:false
          Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved......An unknown exception occurred during installation:..1: System.IO.FileLoadException - Could not load file or assembly 'C:\\Windows\\Microsoft.NET\\Framework' or one of its dependencies. The given assembly name or codebase was invalid. (Exception from HRESULT: 0x80131047)..
          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Microsoft Visual Studio - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 16.6.255.35071, Subject: Microsoft Visual Studio - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft Corporation, Keywords: Installer, Template: x64;1033, Revision Number: {49C681E5-45C4-4467-92EE-456F1E355C5F}, Create Time/Date: Sun Feb 7 22:37:14 2021, Last Saved Time/Date: Sun Feb 7 22:37:14 2021, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (10.0.50.0), Security: 2
          Entropy (8bit):7.70038526988355
          TrID:
          • Microsoft Windows Installer (77509/1) 90.64%
          • Generic OLE2 / Multistream Compound File (8008/1) 9.36%
          File name:SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi
          File size:921600
          MD5:1d59589778c525aadcb645270cee737c
          SHA1:ad4584c1b7734854939c59674cbbf22a99618285
          SHA256:1f95063441e9d231e0e2b15365a8722c5136c2a6fe2716f3653c260093026354
          SHA512:11d4394566efe3bc75336d90371017ea0e4e9edc556736e2537201afb648e9c2167beb82ca87c3cc4a4b23603d49eb19bfc403c782858f0e781bb127771109d9
          SSDEEP:24576:StZcpVJ78TNcjk8LKAj6h5E4Z9+SgzDOo7sv0yx3FXyoUc:Rpz78OI/i4nhgzDOo3yLC+
          File Content Preview:........................>......................................................................................................................................................................................................................................
          Icon Hash:a2a0b496b2caca72
          Document Type:OLE
          Number of OLE Files:1
          Has Summary Info:True
          Application Name:MSI Wrapper (10.0.50.0)
          Encrypted Document:False
          Contains Word Document Stream:False
          Contains Workbook/Book Stream:False
          Contains PowerPoint Document Stream:False
          Contains Visio Document Stream:False
          Contains ObjectPool Stream:
          Flash Objects Count:
          Contains VBA Macros:False
          Code Page:1252
          Title:Microsoft Visual Studio - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 16.6.255.35071
          Subject:Microsoft Visual Studio - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com
          Author:Microsoft Corporation
          Keywords:Installer
          Template:x64;1033
Revision Number:{49C681E5-45C4-4467-92EE-456F1E355C5F}
          Create Time:2021-02-07 22:37:14
          Last Saved Time:2021-02-07 22:37:14
          Number of Pages:200
          Number of Words:2
          Creating Application:MSI Wrapper (10.0.50.0)
          Security:2
          Document Code Page:1252
          Company:Microsoft Corporation
          General
          Stream Path:\x5DocumentSummaryInformation
          File Type:data
          Stream Size:136
          Entropy:3.23907469015
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . X . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t C o r p o r a t i o n . . .
          Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 58 00 00 00 03 00 00 00 01 00 00 00 28 00 00 00 00 00 00 80 30 00 00 00 0f 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 e4 04 00 00 13 00 00 00 09 04 00 00 1e 00 00 00 16 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72
          General
          Stream Path:\x5SummaryInformation
          File Type:data
          Stream Size:588
          Entropy:4.89141384854
          Base64 Encoded:True
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . x . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I n s t a l l e r . . . . . . . . . . . x 6 4 ; 1 0 3 3 . . . . . . . . ' . . . { 4 9 C 6 8 1 E 5 - 4 5 C 4 - 4 4 6 7 - 9 2 E E - 4 5 6 F 1 E 3
          Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 1c 02 00 00 0d 00 00 00 01 00 00 00 78 00 00 00 02 00 00 00 28 01 00 00 03 00 00 00 98 01 00 00 04 00 00 00 08 01 00 00 05 00 00 00 80 00 00 00 07 00 00 00 94 00 00 00 09 00 00 00 a8 00 00 00 0c 00 00 00 d8 00 00 00 0d 00 00 00 e4 00 00 00
          General
          Stream Path:\x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480
          File Type:Microsoft Cabinet archive data, 669935 bytes, 1 file
          Stream Size:669935
          Entropy:7.95796937333
          Base64 Encoded:True
          Data ASCII:M S C F . . . . . 8 . . . . . . , . . . . . . . . . . . . . . . . . . . G . . . . . . . . 8 . . . . . . . . < T W . . s e r v e r . e x e . . . 3 . . . . . M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . P E . . L . . . . b ) . . . . . . . . . . . . . . . 0 . @ , . . . . . . . . . . : L . . . . . .
          Data Raw:4d 53 43 46 00 00 00 00 ef 38 0a 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 9b 8e 00 00 47 00 00 00 15 00 00 00 00 38 0a 00 00 00 00 00 00 00 3c 54 57 80 20 00 73 65 72 76 65 72 2e 65 78 65 00 99 0a 33 f0 00 80 00 80 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          General
          Stream Path:\x17163\x16689\x18229\x16766\x18365\x17932\x17910\x17458\x16778\x17207\x17522\x17357\x18479
          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
          Stream Size:212992
          Entropy:6.51349522999
          Base64 Encoded:True
          Data ASCII:M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . . . . . . p . . . p . . . p . . . . . . . p . . . . . . . p . . . . . / . p . . . . . . . p . . . q . % . p . . . . . . . p . . . . . . . p . . . . . . . p . R i c h . . p . . . . . . . . . . . . . . . . . . . . . . . . . P E . . L . . . . k ` . . . .
          Data Raw:4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
          General
          Stream Path:_Columns (decoded MSI table stream; raw: \x18496\x15167\x17394\x17464\x17841)
          File Type:data
          Stream Size:672
          Entropy:4.76447414203
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . . . . " . " . " . ) . ) . ) . * . * . * . + . + . / . / . / . / . / . / . 5 . 5 . 5 . = . = . = . = . = . M . M . M . M . M . M . M . M . \\ . \\ . a . a . a . a . a . a . a . a . o . o . r . r . r . s . s . s . t . t . w . w . w . w . w . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
          Data Raw:06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2f 00 2f 00 2f 00 2f 00 2f 00 2f 00 35 00 35 00 35 00 3d 00 3d 00 3d 00 3d 00 3d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 5c 00 5c 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 6f 00 6f 00 72 00 72 00 72 00 73 00 73 00 73 00 74 00 74 00 77 00
          General
          Stream Path:_StringData (decoded MSI table stream; raw: \x18496\x16191\x17783\x17516\x15210\x17892\x18468)
          File Type:ISO-8859 text, with very long lines, with no line terminators
          Stream Size:8555
          Entropy:5.07763841758
          Base64 Encoded:True
          Data ASCII:N a m e T a b l e T y p e C o l u m n _ V a l i d a t i o n V a l u e N P r o p e r t y I d _ S u m m a r y I n f o r m a t i o n D e s c r i p t i o n S e t C a t e g o r y K e y C o l u m n M a x V a l u e N u l l a b l e K e y T a b l e M i n V a l u e I d e n t i f i e r N a m e o f t a b l e N a m e o f c o l u m n Y ; N W h e t h e r t h e c o l u m n i s n u l l a b l e Y M i n i m u m v a l u e a l l o w e d M a x i m u m v a l u e a l l o w e d F o r f o r e i g n k e y
          Data Raw:4e 61 6d 65 54 61 62 6c 65 54 79 70 65 43 6f 6c 75 6d 6e 5f 56 61 6c 69 64 61 74 69 6f 6e 56 61 6c 75 65 4e 50 72 6f 70 65 72 74 79 49 64 5f 53 75 6d 6d 61 72 79 49 6e 66 6f 72 6d 61 74 69 6f 6e 44 65 73 63 72 69 70 74 69 6f 6e 53 65 74 43 61 74 65 67 6f 72 79 4b 65 79 43 6f 6c 75 6d 6e 4d 61 78 56 61 6c 75 65 4e 75 6c 6c 61 62 6c 65 4b 65 79 54 61 62 6c 65 4d 69 6e 56 61 6c 75 65
          General
          Stream Path:_StringPool (decoded MSI table stream; raw: \x18496\x16191\x17783\x17516\x15978\x17586\x18479)
          File Type:data
          Stream Size:1216
          Entropy:3.08768728885
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . . . . . . . . . 6 . . . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B . . . . . . . . . . . . . . . o . . . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . ; . . . . . . . . . . . > . . . . . . . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . . . . . . . . . S . . . ^ . . .
          Data Raw:00 00 00 00 04 00 06 00 05 00 02 00 00 00 00 00 04 00 02 00 06 00 02 00 0b 00 15 00 05 00 05 00 01 00 2c 00 0a 00 01 00 13 00 02 00 0b 00 06 00 03 00 02 00 08 00 02 00 09 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 08 00 02 00 0a 00 19 00 0d 00 01 00 0e 00 01 00 03 00 01 00 1e 00 01 00 01 00 2a 00 15 00 01 00 15 00 01 00 36 00 01 00 24 00 01 00 f5 00 01 00 0f 00 01 00 04 00 09 00
          General
          Stream Path:_Tables (decoded MSI table stream; raw: \x18496\x16255\x16740\x16943\x18486)
          File Type:data
          Stream Size:38
          Entropy:3.12396375672
          Base64 Encoded:False
          Data ASCII:. . " . ) . * . + . / . 5 . = . M . \\ . a . o . r . s . t . w . . . . . . .
          Data Raw:06 00 22 00 29 00 2a 00 2b 00 2f 00 35 00 3d 00 4d 00 5c 00 61 00 6f 00 72 00 73 00 74 00 77 00 82 00 86 00 90 00
          General
          Stream Path:_Validation (decoded MSI table stream; raw: \x18496\x16383\x17380\x16876\x17892\x17580\x18481)
          File Type:data
          Stream Size:2064
          Entropy:2.38126922111
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . " . " . " . ) . ) . ) . * . * . * . + . + . / . / . / . / . / . / . 5 . 5 . 5 . = . = . = . = . = . M . M . M . M . M . M . M . M . \\ . \\ . a . a . a . a . a . a . a . a . o . o . r . r . r . s . s . s . t . t . w . w . w . w . w . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . % . ' . # . % . ' . # . % . ' . . . - . % . / . 1 . 4 . 7 . : . 5 . I . K . . . # . @ . C . F . . . 4 . 7 . M . O .
          Data Raw:06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 06 00 0a 00 0a 00 22 00 22 00 22 00 29 00 29 00 29 00 2a 00 2a 00 2a 00 2b 00 2b 00 2f 00 2f 00 2f 00 2f 00 2f 00 2f 00 35 00 35 00 35 00 3d 00 3d 00 3d 00 3d 00 3d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 4d 00 5c 00 5c 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 6f 00 6f 00 72 00 72 00 72 00 73 00 73 00 73 00 74 00
          General
          Stream Path:LaunchCondition (decoded MSI table stream; raw: \x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481)
          File Type:data
          Stream Size:4
          Entropy:1.5
          Base64 Encoded:False
          Data ASCII:. . . .
          Data Raw:e1 00 e2 00
          General
          Stream Path:AdminExecuteSequence (decoded MSI table stream; raw: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934)
          File Type:data
          Stream Size:48
          Entropy:3.06842109407
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . < . . . . .
          Data Raw:9d 00 9e 00 9f 00 a0 00 a1 00 a2 00 a3 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 78 85 dc 85 3c 8f a0 8f c8 99
          General
          Stream Path:AdminUISequence (decoded MSI table stream; raw: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472)
          File Type:data
          Stream Size:24
          Entropy:2.59436093777
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . .
          Data Raw:9d 00 9e 00 9f 00 a5 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 14 85
          General
          Stream Path:AdvtExecuteSequence (decoded MSI table stream; raw: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472)
          File Type:data
          Stream Size:42
          Entropy:2.9135675273
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . .
          Data Raw:9d 00 9f 00 a0 00 a1 00 a4 00 a6 00 a7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 e8 83 78 85 dc 85 c8 99 9c 98 00 99
          General
          Stream Path:FeatureComponents (decoded MSI table stream; raw: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486)
          File Type:data
          Stream Size:4
          Entropy:1.5
          Base64 Encoded:False
          Data ASCII:. . . .
          Data Raw:cc 00 aa 00
          General
          Stream Path:Feature (decoded MSI table stream; raw: \x18496\x16911\x17892\x17784\x18472)
          File Type:386 compact demand paged pure executable
          Stream Size:16
          Entropy:1.9197367178
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . .
          Data Raw:cc 00 00 00 cd 00 00 00 02 80 01 80 00 00 00 80
          General
          Stream Path:Media (decoded MSI table stream; raw: \x18496\x16918\x17191\x18468)
          File Type:MIPSEB Ucode
          Stream Size:14
          Entropy:0.946372935985
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . .
          Data Raw:01 80 00 00 00 80 00 00 00 00 00 00 00 00
          General
          Stream Path:Registry (decoded MSI table stream; raw: \x18496\x16923\x17194\x17910\x18229)
          File Type:data
          Stream Size:60
          Entropy:3.52924126798
          Base64 Encoded:False
          Data ASCII:. . . . " . % . ( . . . . . . . . . . . . . . . . . . . . . . . . # . & . ) . . . ! . $ . ' . * . . . . . . . . . . .
          Data Raw:ad 00 1f 01 22 01 25 01 28 01 ff 7f ff 7f ff 7f ff 7f ff 7f 1c 01 1c 01 1c 01 1c 01 1c 01 1d 01 20 01 23 01 26 01 29 01 1e 01 21 01 24 01 27 01 2a 01 aa 00 aa 00 aa 00 aa 00 aa 00
          General
          Stream Path:Binary (decoded MSI table stream; raw: \x18496\x17163\x16689\x18229)
          File Type:data
          Stream Size:8
          Entropy:1.75
          Base64 Encoded:False
          Data ASCII:. . . . . . . .
          Data Raw:a8 00 a9 00 01 00 01 00
          General
          Stream Path:Directory (decoded MSI table stream; raw: \x18496\x17165\x16949\x17894\x17778\x18492)
          File Type:data
          Stream Size:18
          Entropy:2.10218717095
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . .
          Data Raw:ac 00 c7 00 c9 00 c7 00 c9 00 00 00 c8 00 ca 00 cb 00
          General
          Stream Path:InstallExecuteSequence (decoded MSI table stream; raw: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934)
          File Type:data
          Stream Size:216
          Entropy:4.29485555194
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . d . . . . . @ . . . ( . . . p . . . ! . y . . .
          Data Raw:9d 00 9e 00 9f 00 a0 00 a1 00 a3 00 a4 00 a6 00 a7 00 ae 00 b0 00 b1 00 b4 00 b6 00 b7 00 b9 00 ba 00 bb 00 bd 00 bf 00 c0 00 c2 00 c3 00 cf 00 d0 00 d1 00 d2 00 d3 00 d4 00 d5 00 d6 00 d7 00 d8 00 d9 00 db 00 df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 dc 00 dc 00 dc 00 de 00 de 00 de 00 de 00 de 00 da 00 dd 00 dd 00 dd 00 dd 00 dd 00 00 00 00 00 00 00 00 00 00 00
          General
          Stream Path:InstallUISequence (decoded MSI table stream; raw: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472)
          File Type:data
          Stream Size:48
          Entropy:3.11008776073
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . d . . . . .
          Data Raw:9d 00 9e 00 9f 00 a5 00 cf 00 d0 00 d1 00 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 83 84 83 e8 83 14 85 19 80 64 80 bc 82 b0 84
          General
          Stream Path:Component (decoded MSI table stream; raw: \x18496\x17548\x17648\x17522\x17512\x18487)
          File Type:Dyalog APL aplcore version 171.0
          Stream Size:12
          Entropy:2.29248125036
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . .
          Data Raw:aa 00 ab 00 ac 00 04 81 00 00 ad 00
          General
          Stream Path:Upgrade (decoded MSI table stream; raw: \x18496\x17630\x17770\x16868\x18472)
          File Type:data
          Stream Size:32
          Entropy:2.1983911108
          Base64 Encoded:False
          Data ASCII:/ . / . . . - . - . . . . . . . . . . . . . . . . . . . . . . .
          Data Raw:2f 01 2f 01 00 00 2d 01 2d 01 00 00 00 00 00 00 01 00 00 80 02 00 00 80 00 00 00 00 19 01 18 01
          General
          Stream Path:Property (decoded MSI table stream; raw: \x18496\x17753\x17650\x17768\x18231)
          File Type:data
          Stream Size:80
          Entropy:3.89623018849
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . / . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . .
          Data Raw:91 00 e3 00 e5 00 e6 00 f1 00 f3 00 f6 00 f7 00 f9 00 fb 00 fd 00 ff 00 01 01 03 01 10 01 11 01 13 01 15 01 17 01 1a 01 2f 01 e4 00 e4 00 e4 00 02 01 f4 00 f0 00 f8 00 fa 00 fc 00 fe 00 00 01 02 01 02 01 2e 01 12 01 14 01 16 01 2d 01 1b 01
          General
          Stream Path:CustomAction (decoded MSI table stream; raw: \x18496\x17932\x17910\x17458\x16778\x17207\x17522)
          File Type:data
          Stream Size:180
          Entropy:2.77261833239
          Base64 Encoded:False
          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 . . . . . 3 . . . 3 . . . . . . . 3 . . . 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
          Data Raw:ae 00 b0 00 b1 00 b4 00 b6 00 b7 00 b9 00 ba 00 bb 00 bd 00 bf 00 c0 00 c2 00 c3 00 c5 00 01 80 33 80 01 80 01 80 33 80 01 8c 33 80 01 8c 01 80 01 80 33 80 01 8c 33 80 01 84 01 80 a9 00 b1 00 a9 00 a9 00 b7 00 a9 00 ba 00 a9 00 a9 00 a9 00 c0 00 a9 00 c3 00 a9 00 a9 00 af 00 b2 00 b3 00 b5 00 b2 00 b8 00 b2 00 b3 00 bc 00 be 00 b2 00 c1 00 b2 00 c4 00 c6 00 00 00 00 00 00 00 00 00
          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
          01/29/22-00:11:56.214088 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 62389 | 8.8.8.8 | 192.168.2.4
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Jan 29, 2022 00:11:56.219197989 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:11:56.417572021 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:11:56.418525934 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:11:57.600756884 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:11:57.966366053 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:11:57.966490030 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:11:58.366198063 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:12:02.634665012 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:12:02.637063026 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:12:02.980595112 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:12:03.211981058 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:12:03.480596066 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:12:11.634632111 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:12:11.980432034 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:12:19.760725021 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:12:20.168732882 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:12:20.777785063 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:12:20.780415058 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:12:21.172262907 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:12:36.795154095 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:12:37.167376041 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:12:38.889597893 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:12:38.890038967 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:12:39.168204069 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:12:45.340825081 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:12:45.666985989 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:12:53.466917038 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:12:53.879239082 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:12:56.972980976 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:12:56.973484993 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:12:57.270128012 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:13:09.939162970 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:13:10.182445049 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:13:15.037537098 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:13:15.038743019 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:13:15.365333080 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Jan 29, 2022 00:13:18.064316988 CET | 49775 | 1900 | 192.168.2.4 | 66.154.111.162
          Jan 29, 2022 00:13:18.365268946 CET | 1900 | 49775 | 66.154.111.162 | 192.168.2.4
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Jan 29, 2022 00:11:56.106125116 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
          Jan 29, 2022 00:11:56.214087963 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
          Jan 29, 2022 00:11:56.106125116 CET | 192.168.2.4 | 8.8.8.8 | 0x7081 | Standard query (0) | njlove.duckdns.org | A (IP address) | IN (0x0001)
          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
          Jan 29, 2022 00:11:56.214087963 CET | 8.8.8.8 | 192.168.2.4 | 0x7081 | No error (0) | njlove.duckdns.org | | 66.154.111.162 | A (IP address) | IN (0x0001)


          Target ID:0
          Start time:00:11:19
          Start date:29/01/2022
          Path:C:\Windows\System32\msiexec.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.MSIL.Kryptik.AECS.24576.msi"
          Imagebase:0x7ff777c90000
          File size:66048 bytes
          MD5 hash:4767B71A318E201188A0D0A420C8B608
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:2
          Start time:00:11:19
          Start date:29/01/2022
          Path:C:\Windows\System32\msiexec.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\msiexec.exe /V
          Imagebase:0x7ff777c90000
          File size:66048 bytes
          MD5 hash:4767B71A318E201188A0D0A420C8B608
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:5
          Start time:00:11:21
          Start date:29/01/2022
          Path:C:\Windows\SysWOW64\msiexec.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 8427D5518DE818285DF2E5650B3C2701
          Imagebase:0x200000
          File size:59904 bytes
          MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:6
          Start time:00:11:26
          Start date:29/01/2022
          Path:C:\Windows\SysWOW64\icacls.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
          Imagebase:0x1220000
          File size:29696 bytes
          MD5 hash:FF0D1D4317A44C951240FAE75075D501
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:8
          Start time:00:11:26
          Start date:29/01/2022
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:9
          Start time:00:11:27
          Start date:29/01/2022
          Path:C:\Windows\SysWOW64\expand.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
          Imagebase:0xd70000
          File size:52736 bytes
          MD5 hash:8F8C20238C1194A428021AC62257436D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          Target ID:10
          Start time:00:11:28
          Start date:29/01/2022
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:11
          Start time:00:11:31
          Start date:29/01/2022
          Path:C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files\server.exe"
          Imagebase:0xeb0000
          File size:669696 bytes
          MD5 hash:CD4D919B4FC88C9D6F03C864A181E40F
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.721799355.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.721299654.00000000045A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: njrat1, Description: Identify njRat, Source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
          • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000B.00000002.720255310.0000000003695000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.721129681.0000000004371000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.721342787.0000000004613000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: INDICATOR_SUSPICIOUS_DisableWinDefender, Description: Detects executables containing artifcats associated with disabling Widnows Defender, Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD, Description: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF, Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
          • Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
          • Rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste, Description: Detects executables potentially checking for WinJail sandbox window, Source: 0000000B.00000002.721704181.0000000005720000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
          • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: njrat1, Description: Identify njRat, Source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
          • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000B.00000002.717043543.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:low

          Target ID:12
          Start time:00:11:39
          Start date:29/01/2022
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
          Imagebase:0x1f195890000
          File size:42080 bytes
          MD5 hash:11D8A500C4C0FBAF20EBDB8CDF6EA452
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          Target ID:13
          Start time:00:11:39
          Start date:29/01/2022
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          Imagebase:0x2d0000
          File size:41064 bytes
          MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          Target ID:14
          Start time:00:11:40
          Start date:29/01/2022
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
          Imagebase:0x24a101b0000
          File size:42080 bytes
          MD5 hash:11D8A500C4C0FBAF20EBDB8CDF6EA452
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          Target ID:15
          Start time:00:11:41
          Start date:29/01/2022
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Imagebase:0x9a0000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: njrat1, Description: Identify njRat, Source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
          • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000F.00000000.709022701.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: njrat1, Description: Identify njRat, Source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
          • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000F.00000000.708532058.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: njrat1, Description: Identify njRat, Source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
          • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000F.00000000.709256674.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: njrat1, Description: Identify njRat, Source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
          • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000F.00000000.708790888.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000F.00000002.927280027.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: njrat1, Description: Identify njRat, Source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
          • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000F.00000002.926559345.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:high

          Target ID:18
          Start time:00:11:48
          Start date:29/01/2022
          Path:C:\Windows\SysWOW64\icacls.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          Imagebase:0x1220000
          File size:29696 bytes
          MD5 hash:FF0D1D4317A44C951240FAE75075D501
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:19
          Start time:00:11:49
          Start date:29/01/2022
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:20
          Start time:00:11:51
          Start date:29/01/2022
          Path:C:\Windows\SysWOW64\netsh.exe
          Wow64 process (32bit):true
          Commandline:netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE
          Imagebase:0x9f0000
          File size:82944 bytes
          MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:21
          Start time:00:11:52
          Start date:29/01/2022
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:22
          Start time:00:11:55
          Start date:29/01/2022
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\files"
          Imagebase:0x11d0000
          File size:232960 bytes
          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:23
          Start time:00:11:56
          Start date:29/01/2022
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:24
          Start time:00:12:03
          Start date:29/01/2022
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
          Imagebase:0xdf0000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET

          Target ID:25
          Start time:00:12:03
          Start date:29/01/2022
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:26
          Start time:00:12:06
          Start date:29/01/2022
          Path:C:\Windows\System32\msdtc.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\System32\msdtc.exe
          Imagebase:0x7ff739d10000
          File size:148480 bytes
          MD5 hash:9A94F32C1DC90A7E5A35D0F820A8FB1D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language

          Target ID:28
          Start time:00:12:11
          Start date:29/01/2022
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
          Imagebase:0x6c0000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET

          Target ID:29
          Start time:00:12:13
          Start date:29/01/2022
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:30
          Start time:00:12:19
          Start date:29/01/2022
          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
          Imagebase:0xa40000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET

          Target ID:31
          Start time:00:12:20
          Start date:29/01/2022
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff724c50000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
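Three command lines in the process entries above are the ones a detection engineer would turn into rules: netsh adding a firewall exception for RegSvcs.exe (Target 20), RegSvcs.exe started three times with nothing but ".." as its argument (Targets 24, 28 and 30), and icacls dropping the integrity level of the installer's temp directory (Target 18). The Python below is an added example and not part of the Joe Sandbox report: it parses the report's Key:Value blocks, applies those rules per process, and then correlates the program whitelisted by netsh with the later launch of that same program without an assembly. The rule names, the DOTNET_HOSTS list and the helper names are assumptions of this example; the sample input is constructed in the report's layout from the entries shown above.

```python
import re

# Constructed excerpt, in the report's own "Key:Value" layout, of the
# process entries shown above (Targets 18, 20, 24 and 26). Field names
# and values are copied from the report; blocks are separated by a blank line.
REPORT_EXCERPT = r"""
Target ID:18
Path:C:\Windows\SysWOW64\icacls.exe
Commandline:"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-71322570-7008-46b5-bb73-77098af1b752\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Has administrator privileges:true

Target ID:20
Path:C:\Windows\SysWOW64\netsh.exe
Commandline:netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE
Has administrator privileges:true

Target ID:24
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" ..
Has administrator privileges:true

Target ID:26
Path:C:\Windows\System32\msdtc.exe
Commandline:C:\Windows\System32\msdtc.exe
Has administrator privileges:false
"""

# .NET utilities that are commonly started only to be hollowed out; a
# legitimate invocation passes them an assembly or project file (assumed list).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
ASSEMBLY_ARG = re.compile(r"\.(dll|exe|csproj|vbproj|proj|xml)\b", re.I)
FIREWALL_ALLOW = re.compile(
    r"^(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b", re.I)
ALLOWED_PROGRAM = re.compile(r'allowedprogram\s+"?([^"\s]+)"?', re.I)
LOW_INTEGRITY = re.compile(r"/setintegritylevel\s+\S*low\b", re.I)


def parse_targets(text):
    """Split the report text into one dict per 'Target ID' block."""
    targets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only: values contain C:\
            fields[key.strip()] = value.strip()
        if "Target ID" in fields:
            targets.append(fields)
    return targets


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def split_args(cmdline):
    """Return everything after the (possibly quoted) image path."""
    m = re.match(r'\s*(?:"[^"]+"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else ""


def classify(target):
    """Per-process indicators; 'info:' entries are context, not verdicts."""
    image = basename(target.get("Path", ""))
    args = split_args(target.get("Commandline", ""))
    hits = []
    if image == "netsh.exe" and FIREWALL_ALLOW.search(args):
        hits.append("firewall_allow_program")
    if image in DOTNET_HOSTS and not ASSEMBLY_ARG.search(args):
        hits.append("dotnet_host_without_assembly_argument")
    if image == "icacls.exe" and LOW_INTEGRITY.search(args):
        hits.append("info:low_integrity_on_installer_temp_dir")
    return hits


def triage(text):
    """Map Target ID -> indicators, adding a correlation when the program
    whitelisted by netsh is itself later started without an assembly."""
    targets = parse_targets(text)
    findings = {t["Target ID"]: classify(t) for t in targets}
    allowed = set()
    for t in targets:
        m = ALLOWED_PROGRAM.search(split_args(t.get("Commandline", "")))
        if m:
            allowed.add(basename(m.group(1)))
    for t in targets:
        tid = t["Target ID"]
        if basename(t.get("Path", "")) in allowed and \
                "dotnet_host_without_assembly_argument" in findings[tid]:
            findings[tid].append("correlated:firewall_exception_then_empty_dotnet_host")
    return {tid: hits for tid, hits in findings.items() if hits}


if __name__ == "__main__":
    for tid, hits in triage(REPORT_EXCERPT).items():
        print(f"Target {tid}: {', '.join(hits)}")
```

The icacls entry is reported as info only: setting a LOW integrity level on a temp directory is ordinary installer housekeeping, and a rule that alerts on it alone will be noisy. The combination that carries weight here is the netsh exception for a .NET utility followed by that utility starting with no assembly to register, which is why the correlation is attached to the RegSvcs.exe entry rather than to the netsh one.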


            Execution Graph

            Execution Coverage:14.5%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:11%
            Total number of Nodes:155
            Total number of Limit Nodes:6
            execution_graph (rendered figure; the node and edge list is omitted). Four entry points are visible. The root at 6b93ec8 in the 06B90000 region reaches, through the function at 6b961cb, the API nodes CreateProcessA (6b9a037/6b9a040), VirtualAllocEx (6b9a728/6b9a768), WriteProcessMemory (6b9a57a/6b9a580), SetThreadContext (6b9a3c0/6b9a3c8) and ResumeThread (6b9a7e8/6b9a828). The root at 6b90d21 reaches SetKernelObjectSecurity (6b91d68). The root at 6b92d51 reaches VirtualProtect (1662a08). The root at 1660468 in the 01660000 region reaches LoadLibraryA (16629f0/1666412) and VirtualProtect (1662a08/1666638).
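The execution graph is the part of this report that explains the "injects a PE file into a foreign process" verdicts: from one entry point in the 06B90000 region the call tree reaches CreateProcessA, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread, the API set used to start a host process, overwrite its memory and redirect its initial thread. The Python below is an added example and not code from the report or from the sample: it parses the execution_graph text format used on this page (a node is "<id> <hex address>" followed by label tokens, an edge is "<id>-><id>") and reports every entry point whose call tree covers that whole API set. The sample input is constructed in the page's layout from nodes and labels appearing in the graph above, with intermediate hops removed so that several edges are shortcuts; the function names and the HOLLOWING set are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the report's execution_graph layout: node ids,
# addresses, API labels and edges are taken from the graph above, but
# intermediate hops have been removed, so several edges are shortcuts.
GRAPH_EXCERPT = (
    "execution_graph 13833 6b93ec8 13834 6b93ee8 13833->13834 13836 6b94050 13833->13836 "
    "13837 6b94033 13836->13837 13841 6b96018 13837->13841 13845 6b96028 13837->13845 "
    "13847 6b96059 10 API calls 13845->13847 13849 6b96059 13841->13849 "
    "13850 6b9607e 13849->13850 13857 6b961cb 13850->13857 "
    "13876 6b98204 13857->13876 13880 6b96aa3 13857->13880 13903 6b97875 13857->13903 "
    "13907 6b976d3 13857->13907 13916 6b97a51 13857->13916 "
    "13881 6b96a4c 13880->13881 13883 6b9a040 CreateProcessA 13881->13883 "
    "13933 6b9a728 13876->13933 13934 6b9a768 VirtualAllocEx 13933->13934 "
    "13905 6b9a57a WriteProcessMemory 13903->13905 "
    "13918 6b9a3c8 SetThreadContext 13916->13918 "
    "13957 6b9a7e8 13907->13957 13958 6b9a828 ResumeThread 13957->13958 "
    "13801 6b90d21 13805 6b91257 13801->13805 13817 6b91d18 13805->13817 "
    "13818 6b91d68 SetKernelObjectSecurity 13817->13818 "
    "13753 1660468 13758 1660490 13753->13758 13793 16629f0 13758->13793 "
    "13794 1666412 LoadLibraryA 13793->13794 13828 1662a08 VirtualProtect 13758->13828"
)

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]{6,8}$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]{3,}$")  # skips '10', 'API', 'calls'

# Assumed signature: the API set of the remote-process injection chain.
HOLLOWING = {"CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
             "SetThreadContext", "ResumeThread"}


def parse_execution_graph(text):
    """Tokenise the graph text into nodes {id: {addr, labels}} and edges {src: {dst}}.
    A node is '<id> <hexaddr>' followed by label tokens up to the next node
    or edge; an edge is '<id>-><id>'."""
    tokens = text.split()
    nodes, edges, current = {}, defaultdict(set), None
    i = 1 if tokens and tokens[0] == "execution_graph" else 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges[m.group(1)].add(m.group(2))
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "labels": []}
            i += 2
        else:
            if current is not None:
                nodes[current]["labels"].append(tok)
            i += 1
    return nodes, dict(edges)


def api_labels(labels):
    return {label for label in labels if API_NAME.match(label)}


def reachable_apis(nodes, edges, start):
    """APIs on every node reachable from start (DFS over call edges)."""
    seen, stack, apis = set(), [start], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        apis |= api_labels(nodes.get(n, {"labels": []})["labels"])
        stack.extend(edges.get(n, ()))
    return apis


def find_injection_roots(text):
    """Entry points (nodes with no incoming edge) whose call tree covers the
    whole HOLLOWING set; returns {root address: sorted APIs reached}."""
    nodes, edges = parse_execution_graph(text)
    targets = {dst for dsts in edges.values() for dst in dsts}
    hits = {}
    for nid, node in nodes.items():
        if nid in targets:
            continue
        apis = reachable_apis(nodes, edges, nid)
        if HOLLOWING <= apis:
            hits[node["addr"]] = sorted(apis)
    return hits


if __name__ == "__main__":
    for addr, apis in find_injection_roots(GRAPH_EXCERPT).items():
        print(f"root {addr}: {', '.join(apis)}")
```

The check is set coverage, not order: an execution graph is a call graph, so it shows which APIs a function can reach but not the sequence in which they ran. To confirm that CreateProcessA preceded WriteProcessMemory on the suspended child, read the API-call trace of the RegSvcs.exe launcher process rather than this graph.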

            Control-flow Graph

            control_flow_graph (rendered figure; the basic-block list is omitted): function at 1661008, last block 1661a09-1661a1b, with calls to 1661a70/1661a80 from block 166116d and to 1661dd0/1661de0/1661f2e from block 16614fd.
            Strings
            Memory Dump Source
            • Source File: 0000000B.00000002.716787431.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_1660000_server.jbxd
            Similarity
            • API ID:
            • String ID: Xczl$Xczl$Xczl$Xczl$Xczl$Xczl$]$d wl
            • API String ID: 0-1249909703
            • Opcode ID: 26134825306571bb7921546b0fbe924840765a9dceb55bdf28dbbdb6b0420e92
            • Instruction ID: 95851f940d1cad0cfe32c217b403429e5c6f01f068b72f6955234ee2c2aeb200
            • Opcode Fuzzy Hash: 26134825306571bb7921546b0fbe924840765a9dceb55bdf28dbbdb6b0420e92
            • Instruction Fuzzy Hash: 01028F34B00118CFDB25DF68C954BAE77B6AFC6315F1580A9D90AAB395CB31DC81CB91
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID: `~vl$Izl
            • API String ID: 0-2564696654
            • Opcode ID: 5a2150b2e808e7feb19e105f141cc5e7b08a60ef54a98c210225176f17efd1e2
            • Instruction ID: a9aa66241dab3d8b330e1fa1a105ba7be9e861da308ef94e2b675db97f3342c0
            • Opcode Fuzzy Hash: 5a2150b2e808e7feb19e105f141cc5e7b08a60ef54a98c210225176f17efd1e2
            • Instruction Fuzzy Hash: FD811876F051158FDB18CE69DC512ADB6F3ABC9210F19917AE106EB790DE38CC068B80
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID: 01)
            • API String ID: 0-2050922466
            • Opcode ID: 19e2404542c64192d0fd090e6346cfa8ca59c62cd6e5c89ba399e4c7e72163f2
            • Instruction ID: a584a6c1f834187ab4b810b8a505c6b0ca6106c1c32bbda7e9b02a25c628b986
            • Opcode Fuzzy Hash: 19e2404542c64192d0fd090e6346cfa8ca59c62cd6e5c89ba399e4c7e72163f2
            • Instruction Fuzzy Hash: 5C515A72F552258FCB44CBA8CD526EE7BF6AB8832071955A6E405FF350DA38CC028BD1
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID: N]%c
            • API String ID: 0-44281332
            • Opcode ID: e181f263f3e3ef929f6b3b4452978797803c4cbf03d19dd11d6cfa08be90256c
            • Instruction ID: a67b38df63d6ed22e4a4db2064dfa9798ca9dd59e0c5a96af90ca9f5488a836f
            • Opcode Fuzzy Hash: e181f263f3e3ef929f6b3b4452978797803c4cbf03d19dd11d6cfa08be90256c
            • Instruction Fuzzy Hash: 69515937F541348BEB58857CCC962AAA9E7A7D866470A517BE903DB384DD74CC0343D0
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID: 01)
            • API String ID: 0-2050922466
            • Opcode ID: d615de2344bc3be31b591423e0ce346a1a6d94045023ba536394c916d8324d62
            • Instruction ID: 48e743bfcfcb86864989f92b7943bbb4ad16fc2a75cb2a898cacc062dcda2013
            • Opcode Fuzzy Hash: d615de2344bc3be31b591423e0ce346a1a6d94045023ba536394c916d8324d62
            • Instruction Fuzzy Hash: BE511C72F512258F9B54CFA9CC916EEB6F6AB8C320715556AD415FB340DB38CC028BE1
            Uniqueness

            Uniqueness Score: -1.00%

            Strings
            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID: 01)
            • API String ID: 0-2050922466
            • Opcode ID: a8fe41a4939ad67bcf5b68f2c45193e23824b5fe96329dd05b43662411132e75
            • Instruction ID: 48f41239e61108043a814bc3a3209d0bb7d2a99bd73d9579e49667aadc5fa4d9
            • Opcode Fuzzy Hash: a8fe41a4939ad67bcf5b68f2c45193e23824b5fe96329dd05b43662411132e75
            • Instruction Fuzzy Hash: 5B512972F502258F8B54CFA9CC926EEB6F6AB8C320715556AD415FB340DB38CC028BE0
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.716787431.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_1660000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 76a468fd055119712d5a6da7072013ad11e6522f095dabdb9a5dfb7327567d5d
            • Instruction ID: 04dcf1bba9b7687a5bcf8f61dbdcd008a612534ea819c4017d520c9ff7028294
            • Opcode Fuzzy Hash: 76a468fd055119712d5a6da7072013ad11e6522f095dabdb9a5dfb7327567d5d
            • Instruction Fuzzy Hash: 6C52B035B001158FCB15DF68C8A8AADBBBABF88314F15806DE906DB364CB31EC41CB91
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.716787431.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_1660000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 54d22b664731e3e03e80acad04580c991b8e59fcd56cc19317f78c4e73a8c07d
            • Instruction ID: 3414f25ad8fd4625b00e94221c6a665a4b16064baf8e47bd2dce2291910afaff
            • Opcode Fuzzy Hash: 54d22b664731e3e03e80acad04580c991b8e59fcd56cc19317f78c4e73a8c07d
            • Instruction Fuzzy Hash: 4142EC74A012198FCB65DF64C998AEDB7B2BF89304F1181E9D509AB394CF31AE81CF51
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.716787431.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_1660000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fa66b070f7e6825de71eae20fe6c73ad530285579efe6df0d6f2779dda058ffa
            • Instruction ID: d941b97219bec2fcfc981ef65cea34cf9820a01efbe94cff618884a48b2abaf6
            • Opcode Fuzzy Hash: fa66b070f7e6825de71eae20fe6c73ad530285579efe6df0d6f2779dda058ffa
            • Instruction Fuzzy Hash: AE2207756001149FCB45DFA8C948E69BBB6FF8D314B1680A8E60A9F372CB32EC51DB51
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.716787431.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_1660000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 95afa8642a0b25dd94f1ba5024f9d9eb29d07cc4255a5aa53e0aeb838606081b
            • Instruction ID: d03995e3e5a50bf886abab37989c35dff3c6c2b1a6517fc12ea31a35bf253e01
            • Opcode Fuzzy Hash: 95afa8642a0b25dd94f1ba5024f9d9eb29d07cc4255a5aa53e0aeb838606081b
            • Instruction Fuzzy Hash: FD225A74A10609CFCB15CF68C988AAEBBFAFF88310B158568D546A7755DB30F841CF94
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.716787431.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_1660000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1f2697b82b5cfd25627a992a3c37c6e3e4d5e7b2fb7c3b3f13d77e19a81d94f3
            • Instruction ID: e900231c2177f676351c87632335a44227660f7a6aa8b26662113e079f8eed13
            • Opcode Fuzzy Hash: 1f2697b82b5cfd25627a992a3c37c6e3e4d5e7b2fb7c3b3f13d77e19a81d94f3
            • Instruction Fuzzy Hash: 8BC1E875F10225CBD708DA6DCD512AE79EB9BC8315B19D53AE906FB354EE78CC024B80
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.716787431.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_1660000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 22b99d916c611c837d65fad50b252075c95ed40ac97f89b7d7a71f57fffd72b5
            • Instruction ID: 6d26e509aa2d790ccad7e859fa1fbdf2415852854df8eaf4195a8b2d008f9664
            • Opcode Fuzzy Hash: 22b99d916c611c837d65fad50b252075c95ed40ac97f89b7d7a71f57fffd72b5
            • Instruction Fuzzy Hash: F1C1E775F10225CBD708DA6DCC512AE79E79BC8315B19D52AE906FB354EE78CC024B80
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 74234598f9e476ced12396bb25ca7c94e3fa031a01ee28c9a87c9fa8d59a9fb7
            • Instruction ID: 8e047ecd4deda000debfc98466f0519389c4e9ba419e4de4638c4ac4e86fd3b1
            • Opcode Fuzzy Hash: 74234598f9e476ced12396bb25ca7c94e3fa031a01ee28c9a87c9fa8d59a9fb7
            • Instruction Fuzzy Hash: 24815AF5B142218FEF8899A4D85536A3693EBC9214F1C947EE507DB384DA79CC02C7D2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1b95291cacaa152ef01463c63aff0f89a5c63268e30ec34d6749b664f50c65b1
            • Instruction ID: 60e0ab21e5cecbd7d74519bf5277b9356be8f6c04e154b6b0aa7d907558ee552
            • Opcode Fuzzy Hash: 1b95291cacaa152ef01463c63aff0f89a5c63268e30ec34d6749b664f50c65b1
            • Instruction Fuzzy Hash: D7812BB5B54214CFDB84CEA9D89966E7AE3ABC8310F18947AE506DB350CF74CC418BD1
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4fc702c5b773c7e50aa5367e92719dfa97ff7cafd7252454cb05772a1400d41e
            • Instruction ID: 1b759d848c2825e49b8cf5d5d2c99c35a0fef6345c47755aaab388196b98f9f6
            • Opcode Fuzzy Hash: 4fc702c5b773c7e50aa5367e92719dfa97ff7cafd7252454cb05772a1400d41e
            • Instruction Fuzzy Hash: DF814AB5F54214CFDB84CEA9D89966E7AE3ABC8310F14847AE506DB350CF34CC418B91
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bbe5e82ee77f87787e44a3e5eb478f29f3ca5cacc1eb8bbac742de0fadce5c01
            • Instruction ID: 966f07b673f85b7d2fa097408ff98aa3bd168e6d0a9c2d4326366814e9470a9a
            • Opcode Fuzzy Hash: bbe5e82ee77f87787e44a3e5eb478f29f3ca5cacc1eb8bbac742de0fadce5c01
            • Instruction Fuzzy Hash: D0816AB4B102258BEF889AA4DC5436E36D3ABC9215F1C947EE503DB384DA78CC02C7D6
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b8a886f4c4f23412729bd04416481eda3a9e43ecd473374c678cdcedaa3e45ab
            • Instruction ID: 10c2c67a1dc0a8d89e83f3849dca1a6385c411c1392f11ff3e78ba6cb323af1e
            • Opcode Fuzzy Hash: b8a886f4c4f23412729bd04416481eda3a9e43ecd473374c678cdcedaa3e45ab
            • Instruction Fuzzy Hash: EA5190B5E102298FDB20CF68CC54799BBBAEB89310F1585E6DA4DE7340DB305E818F91
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f734cb479860003f84703812796bd3c908dc37ae089996c6f77c7b7cc253eaa6
            • Instruction ID: e30a812bd6554cf5c52c34a7624e8851577c10268f218c6c6f89e18a6daa81da
            • Opcode Fuzzy Hash: f734cb479860003f84703812796bd3c908dc37ae089996c6f77c7b7cc253eaa6
            • Instruction Fuzzy Hash: DC417FB6F401698FDB60CF68CD94699B7F6AB48300F1585E6DA0DE7300D7359E828F80
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph (rendered figure; the basic-block list is omitted): function at 6b9a037; the CreateProcessA call sits in block 6b9a1cf-6b9a289, and the function ends in a self-looping block at 6b9a385.
            APIs
            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06B9A276
            Strings
            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID: CreateProcess
            • String ID: 8-i$8-i
            • API String ID: 963392458-2263009324
            • Opcode ID: 41f19aa0057c76e145bdcbf606db57acb1a9e3638b40aeeb23f49e2c3e29b3aa
            • Instruction ID: 51f561798314628d12784e0679c60b6b6fb6d646e8d18a6d92d0e5c2c9c32e70
            • Opcode Fuzzy Hash: 41f19aa0057c76e145bdcbf606db57acb1a9e3638b40aeeb23f49e2c3e29b3aa
            • Instruction Fuzzy Hash: 6EA16DB1D04229DFDF60CFA9C8457DEBBB2FB46314F0485A9D809A7280DB749985CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph (rendered figure; the basic-block list is omitted): function at 6b9a040, same body as the function at 6b9a037; the CreateProcessA call sits in block 6b9a1cf-6b9a289, and the function ends in a self-looping block at 6b9a385.
            APIs
            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06B9A276
            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID: CreateProcess
            • String ID: 8-i$8-i
            • API String ID: 963392458-2263009324
            • Opcode ID: c460e43ae8b07a4f5e00272cd247daae7bf53f6af17301ba4efd3b8920d2995f
            • Instruction ID: 8a733ae34e0275869b4ba3108468f38e68bf9fc37e409f6e75b1334a999afff3
            • Opcode Fuzzy Hash: c460e43ae8b07a4f5e00272cd247daae7bf53f6af17301ba4efd3b8920d2995f
            • Instruction Fuzzy Hash: 47915CB1D04229CFDF60CFA9C8457DEBBB2FB46314F1485A9D809A7280DB749985CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 252 16629f0-16663af 255 1666403-166644f LoadLibraryA 252->255 256 16663b1-16663d6 252->256 259 1666451-1666457 255->259 260 1666458-1666489 255->260 256->255 261 16663d8-16663da 256->261 259->260 266 166648b-166648f 260->266 267 1666499 260->267 263 16663dc-16663e6 261->263 264 16663fd-1666400 261->264 268 16663ea-16663f9 263->268 269 16663e8 263->269 264->255 266->267 271 1666491 266->271 272 166649a 267->272 268->268 270 16663fb 268->270 269->268 270->264 271->267 272->272
            APIs
            • LoadLibraryA.KERNELBASE(?), ref: 0166643F
            Memory Dump Source
            • Source File: 0000000B.00000002.716787431.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_1660000_server.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID: 8-i$8-i
            • API String ID: 1029625771-2263009324
            • Opcode ID: 317c8bdf21f1514704459d59571ebd10fe0bf84a89e28cba5f9bcff3cadaa9d3
            • Instruction ID: 0d084cda56e8c5f62ff2ffda6a416a95436902e45339b28ed275f254395b9185
            • Opcode Fuzzy Hash: 317c8bdf21f1514704459d59571ebd10fe0bf84a89e28cba5f9bcff3cadaa9d3
            • Instruction Fuzzy Hash: EC4148B0E002589FDB10CFA9D88579EFBF5FB48314F14812AE815AB380D774A846CF91
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 273 1666347-16663af 275 1666403-166644f LoadLibraryA 273->275 276 16663b1-16663d6 273->276 279 1666451-1666457 275->279 280 1666458-1666489 275->280 276->275 281 16663d8-16663da 276->281 279->280 286 166648b-166648f 280->286 287 1666499 280->287 283 16663dc-16663e6 281->283 284 16663fd-1666400 281->284 288 16663ea-16663f9 283->288 289 16663e8 283->289 284->275 286->287 291 1666491 286->291 292 166649a 287->292 288->288 290 16663fb 288->290 289->288 290->284 291->287 292->292
            APIs
            • LoadLibraryA.KERNELBASE(?), ref: 0166643F
            Memory Dump Source
            • Source File: 0000000B.00000002.716787431.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_1660000_server.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID: 8-i$8-i
            • API String ID: 1029625771-2263009324
            • Opcode ID: 4a4800ab6513494ca8503341a7fe47a524ea291a9a8eb31c4a7d09e07415c0bf
            • Instruction ID: 70af1debb0696b4185bb48a3528bf1e6770df63b3979eb6107070b67127e8ce1
            • Opcode Fuzzy Hash: 4a4800ab6513494ca8503341a7fe47a524ea291a9a8eb31c4a7d09e07415c0bf
            • Instruction Fuzzy Hash: 384148B0D002588FDB14CFA9D88579EFBF5EB48314F14852AD815AB380D7B49846CF91
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 351 6b9a57a-6b9a5ce 354 6b9a5de-6b9a61d WriteProcessMemory 351->354 355 6b9a5d0-6b9a5dc 351->355 357 6b9a61f-6b9a625 354->357 358 6b9a626-6b9a656 354->358 355->354 357->358
            APIs
            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06B9A610
            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID: MemoryProcessWrite
            • String ID: 8-i
            • API String ID: 3559483778-1874642161
            • Opcode ID: 4af8e548e65da20d458ae6aff0f314dddc63d08a084ea7a2bf0bffa7a89a2253
            • Instruction ID: ae94d8ab4268070a3d460ca467153004d53854a366d40677010d8a8406504832
            • Opcode Fuzzy Hash: 4af8e548e65da20d458ae6aff0f314dddc63d08a084ea7a2bf0bffa7a89a2253
            • Instruction Fuzzy Hash: 342148B19003099FCF10CFA9C884BDEBBF4FF48324F00842AE919A7240CB789955DBA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 362 6b9a580-6b9a5ce 364 6b9a5de-6b9a61d WriteProcessMemory 362->364 365 6b9a5d0-6b9a5dc 362->365 367 6b9a61f-6b9a625 364->367 368 6b9a626-6b9a656 364->368 365->364 367->368
            APIs
            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06B9A610
            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID: MemoryProcessWrite
            • String ID: 8-i
            • API String ID: 3559483778-1874642161
            • Opcode ID: 5ac25c5ac82cffd9c9616e16542a5f471e1e9f53832b62240c7f9aff2144332e
            • Instruction ID: f0ec1044e6266b61646cd6ab98a529bde6d9e999c76fcebfd4d362ceca20abf1
            • Opcode Fuzzy Hash: 5ac25c5ac82cffd9c9616e16542a5f471e1e9f53832b62240c7f9aff2144332e
            • Instruction Fuzzy Hash: F62127B19003599FCF50CFA9C884BDEBBF5FF48324F00842AE959A7240CB789954CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 372 6b9a3c0-6b9a413 375 6b9a423-6b9a453 SetThreadContext 372->375 376 6b9a415-6b9a421 372->376 378 6b9a45c-6b9a48c 375->378 379 6b9a455-6b9a45b 375->379 376->375 379->378
            APIs
            • SetThreadContext.KERNELBASE(?,00000000), ref: 06B9A446
            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID: ContextThread
            • String ID: 8-i
            • API String ID: 1591575202-1874642161
            • Opcode ID: f6a1f9c47a569bc4f5995dbe37fa011b7ade777827f1056390934e7e907844b6
            • Instruction ID: 9b070af497f59be8a4aaba6adf12b3230e90e3ecd1b99e79d984ff9157360727
            • Opcode Fuzzy Hash: f6a1f9c47a569bc4f5995dbe37fa011b7ade777827f1056390934e7e907844b6
            • Instruction Fuzzy Hash: 61216AB1D002098FDB50DFAAC4847EEBBF4EF48224F108429D519A7340CB789945CFA2
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 383 6b91d18-6b91d6e 385 6b91d7e-6b91dab SetKernelObjectSecurity 383->385 386 6b91d70-6b91d7c 383->386 387 6b91dad-6b91db3 385->387 388 6b91db4-6b91ddc 385->388 386->385 387->388
            APIs
            • SetKernelObjectSecurity.KERNELBASE(?,?,00000000), ref: 06B91D9E
            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID: KernelObjectSecurity
            • String ID: 8-i
            • API String ID: 3015937269-1874642161
            • Opcode ID: 7cd9a476d48f5f814771dc718e884bff59c1028e0c5ebcc8831e4328f93817c1
            • Instruction ID: 28a2a9d277b7dc082aa2ee064b416af1279dada2a8d60dd31b2bccf3b9693321
            • Opcode Fuzzy Hash: 7cd9a476d48f5f814771dc718e884bff59c1028e0c5ebcc8831e4328f93817c1
            • Instruction Fuzzy Hash: 642107B2D002098FDB10CF99C585BDEBBF4EF48324F15852AD559A7340D778A945CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 391 6b9a3c8-6b9a413 393 6b9a423-6b9a453 SetThreadContext 391->393 394 6b9a415-6b9a421 391->394 396 6b9a45c-6b9a48c 393->396 397 6b9a455-6b9a45b 393->397 394->393 397->396
            APIs
            • SetThreadContext.KERNELBASE(?,00000000), ref: 06B9A446
            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID: ContextThread
            • String ID: 8-i
            • API String ID: 1591575202-1874642161
            • Opcode ID: 7c8b90065446e89afd3944bfe7c3e6d3ff66ae611e205bf921140f755084443e
            • Instruction ID: 55b59f661cc5740cc66909b4303194e3680c5b0d79bcfb45968814fafda561b8
            • Opcode Fuzzy Hash: 7c8b90065446e89afd3944bfe7c3e6d3ff66ae611e205bf921140f755084443e
            • Instruction Fuzzy Hash: C22138B1D002098FDB50DFAAC4887EEBBF4EF48224F54842AD559A7340CB78A945CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 401 6b91d20-6b91d6e 403 6b91d7e-6b91dab SetKernelObjectSecurity 401->403 404 6b91d70-6b91d7c 401->404 405 6b91dad-6b91db3 403->405 406 6b91db4-6b91ddc 403->406 404->403 405->406
            APIs
            • SetKernelObjectSecurity.KERNELBASE(?,?,00000000), ref: 06B91D9E
            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID: KernelObjectSecurity
            • String ID: 8-i
            • API String ID: 3015937269-1874642161
            • Opcode ID: 956d5676d55e2a5df401a459d1c75f5e08d65157d62eb6d965769a1d519c759a
            • Instruction ID: f0f60806090c85aaebfc4d44b3060c8b897d92b7adaf69d552205282f001d9f7
            • Opcode Fuzzy Hash: 956d5676d55e2a5df401a459d1c75f5e08d65157d62eb6d965769a1d519c759a
            • Instruction Fuzzy Hash: E62115B19002098FDB10CFAAC589BDEBBF4EF88324F14842AD559A7340D778A944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 415 1666630-16666b8 VirtualProtect 418 16666c1-16666e2 415->418 419 16666ba-16666c0 415->419 419->418
            APIs
            • VirtualProtect.KERNELBASE(00000000,00000000,?,?), ref: 016666AB
            Memory Dump Source
            • Source File: 0000000B.00000002.716787431.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_1660000_server.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID: 8-i
            • API String ID: 544645111-1874642161
            • Opcode ID: 28a3ad7c59aaf9c9cdeca19c3c0a826e0b7508e201579912da5cca5e8178c3aa
            • Instruction ID: a1ebc321f49016ac28c58876c5f2c02f553affb17fbfac0a9ef1a72717c17bfc
            • Opcode Fuzzy Hash: 28a3ad7c59aaf9c9cdeca19c3c0a826e0b7508e201579912da5cca5e8178c3aa
            • Instruction Fuzzy Hash: 092129719006199FDB10CF9AD885BDEFBF8FB48320F108429E958A7340D378A945CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 409 1662a08-16666b8 VirtualProtect 412 16666c1-16666e2 409->412 413 16666ba-16666c0 409->413 413->412
            APIs
            • VirtualProtect.KERNELBASE(00000000,00000000,?,?), ref: 016666AB
            Memory Dump Source
            • Source File: 0000000B.00000002.716787431.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_1660000_server.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID: 8-i
            • API String ID: 544645111-1874642161
            • Opcode ID: d76291b631853fda999d2356daea3dae21c82177799171c2129cec68bfc71756
            • Instruction ID: 423152146c2e93b362e4d521d7de96d42551e5c32d2185f67bfc4e2d1d969d96
            • Opcode Fuzzy Hash: d76291b631853fda999d2356daea3dae21c82177799171c2129cec68bfc71756
            • Instruction Fuzzy Hash: E72117719002199FDB10CF9AD884BDEFBF8FB48320F108429E968E7250D374A945CFA2
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 421 6b9a722-6b9a7a3 VirtualAllocEx 425 6b9a7ac-6b9a7d1 421->425 426 6b9a7a5-6b9a7ab 421->426 426->425
            APIs
            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06B9A796
            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID: 8-i
            • API String ID: 4275171209-1874642161
            • Opcode ID: de184ccb208a3fd5ff5fa5762e825c40b3db3861158c6729c781e339da62f931
            • Instruction ID: ba3be7c01da405015dfbcb0adb6b3d8ca8c0b60c9d79bd5b3d161c8a5f9cda58
            • Opcode Fuzzy Hash: de184ccb208a3fd5ff5fa5762e825c40b3db3861158c6729c781e339da62f931
            • Instruction Fuzzy Hash: C01159719002089FCF10DFA9C845BDFBBF5AB88324F108819E515A7250CB359954CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06B9A796
            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID: 8-i
            • API String ID: 4275171209-1874642161
            • Opcode ID: 2da9f53760eb3c99a0d14fd9d89fd0be072da0c01bf92b53bc81fc3f43f6e943
            • Instruction ID: 6ff92ca01f37f6a3e2ad79b688c93ae75c8bc41787eda7c51bf4658d257fd10d
            • Opcode Fuzzy Hash: 2da9f53760eb3c99a0d14fd9d89fd0be072da0c01bf92b53bc81fc3f43f6e943
            • Instruction Fuzzy Hash: 4D1156729002089FCF10DFAAC844BDEBBF5AB88324F10882AD515A7240CB359954CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID: ResumeThread
            • String ID: 8-i
            • API String ID: 947044025-1874642161
            • Opcode ID: fc03e9f09fc82910362aed54cd15c641af174955e11ba4bd01fffc2c83d457dc
            • Instruction ID: 2e9556debd8b26ab15cccbdf3d4232bdceef59b46e41cc1607e14341ea8698ac
            • Opcode Fuzzy Hash: fc03e9f09fc82910362aed54cd15c641af174955e11ba4bd01fffc2c83d457dc
            • Instruction Fuzzy Hash: BA115BB1D002498FDB10DFAAD4497DFFFF8EB88224F148829D555A7240CB74A545CBA5
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID: ResumeThread
            • String ID: 8-i
            • API String ID: 947044025-1874642161
            • Opcode ID: 52a718722026913e732e495dcacb9c0f9387b02d9f0e57b8524c17bcf5c736f6
            • Instruction ID: 9d847421769315bda258009fcd3a62214e4699cf2f0092e0fc87964d4698f825
            • Opcode Fuzzy Hash: 52a718722026913e732e495dcacb9c0f9387b02d9f0e57b8524c17bcf5c736f6
            • Instruction Fuzzy Hash: D3113AB1D002488BDB14DFAAC4487DEFBF8AB88224F148829C515A7240CB74A945CBA5
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.716787431.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_1660000_server.jbxd
            Similarity
            • API ID:
            • String ID: Xczl$Xczl
            • API String ID: 0-2809427747
            • Opcode ID: cb42142b7ce31c02cb607deb5347c06b6e03b60a567f086bc1885bda698aeaa5
            • Instruction ID: f50d36f7b891eb634237b1587934ca0beaa45cf8a65bc62c78a786962ced7e36
            • Opcode Fuzzy Hash: cb42142b7ce31c02cb607deb5347c06b6e03b60a567f086bc1885bda698aeaa5
            • Instruction Fuzzy Hash: 03C1FB31B042158FC725CF6DCC9562E7BA6BF91244B1A846DC5079B791CB31EC42CBD6
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID: `~vl$Izl
            • API String ID: 0-2564696654
            • Opcode ID: 5e0aefdeda82c8ed1c73833a4084be20b18488f04af39b457d0decad14117235
            • Instruction ID: f32378e3fdab450e6981b65e16e77bf8f343d249ea56104f074af464283e86a1
            • Opcode Fuzzy Hash: 5e0aefdeda82c8ed1c73833a4084be20b18488f04af39b457d0decad14117235
            • Instruction Fuzzy Hash: F0711976F011198BDB18CE6DDD512ADB6F3ABC8210F19913AE506EB750DE38DC068B91
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID: `~vl$Izl
            • API String ID: 0-2564696654
            • Opcode ID: 1fe126b5f048f100111f1c2857efd64a488158d47321eb49af62920768070cf4
            • Instruction ID: 70fbb7130641cea774b21ae37bda0270d9270e08e8c1254bbb840b6196f10e24
            • Opcode Fuzzy Hash: 1fe126b5f048f100111f1c2857efd64a488158d47321eb49af62920768070cf4
            • Instruction Fuzzy Hash: B1711976F051198FDB18CE69DC512ADB6F7ABC8320F19903AD506EB790DE38DC068B90
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID: `~vl$Izl
            • API String ID: 0-2564696654
            • Opcode ID: 3c10537175c737e4860cd5cab5296822736fbebad29a562e8b6cbeca45497cee
            • Instruction ID: 5bf804b8a2a6155c24964353281f1ad962458c94c479de9904229abc1e432bdb
            • Opcode Fuzzy Hash: 3c10537175c737e4860cd5cab5296822736fbebad29a562e8b6cbeca45497cee
            • Instruction Fuzzy Hash: 85611971F1012A9BDB14CE69DD513AEBAB3ABC9300F18913AE506EB754DB74CD068BD0
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID: `~vl$Izl
            • API String ID: 0-2564696654
            • Opcode ID: 2a375d916edc9d7201bb3d62febd5dd7d22f0ee0a9341555d9ec2ed37727308f
            • Instruction ID: a33896d4678f01d4c4aae32003ded2f935ab2c5c6d32f3ade69d89f689d5ad68
            • Opcode Fuzzy Hash: 2a375d916edc9d7201bb3d62febd5dd7d22f0ee0a9341555d9ec2ed37727308f
            • Instruction Fuzzy Hash: 38610B71F1012A9BDB14CE69DD513AEBAB7ABC9200F18913AE502EB754DB74CD068BD0
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 78%
            			E00F4AD45(intOrPtr* __eax, signed int* __ebx, signed char __ecx, void* __edx, signed int* __edi, signed int __esi, signed long long __fp0) {
            				intOrPtr* _t1654;
            				signed char _t1655;
            				signed int _t1656;
            				intOrPtr* _t1657;
            				intOrPtr* _t1658;
            				signed char _t1659;
            				signed int _t1660;
            				signed char _t1661;
            				intOrPtr* _t1662;
            				signed char _t1663;
            				signed char _t1664;
            				intOrPtr* _t1666;
            				signed char _t1667;
            				signed char _t1668;
            				signed char _t1669;
            				void* _t1671;
            				signed char _t1673;
            				signed char _t1676;
            				signed char _t1677;
            				signed int _t1679;
            				signed int _t1680;
            				signed int _t1681;
            				signed char _t1682;
            				signed char _t1683;
            				signed char _t1684;
            				signed char _t1685;
            				intOrPtr* _t1690;
            				intOrPtr* _t1691;
            				signed int _t1693;
            				signed int _t1694;
            				signed int _t1695;
            				signed char _t1696;
            				intOrPtr* _t1700;
            				signed char _t1702;
            				signed char _t1703;
            				signed char _t1704;
            				signed char _t1705;
            				signed char _t1706;
            				signed char _t1707;
            				signed int _t1710;
            				signed char _t1713;
            				signed char _t1717;
            				intOrPtr* _t1718;
            				signed char _t1719;
            				signed char _t1720;
            				signed char _t1721;
            				signed char _t1722;
            				signed char _t1723;
            				signed char _t1725;
            				signed int _t1726;
            				signed char _t1727;
            				signed char _t1728;
            				signed char _t1729;
            				signed char _t1730;
            				signed int _t1731;
            				signed char _t1732;
            				signed char _t1733;
            				signed char _t1734;
            				signed char _t1735;
            				signed char _t1736;
            				signed char _t1737;
            				signed char _t2901;
            				signed char _t2902;
            				signed char _t2903;
            				signed char _t2904;
            				signed char _t2906;
            				signed char _t2908;
            				signed char _t2909;
            				signed char _t2910;
            				signed char _t2911;
            				signed char _t2912;
            				signed char _t2913;
            				signed char _t2914;
            				signed char _t2915;
            				signed char _t2916;
            				signed char _t2917;
            				signed char _t2918;
            				signed char _t2919;
            				signed char _t2921;
            				signed char _t2922;
            				signed char _t2923;
            				signed char _t2924;
            				signed char _t2925;
            				signed char _t2926;
            				signed char _t2927;
            				intOrPtr* _t2928;
            				signed char _t2929;
            				signed char _t2930;
            				signed char _t2932;
            				signed char _t2935;
            				signed char _t2937;
            				signed char _t2938;
            				signed char _t2939;
            				signed char _t2941;
            				intOrPtr* _t2942;
            				signed char _t2943;
            				signed char _t2947;
            				signed int _t2948;
            				signed int _t2949;
            				signed int _t2952;
            				intOrPtr* _t2954;
            				signed char _t2956;
            				signed int* _t2958;
            				signed int _t2960;
            				intOrPtr* _t2962;
            				signed char _t2963;
            				signed char _t2966;
            				signed char _t2967;
            				signed char _t2968;
            				void* _t2970;
            				void* _t3217;
            				void* _t3222;
            				signed char _t3223;
            				signed char _t3225;
            				signed char _t3228;
            				signed char _t3229;
            				signed char _t3230;
            				signed char _t3233;
            				signed char _t3332;
            				signed char _t3340;
            				signed char _t3342;
            				signed char _t3343;
            				signed char _t3344;
            				signed char _t3345;
            				signed int* _t3346;
            				signed char _t3347;
            				signed char _t3413;
            				signed int* _t3414;
            				intOrPtr* _t3415;
            				signed int _t3430;
            				signed int _t3431;
            				signed int _t3445;
            				signed int _t3446;
            				signed int _t3447;
            				signed int _t3448;
            				void* _t3470;
            				signed int _t3473;
            				signed char _t3553;
            				signed long long _t4311;
            				void* _t4312;
            
            				_t4311 = __fp0;
            				_t3430 = __esi;
            				_t3414 = __edi;
            				_t3223 = __ecx;
            				_t2958 = __ebx;
            				_t1654 = __eax;
            				 *_t1654 =  *_t1654 + _t1654;
            				 *__ecx =  *__ecx + _t1654;
            				_t1655 = _t1654 + _t1654;
            				asm("loope 0x2");
            				_pop(es);
            				_t3342 = __edx + 1;
            				 *_t1655 =  *_t1655 + _t1655;
            				 *__ebx =  *__ebx + _t3342;
            				 *(_t1655 + _t1655) =  *(_t1655 + _t1655) ^ _t1655;
            				_t1656 = _t1655 - 0x6000000;
            				 *_t1656 =  *_t1656 + _t1656;
            				asm("adc [eax], eax");
            				if( *_t1656 < 0) {
            					 *_t1656 =  *_t1656 + _t1656;
            					_push(es);
            					_t2956 = _t1656 |  *__esi;
            					 *_t2956 =  *_t2956 + _t2956;
            					 *_t2956 =  *_t2956 + _t2956;
            					 *_t2956 =  *_t2956 + _t2956;
            					asm("adc [esi+0x3a8d0009], al");
            					 *_t2956 =  *_t2956 + _t2956;
            					 *0x11d0 =  *0x11d0 + _t3470;
            					_t1656 = _t2956 + 0x00000028 &  *(_t2956 + 0x28);
            					 *_t3342 =  *_t3342 + __ecx;
            					__edi[8] = __edi[8] + __ecx;
            					 *_t1656 =  *_t1656 + _t1656;
            				}
            				_push(es);
            				_t3446 = _t3445 |  *_t2958;
            				 *_t3414 =  *_t3414 + _t1656;
            				_t1657 = _t1656 -  *_t1656;
            				 *_t1657 =  *_t1657 + _t1657;
            				asm("adc esi, [eax]");
            				_t1658 = _t1657 +  *_t1657;
            				_push(_t3414);
            				 *_t1658 =  *_t1658 + _t1658;
            				 *_t3414 =  *_t3414 + _t1658;
            				 *_t1658 =  *_t1658 + _t1658;
            				asm("adc [eax], eax");
            				if( *_t1658 >= 0) {
            					asm("sbb al, 0x72");
            					_pop( *__edx);
            					 *((intOrPtr*)(_t1658 + 0x6f)) =  *((intOrPtr*)(_t1658 + 0x6f)) + _t3342;
            					_t1659 = _t1658 - 0xa0000;
            					_push(es);
            					_push(ds);
            					if(_t1659 < 0) {
            						L14:
            						 *_t1659 =  *_t1659 + _t1659;
            						 *_t3430 =  *_t3430 + _t1659;
            						_t1660 = _t1659 |  *_t3430;
            						_t2958 = _t2958 +  *_t3342;
            						asm("outsd");
            						 *[cs:eax] =  *[cs:eax] + _t1660;
            						_t3342 = _t3342 |  *(_t3342 - 0x7b);
            						_push(es);
            						 *((intOrPtr*)(_t1660 + 0x17)) =  *((intOrPtr*)(_t1660 + 0x17)) + _t3342;
            						 *_t1660 =  *_t1660 + _t1660;
            						 *0x28a20216 =  *0x28a20216 + _t3430;
            					} else {
            						_t1660 = _t1659;
            						if(_t1660 >= 0) {
            							_t2952 = _t1660 - 0xa0000;
            							 *_t2958 =  *_t2958 - _t2958;
            							 *_t2952 =  *_t2952 + _t2952;
            							_push(es);
            							 *0x60000 =  *0x60000 - _t2958;
            							_t2954 = (_t2952 |  *_t3414) -  *(_t2952 |  *_t3414);
            							asm("adc esi, [eax]");
            							es = es;
            							 *((intOrPtr*)(_t3223 + 0x8000000)) =  *((intOrPtr*)(_t3223 + 0x8000000)) + _t3223;
            							 *_t2954 =  *_t2954 + _t2954;
            							asm("adc [eax], eax");
            							 *_t3342 =  *_t3342 - _t2958;
            							 *_t2954 =  *_t2954 + _t2954;
            							_push(es);
            							_t1659 = _t2954 +  *[es:ebx];
            							_push(ss);
            							asm("outsd");
            							 *[cs:eax] =  *[cs:eax] + _t1659;
            							_t3413 = _t3342 |  *(_t3342 - 0x7b);
            							_push(es);
            							 *((intOrPtr*)(_t1659 + 0x16)) =  *((intOrPtr*)(_t1659 + 0x16)) + _t3413;
            							 *_t1659 =  *_t1659 + _t1659;
            							 *_t1659 =  *_t1659 + _t3446;
            							 *_t1659 =  *_t1659 - _t1659;
            							 *_t1659 =  *_t1659 + _t1659;
            							_push(es);
            							_t2958 = _t2958 +  *_t1659;
            							asm("outsd");
            							 *[cs:eax] =  *[cs:eax] + _t1659;
            							_t3342 = _t3413 |  *(_t3413 - 0x7b);
            							 *((intOrPtr*)(_t1659 + 0x16)) =  *((intOrPtr*)(_t1659 + 0x16)) + _t3342;
            							 *_t1659 =  *_t1659 + _t1659;
            							 *_t1659 =  *_t1659 + _t3446;
            							 *_t1659 =  *_t1659 & _t1659;
            							goto L14;
            						}
            					}
            				} else {
            					 *_t1658 =  *_t1658 + _t1658;
            					_t3223 = _t3223 |  *_t3342;
            					_push(es);
            					_push(ss);
            					if(_t3223 >= 0) {
            						 *_t1658 =  *_t1658 + _t1658;
            					}
            					 *((intOrPtr*)(_t1658 + 0x6f)) =  *((intOrPtr*)(_t1658 + 0x6f)) + _t3342;
            				}
            				 *_t1660 =  *_t1660 - _t1660;
            				 *_t1660 =  *_t1660 + _t1660;
            				_push(es);
            				 *[cs:eax] =  *[cs:eax] + _t1660;
            				_t3343 = _t3342 |  *(_t3342 - 0x7b);
            				_push(es);
            				 *((intOrPtr*)(_t1660 + 0x16)) =  *((intOrPtr*)(_t1660 + 0x16)) + _t3343;
            				 *_t1660 =  *_t1660 + _t1660;
            				 *_t1660 =  *_t1660 + _t3446;
            				 *_t1660 =  *_t1660 & _t1660;
            				 *_t3430 =  *_t3430 + _t1660;
            				_t1661 = _t1660 |  *_t3414;
            				_t2960 = _t2958 +  *((intOrPtr*)(_t3414 + _t3446 * 2)) +  *_t3430;
            				asm("outsd");
            				 *[cs:eax] =  *[cs:eax] + _t1661;
            				_t3344 = _t3343 |  *(_t3343 - 0x47);
            				_push(es);
            				 *((intOrPtr*)(_t1661 + 0x18)) =  *((intOrPtr*)(_t1661 + 0x18)) + _t3344;
            				_t3473 = _t3430;
            				 *_t1661 =  *_t1661 + _t1661;
            				 *0x28a20316 =  *0x28a20316 + _t3473;
            				 *_t1661 =  *_t1661 & _t1661;
            				 *_t3430 =  *_t3430 + _t1661;
            				_t1662 = _t1661 -  *[es:eax];
            				 *_t1662 =  *_t1662 + _t1662;
            				asm("adc esi, [eax]");
            				_t1663 = _t1662 +  *_t1662;
            				asm("adc [eax], eax");
            				 *_t1663 =  *_t1663 + _t1663;
            				 *_t1663 =  *_t1663 | _t1663;
            				 *_t3223 =  *_t3223 + _t3344;
            				 *_t1663 =  *_t1663 + _t3223;
            				_t1664 = _t1663 &  *_t1663;
            				 *_t3344 =  *_t3344 + _t3223;
            				 *_t1664 =  *_t1664 + _t1664;
            				_t3225 = _t3223 + _t3414[9] |  *_t3344;
            				_push(es);
            				_t1666 = _t1664 -  *_t1664 -  *((intOrPtr*)(_t1664 -  *_t1664));
            				 *_t1666 =  *_t1666 + _t1666;
            				asm("sbb esi, [eax]");
            				_t1667 = _t1666 +  *_t1666;
            				if (_t1667 < 0) goto L17;
            				 *_t1667 =  *_t1667 + _t1667;
            				_t1668 = _t1667 |  *_t1667;
            				 *_t3225 =  *_t3225 + _t3344;
            				 *((intOrPtr*)(_t3344 - 7)) =  *((intOrPtr*)(_t3344 - 7)) + _t3344;
            				_push(es);
            				do {
            					_t33 = _t1668 + 0xa;
            					 *_t33 =  *((intOrPtr*)(_t1668 + 0xa)) + _t3344;
            				} while ( *_t33 < 0);
            				_push(es);
            				 *((intOrPtr*)(_t1668 + 0x20)) =  *((intOrPtr*)(_t1668 + 0x20)) + _t3344;
            				asm("adc eax, [edx]");
            				 *_t1668 =  *_t1668 + _t1668;
            				if( *_t1668 >= 0) {
            					L22:
            					 *_t1668 =  *_t1668 + _t1668;
            					 *_t1668 =  *_t1668 + _t1668;
            					 *[ss:eax] =  *[ss:eax] + _t1668;
            					_t3228 = _t3225 | _t3414[0xd] |  *_t1668 |  *_t3344;
            					 *_t3228 =  *_t3228 + _t3228;
            					asm("outsd");
            					asm("aaa");
            					 *_t1668 =  *_t1668 + _t1668;
            					_t3229 = _t3228 |  *0x915ded0;
            					if(_t3229 == 0) {
            						 *_t1668 =  *_t1668 + _t1668;
            						 *_t2960 =  *_t2960 + _t3344;
            						asm("adc [0x1a6f], eax");
            						_t4311 = _t4311 +  *_t3430;
            						asm("adc eax, [esi]");
            						asm("adc [esi], eax");
            						_t2947 = (_t1668 + 0x082c0511 |  *(_t1668 + 0x82c0511)) -  *(_t1668 + 0x082c0511 |  *(_t1668 + 0x82c0511)) -  *_t3229;
            						goto L24;
            					}
            				} else {
            					 *_t1668 =  *_t1668 + _t1668;
            					_pop(es);
            					 *_t1668 =  *_t1668 + _t1668;
            					_t3340 = (_t3225 |  *_t2960) + _t3414[0xc] |  *(_t1668 + _t1668);
            					_t3414[0xc] = _t3414[0xc] | _t3340;
            					 *_t1668 =  *_t1668 + _t1668;
            					_t3229 = _t3340 |  *0x6f09282b;
            					_t2947 = _t1668 ^  *_t1668;
            					 *_t3344 =  *_t3344 + _t3229;
            					if( *_t3344 == 0) {
            						L24:
            						_t2948 = _t2947;
            						 *_t3344 =  *_t3344 + _t2948;
            						 *_t3414 =  *_t3414 + _t2948;
            						 *((intOrPtr*)(_t2960 + _t2960 * 2)) =  *((intOrPtr*)(_t2960 + _t2960 * 2)) + _t3344;
            						 *0 =  *0 + _t3344;
            						asm("adc esi, [eax]");
            						_t2949 = _t2948;
            						es =  *_t2949;
            						 *_t2949 =  *_t2949 + _t2949;
            						_t1668 = _t2949 |  *_t2949;
            						 *_t3229 =  *_t3229 + _t3344;
            						 *_t2960 =  *_t2960 + _t1668;
            					} else {
            						 *_t2947 =  *_t2947 + _t2947;
            						 *_t2960 =  *_t2960 + _t3344;
            						asm("adc [edi+ebp*2], eax");
            						 *_t3344 =  *_t3344 + _t3229;
            						ss = es;
            						asm("outsd");
            						_t1668 = _t2947 ^  *_t2947 ^ 0x00000000;
            						goto L22;
            					}
            				}
            				_t3447 = _t3446 +  *_t1668;
            				_pop(ds);
            				 *_t1668 =  *_t1668 + _t1668;
            				_push(es);
            				asm("adc [ecx], al");
            				_t1669 = _t1668 |  *(_t3344 + _t3430 * 2);
            				 *((intOrPtr*)(_t1669 + 0x28)) =  *((intOrPtr*)(_t1669 + 0x28)) + _t3344;
            				 *_t3344 =  *_t3344 + _t3229;
            				_t1671 = (_t1669 | 0x00000008) - 8;
            				 *_t3430 =  *_t3430 + _t1671;
            				asm("sbb [eax+0xa], bl");
            				 *_t2960 =  *_t2960 + _t3229;
            				asm("sbb eax, 0x7137204");
            				 *((intOrPtr*)(_t1671 + 0x28)) =  *((intOrPtr*)(_t1671 + 0x28)) + _t3344;
            				 *_t3344 =  *_t3344 + _t3229;
            				_t1673 = ds;
            				 *_t3430 =  *_t3430 + (_t1673 |  *_t1673) -  *_t3430;
            				ss = es;
            				_t1676 = ss;
            				_t1677 = _t1676 |  *_t1676;
            				if(_t1677 >= 0) {
            					L28:
            					 *_t3344 =  *_t3344 + _t3229;
            					asm("movsd");
            					_t3430 = _t3430 - 1;
            					 *_t1677 =  *_t1677 + _t1677;
            					 *0x3c28 =  *0x3c28 + _t1677;
            					_t3345 = _t3344 |  *_t2960;
            					 *_t3229 =  *_t3229 + _t3345;
            					_t1679 = _t1677 + 0x55;
            					 *_t1679 =  *_t1679 + _t1679;
            					asm("adc esi, [eax]");
            					 *_t1679 =  *_t1679 + _t1679;
            					asm("adc [eax], al");
            					 *_t1679 =  *_t1679 + _t1679;
            					L29:
            					_t1680 = _t1679;
            					 *_t3229 =  *_t3229 + _t3345;
            					 *((intOrPtr*)(_t3345 + 0x2d)) =  *((intOrPtr*)(_t3345 + 0x2d)) + _t3345;
            					_pop(es);
            					 *((intOrPtr*)(_t1680 + 0x28)) =  *((intOrPtr*)(_t1680 + 0x28)) + _t3345;
            					 *[ds:eax] =  *[ds:eax] + _t1680;
            					_t3230 = _t3229 |  *_t3345;
            					_t1681 = _t1680 -  *_t1680;
            					L30:
            					_t3345 = _t3345 -  *_t2960;
            					 *_t3230 =  *_t3230 ^ _t1681;
            					 *_t1681 =  *_t1681 + _t3345;
            					 *_t1681 =  *_t1681 + _t1681;
            					 *((intOrPtr*)(_t1681 + _t1681)) =  *((intOrPtr*)(_t1681 + _t1681)) + _t3230;
            					 *_t3230 =  *_t3230 + _t3345;
            					 *((intOrPtr*)(_t3345 - 0x79)) =  *((intOrPtr*)(_t3345 - 0x79)) + _t3345;
            					es = es;
            					 *((intOrPtr*)(_t1681 + 0x28)) =  *((intOrPtr*)(_t1681 + 0x28)) + _t3345;
            				} else {
            					 *_t1677 =  *_t1677 + _t1677;
            					_pop(es);
            					_t3230 = (_t3229 |  *_t2960) + _t3414[0xe];
            					 *_t1677 =  *_t1677 + _t1677;
            					_t2943 = _t1677 |  *_t1677;
            					_pop(es);
            					_t3447 = _t3447 + _t3414[0xe];
            					 *_t2943 =  *_t2943 + _t2943;
            					_t1681 = _t2943 |  *_t2943;
            					_pop(es);
            					 *_t3447 = cs;
            					 *_t3230 =  *_t3230 + _t1681;
            					asm("outsd");
            					 *_t3344 =  *_t3344 + _t3230;
            					 *_t3414 =  *_t3414 + _t1681;
            					asm("outsd");
            					 *_t3344 =  *_t3344 + _t3230;
            					es = ss;
            					ss = es;
            					asm("outsd");
            					 *_t3344 =  *_t3344 + _t3230;
            					if( *_t3344 != 0) {
            						 *_t1681 =  *_t1681 + _t1681;
            						 *_t3414 =  *_t3414 + _t1681;
            						asm("sbb [edi+0x3b], ch");
            						 *_t1681 =  *_t1681 + _t1681;
            						goto L28;
            					}
            				}
            				 *_t3430 =  *_t3430 - _t2960;
            				 *_t1681 =  *_t1681 + _t1681;
            				_t3230 = _t3230 |  *_t3345;
            				_t1679 = _t1681 -  *_t1681;
            				_push(es);
            				_t2960 = _t2960 -  *_t2960;
            				 *_t1679 =  *_t1679 ^ _t3230;
            				 *0xd000001 =  *0xd000001 + _t3230;
            				 *_t1679 =  *_t1679 + _t1679;
            				asm("adc [eax], eax");
            				if( *_t1679 >= 0) {
            					L37:
            					_t1681 = _t1679 & 0x21280216;
            					 *_t1681 =  *_t1681 + _t1681;
            					_push(es);
            					 *0x2028 = _t1681;
            					_push(es);
            					_push(es);
            					if( *_t1681 < 0) {
            						goto L30;
            					} else {
            						 *_t1681 =  *_t1681 | _t1681;
            						if( *_t1681 < 0) {
            							goto L46;
            						} else {
            							asm("adc eax, [edi]");
            							 *((intOrPtr*)(_t1681 + 0x17)) =  *((intOrPtr*)(_t1681 + 0x17)) + _t3345;
            							_t3473 = _t3430;
            							 *_t1681 =  *_t1681 + _t1681;
            							 *0x22280216 =  *0x22280216 + _t3473;
            							 *_t1681 =  *_t1681 + _t1681;
            							gs =  *((intOrPtr*)(_t3230 + 0x1e));
            							_t3346 = es;
            							 *_t3447 = cs;
            							 *_t3230 =  *_t3230 + _t1681;
            							 *0x2028 = _t1681;
            							_push(es);
            							_push(es);
            							if( *_t3230 < 0) {
            								goto L34;
            							} else {
            								_t1685 = _t1681 |  *_t1681;
            								if(_t1685 >= 0) {
            									asm("adc eax, [edi]");
            									 *((intOrPtr*)(_t1685 + 0x17)) =  *((intOrPtr*)(_t1685 + 0x17)) + _t3346;
            									_t3473 = _t3430;
            									 *_t1685 =  *_t1685 + _t1685;
            									goto L42;
            								}
            							}
            						}
            					}
            				} else {
            					 *_t1679 =  *_t1679 + _t1679;
            					_t3229 = _t3230 |  *_t3345;
            					 *_t3430 =  *_t3430 + _t1679;
            					if( *_t3430 < 0) {
            						goto L29;
            					} else {
            						_pop(es);
            						 *((intOrPtr*)(_t1679 + 0x72)) =  *((intOrPtr*)(_t1679 + 0x72)) + _t3345;
            						asm("adc eax, [edi]");
            						 *((intOrPtr*)(_t1679 + 0x17)) =  *((intOrPtr*)(_t1679 + 0x17)) + _t3345;
            						L34:
            						_t3473 = _t3430;
            						 *_t1681 =  *_t1681 + _t1681;
            						 *0x21280216 =  *0x21280216 + _t3473;
            						 *_t1681 =  *_t1681 + _t1681;
            						gs =  *((intOrPtr*)(_t3230 + 0x1e));
            						_t3346 = es;
            						 *_t3447 = cs;
            						 *_t3230 =  *_t3230 + _t1681;
            						 *0x2028 = _t1681;
            						_push(es);
            						_push(es);
            						if( *_t3230 < 0) {
            							L42:
            							 *0x22280216 =  *0x22280216 + _t3473;
            							 *_t1681 =  *_t1681 + _t1681;
            							_push(es);
            							 *0x2028 = _t1681;
            							_push(es);
            							_push(es);
            							asm("outsd");
            							_t1682 = _t1681 + 1;
            							 *_t1682 =  *_t1682 + _t1682;
            							_t3230 = _t3230 |  *_t2960;
            							 *_t2960 =  *_t2960 + _t1682;
            							if( *_t2960 >= 0) {
            								goto L47;
            							} else {
            								 *_t1682 =  *_t1682 + _t1682;
            								_t3230 = _t3230 |  *(_t1682 + _t1682);
            								goto L44;
            							}
            							goto L48;
            						} else {
            							 *_t1681 =  *_t1681 | _t1681;
            							if( *_t1681 < 0) {
            								L44:
            								 *_t3414 =  *_t3414 | _t1682;
            								_push(ss);
            								if( *_t3414 < 0) {
            									 *_t1682 =  *_t1682 + _t1682;
            									_t3414 = _t3346;
            									 *_t1682 =  *_t1682 + _t1682;
            									 *_t2960 = _t3346 +  *_t2960;
            									_t1681 = _t1682 + 9;
            									asm("adc [esi+edx], eax");
            									_t3230 = (_t3230 |  *0x698e0300) +  *((intOrPtr*)(_t3430 + 0x436f69));
            									 *_t3346 =  *_t3346 + _t3230;
            									L46:
            									asm("adc eax, [0x5110411]");
            									 *0x282b0000 =  *0x282b0000 - _t1681;
            									_push(es);
            									 *_t1681 =  *_t1681 + _t1681;
            									_t3346 = _t3345 -  *_t2960;
            									_push(es);
            									asm("fisubr word [ecx+ecx]");
            									_t1682 = _t1681 - 7;
            									_t3414[6] = _t3414[6] | _t3447;
            									 *_t1682 =  *_t1682 + _t1682;
            									L47:
            									_t1683 = _t1682 |  *_t1682;
            									_t4311 = _t4311 *  *_t1683;
            									_t1684 = _t1683 - 7;
            									_t3414[6] = _t3414[6] | _t3230;
            									 *_t1684 =  *_t1684 + _t1684;
            								}
            								L48:
            								_t1685 = _t1684 |  *_t1684;
            							} else {
            								asm("adc eax, [edi]");
            								 *((intOrPtr*)(_t1681 + 0x17)) =  *((intOrPtr*)(_t1681 + 0x17)) + _t3346;
            								_t3473 = _t3430;
            								 *_t1681 =  *_t1681 + _t1681;
            								 *0x21280216 =  *0x21280216 + _t3473;
            								goto L37;
            							}
            						}
            					}
            				}
            				_t4312 = _t4311 +  *_t3414;
            				_pop(es);
            				asm("outsd");
            				asm("sbb al, [eax]");
            				 *_t3346 =  *_t3346 + _t3230;
            				_push(es);
            				_push(es);
            				asm("outsd");
            				asm("sbb al, [eax]");
            				 *_t3346 =  *_t3346 + _t3230;
            				asm("adc [esi], eax");
            				_t1690 = _t1685 - 7 + _t2960 - 7 + _t2960 -  *((intOrPtr*)(_t1685 - 7 + _t2960 - 7 + _t2960));
            				 *_t1690 =  *_t1690 + _t1690;
            				 *_t1690 =  *_t1690 + _t3430;
            				 *_t1690 =  *_t1690 + _t1690;
            				_t1691 = _t1690 +  *_t1690;
            				_t2962 = 0 - _t3430;
            				 *_t2962 =  *_t2962 + _t3230;
            				 *_t1691 =  *_t1691 + _t1691;
            				 *_t1691 =  *_t1691 + _t1691;
            				_t1693 = _t1691 +  *_t1691 |  *(_t1691 +  *_t1691);
            				 *_t1693 =  *_t1693 + _t1693;
            				 *_t3346 =  *_t3346 + _t1693;
            				 *((intOrPtr*)(_t3230 + 0xf45300)) =  *((intOrPtr*)(_t3230 + 0xf45300)) + _t1693;
            				_t1694 = _t1693 |  *_t1693;
            				 *_t1694 =  *_t1694 + _t1694;
            				 *_t3346 =  *_t3346 + _t1694;
            				 *_t3414 =  *_t3414 + _t1694;
            				_t1695 = _t1694 + _t2962;
            				 *_t1695 =  *_t1695 + 1;
            				_t1696 = _t1695 |  *_t1695;
            				 *_t1696 =  *_t1696 + _t1696;
            				 *_t2962 =  *_t2962 + _t3346;
            				 *_t3346 =  *_t3346 ^ _t1696;
            				 *_t2962 =  *_t2962 + _t3230;
            				 *_t1696 =  *_t1696 + _t1696;
            				 *_t3430 =  *_t3430 + _t3230;
            				 *_t1696 =  *_t1696 + _t1696;
            				asm("adc [eax], eax");
            				_t3448 = _t3447 +  *((intOrPtr*)(_t2962 + _t3230));
            				_t2963 = _t2962 +  *((intOrPtr*)(_t2962 + 0x12));
            				 *_t1696 =  *_t1696 + _t1696;
            				 *_t2963 =  *_t2963 + 1;
            				_push(ss);
            				_t1700 = (_t1696 + 0x00000014 -  *_t3230 |  *_t3430) - 0xe;
            				 *_t3346 =  *_t3346 + _t1700;
            				if( *_t3346 == 0) {
            					 *_t1700 =  *_t1700 + _t1700;
            					_t2942 = _t1700 + 0x6f;
            					asm("sbb al, [eax]");
            					 *_t3346 =  *_t3346 + _t3230;
            					 *_t2942 =  *_t2942 + _t2942;
            					_t1700 = _t2942 +  *_t2963;
            					 *_t3414 =  *_t3414 - _t1700;
            					 *_t3346 =  *_t3346 + _t3230;
            					 *_t3346 =  *_t3346 + _t3230;
            				}
            				asm("adc esi, [eax]");
            				_t1702 = _t1700 -  *_t1700 +  *((intOrPtr*)(_t1700 -  *_t1700));
            				asm("out 0x0, al");
            				 *_t1702 =  *_t1702 + _t1702;
            				 *_t1702 =  *_t1702 + _t1702;
            				 *_t1702 =  *_t1702 + _t1702;
            				 *_t3346 =  *_t3346 + _t1702;
            				if( *_t3346 < 0) {
            					 *_t1702 =  *_t1702 + _t1702;
            					_t2963 = _t2963 |  *(_t3448 + 0x13);
            					 *_t1702 =  *_t1702 + _t1702;
            					_t2938 = _t1702 + 2;
            					 *_t3230 =  *_t3230 - _t3230;
            					 *_t3346 =  *_t3346 + _t3230;
            					 *_t3346 =  *_t3346 + _t2938;
            					if( *_t3346 == 0) {
            						 *_t2938 =  *_t2938 + _t2938;
            						_t2941 = _t2938 + 0x0000001f | 0x4a730d1f;
            						 *_t2941 =  *_t2941 + _t2941;
            						_t3230 = _t3230 | _t3414[0x12];
            						 *_t2941 =  *_t2941 + _t2941;
            						_t2938 = _t2941 |  *_t2941;
            						_t2963 = _t2963 +  *((intOrPtr*)(_t2963 + 0x13));
            						_t3553 = _t2963;
            					}
            					if(_t3553 == 0) {
            						 *_t2938 =  *_t2938 + _t2938;
            						_t2939 = _t2938 + 0x72;
            						_t3230 = _t3230 -  *_t2963;
            						 *((intOrPtr*)(_t2939 + 0x6f)) =  *((intOrPtr*)(_t2939 + 0x6f)) + _t3346;
            						_t3473 = _t3473 - 1;
            						 *_t2939 =  *_t2939 + _t2939;
            						_t2938 = _t2939 |  *_t2939;
            						_t2963 = _t2963 +  *((intOrPtr*)(_t2963 + 0x13));
            						 *_t2938 =  *_t2938 + _t2938;
            					}
            					_t1702 = _t2938 + 0x20;
            					_t3230 = _t3230 - 1;
            					 *_t1702 =  *_t1702 + _t1702;
            					 *_t1702 =  *_t1702 + _t1702;
            					asm("stosd");
            					 *_t1702 =  *_t1702 + _t1702;
            					 *((intOrPtr*)(_t2963 + 0x4d)) =  *((intOrPtr*)(_t2963 + 0x4d)) + _t3346;
            					 *_t1702 =  *_t1702 + _t1702;
            				}
            				 *_t3346 =  *_t3346 + _t3230;
            				asm("outsd");
            				_t3431 = _t3430 - 1;
            				 *_t1702 =  *_t1702 + _t1702;
            				_t1703 = _t1702 |  *_t1702;
            				 *_t1703 =  *_t1703 + _t1703;
            				_t1704 = _t1703 + 0x16;
            				asm("outsd");
            				_t3415 = _t3414 - 1;
            				 *_t1704 =  *_t1704 + _t1704;
            				_t1705 = _t1704 |  *_t1704;
            				 *_t1705 =  *_t1705 + _t1705;
            				_t1706 = _t1705 + 0x16;
            				asm("outsd");
            				_push(_t1706);
            				 *_t1706 =  *_t1706 + _t1706;
            				_t1707 = _t1706 |  *_t1706;
            				_t2966 = _t2963 +  *((intOrPtr*)(_t2963 + 0x13)) +  *((intOrPtr*)(_t2963 +  *((intOrPtr*)(_t2963 + 0x13)) + 0x13)) +  *((intOrPtr*)(_t2963 +  *((intOrPtr*)(_t2963 + 0x13)) +  *((intOrPtr*)(_t2963 +  *((intOrPtr*)(_t2963 + 0x13)) + 0x13)) + 0x13));
            				 *_t1707 =  *_t1707 + _t1707;
            				_t1710 = _t1707 + 0x00000072 - 0x00000001 |  *(_t1707 + 0x72 - 1);
            				if(_t1710 < 0) {
            					L66:
            					 *_t3346 =  *_t3346 ^ _t1710;
            					 *_t2966 =  *_t2966 + _t3346;
            					 *_t1710 =  *_t1710 + _t1710;
            					 *_t3415 =  *_t3415 + _t3230;
            					asm("sldt word [eax]");
            					asm("adc [eax], eax");
            					goto L68;
            				} else {
            					_push(_t3230);
            					 *_t1710 =  *_t1710 + _t1710;
            					_t1710 = (_t1710 |  *_t1710) +  *_t3346;
            					 *_t1710 =  *_t1710 + _t1710;
            					asm("rol byte [eax+0x22], 0x0");
            					_t101 = _t1710 + 0x41;
            					 *_t101 =  *((intOrPtr*)(_t1710 + 0x41)) + _t3346;
            					if( *_t101 >= 0) {
            						L65:
            						_push(ss);
            						 *_t1710 =  *_t1710 - _t2966;
            						 *_t3346 =  *_t3346 + _t3233;
            						 *_t3346 =  *_t3346 + _t3233;
            						 *_t1710 =  *_t1710 + _t1710;
            						asm("adc esi, [eax]");
            						goto L66;
            					} else {
            						 *_t1710 =  *_t1710 + _t1710;
            						_push(_t2966);
            						 *_t1710 =  *_t1710 + _t1710;
            						_t2935 = _t1710 |  *_t1710;
            						_t3346 = _t3346 +  *_t3415;
            						 *((intOrPtr*)(_t2935 + _t2935)) =  *((intOrPtr*)(_t2935 + _t2935)) - _t3346;
            						_t2937 = (_t2935 |  *_t2935) +  *(_t2935 |  *_t2935);
            						asm("bound eax, [ecx]");
            						 *_t2937 =  *_t2937 + _t2937;
            						_t1713 = _t2937 & _t2937;
            						 *_t1713 =  *_t1713 + _t1713;
            						 *((intOrPtr*)(_t2966 + 0x4d)) =  *((intOrPtr*)(_t2966 + 0x4d)) + _t3346;
            						 *_t1713 =  *_t1713 + _t1713;
            						_t3233 = _t3230 |  *_t1710 |  *_t1713;
            						_push(_t3448);
            						 *_t1713 =  *_t1713 + _t1713;
            						_t2929 = _t1713 |  *_t1713;
            						_t3233 = _t3233 +  *_t2929;
            						_push(_t3431);
            						 *_t2929 =  *_t2929 + _t2929;
            						_t2930 = _t2929 |  *_t3346;
            						if(_t2930 != 0) {
            							L63:
            							_t3346 = _t3346 +  *((intOrPtr*)(_t3346 - 0x7e));
            							_t1717 = _t2930 |  *_t2930 |  *(_t2930 |  *_t2930);
            							if(_t1717 >= 0) {
            								_push(_t3233);
            								 *_t1717 =  *_t1717 + _t1717;
            								_t1710 = _t1717 |  *_t1717;
            								_t3346 = _t3346 +  *_t3431;
            								goto L65;
            							}
            						} else {
            							 *_t2930 =  *_t2930 + _t2930;
            							_t2932 = _t2930 + 0x6f;
            							_push(_t3415);
            							 *_t2932 =  *_t2932 + _t2932;
            							_t3346 = _t3346 + _t3346[0x1b];
            							_t1710 = _t2932 |  *_t2932 |  *(_t2932 |  *_t2932);
            							if(_t1710 < 0) {
            								L68:
            								 *((intOrPtr*)(_t3346 - 7)) =  *((intOrPtr*)(_t3346 - 7)) + _t3346;
            							} else {
            								_t3473 = _t3473 - 1;
            								 *_t1710 =  *_t1710 + _t1710;
            								goto L63;
            							}
            						}
            					}
            				}
            				_push(cs);
            				 *_t3346 =  *_t3346 + _t1717;
            				if( *_t3346 == 0) {
            					 *_t1717 =  *_t1717 + _t1717;
            					_t2928 = _t1717 + 0x6f;
            					asm("sbb al, [eax]");
            					 *_t3346 =  *_t3346 + _t3233;
            					 *_t2928 =  *_t2928 + _t2928;
            					_t1717 = _t2928 +  *_t2966;
            					 *_t3415 =  *_t3415 - _t1717;
            					 *_t3346 =  *_t3346 + _t3233;
            					 *_t3346 =  *_t3346 + _t3233;
            					 *_t2966 =  *_t2966 + _t3346;
            				}
            				asm("adc esi, [eax]");
            				_t1718 = _t1717 + 0x31b00;
            				 *_t1718 =  *_t1718 + _t1718;
            				 *_t1718 =  *_t1718 + _t1718;
            				 *_t1718 =  *_t1718 + _t1718;
            				_t3347 = _t3346 +  *((intOrPtr*)(_t2966 + 0x48));
            				 *_t1718 =  *_t1718 + _t1718;
            				_t2967 = _t2966 |  *(_t3448 + 0x15);
            				 *_t1718 =  *_t1718 + _t1718;
            				_t1719 = _t1718 + 2;
            				if(_t1719 >= 0) {
            					L86:
            					 *_t1719 =  *_t1719 + _t1719;
            					_t1720 = _t1719 |  *_t1719;
            					_t2968 = _t2967 +  *((intOrPtr*)(_t2967 + 0x15));
            					 *_t1720 =  *_t1720 + _t1720;
            					_t1721 = _t1720 + 0x6f;
            					_push(_t3431);
            					goto L87;
            				} else {
            					 *_t1719 =  *_t1719 + _t1719;
            					_t2968 = _t2967 |  *(_t3448 + 0x17);
            					 *_t1719 =  *_t1719 + _t1719;
            					_t1721 = _t1719 + 2;
            					if(_t1721 >= 0) {
            						L87:
            						 *_t1721 =  *_t1721 + _t1721;
            						_t1722 = _t1721 |  *_t3347;
            						if (_t1722 != 0) goto L92;
            						goto L88;
            					} else {
            						 *_t1721 =  *_t1721 + _t1721;
            						_t2968 = _t2968 |  *(_t3448 + 0x16);
            						 *_t1721 =  *_t1721 + _t1721;
            						_t1723 = _t1721 + 2;
            						if(_t1723 >= 0) {
            							 *_t3347 =  *_t3347 + _t3233;
            							 *_t3347 =  *_t3347 + _t1723;
            							if( *_t3347 == 0) {
            								 *_t1723 =  *_t1723 + _t1723;
            								_t1722 = _t1723 + 0x0000001f | 0x4a730d1f;
            								 *_t1722 =  *_t1722 + _t1722;
            								_t3233 = _t3233 |  *(_t3415 + 0x4b);
            								 *_t1722 =  *_t1722 + _t1722;
            								_t1723 = _t1722 |  *_t1722;
            								_t2968 = _t2968 +  *((intOrPtr*)(_t2968 + 0x15));
            							}
            						} else {
            							 *_t1723 =  *_t1723 + _t1723;
            							_t2967 = _t2968 |  *(_t3448 + 0x18);
            							 *_t1723 =  *_t1723 + _t1723;
            							_t2921 = _t1723 + 2;
            							if(_t2921 == 0) {
            								 *_t2921 =  *_t2921 + _t2921;
            								_t2926 = _t2921 + 0x6f;
            								 *_t2926 =  *_t2926 + _t2926;
            								_t2927 = _t2926 |  *_t2926;
            								_t3233 = _t3233 - 1 +  *_t2927 - 1;
            								 *_t2927 =  *_t2927 + _t2927;
            								_t2921 = _t2927 |  *_t2927;
            								_t2967 = _t2967 +  *((intOrPtr*)(_t2967 + 0x15));
            								 *_t2921 =  *_t2921 + _t2921;
            							}
            							_t2922 = _t2921 + 0x6f;
            							_push(_t3431);
            							 *_t2922 =  *_t2922 + _t2922;
            							_t1719 = _t2922 |  *_t3347;
            							if(_t1719 != 0) {
            								L85:
            								 *((intOrPtr*)(_t3415 + _t3448 * 2)) =  *((intOrPtr*)(_t3415 + _t3448 * 2)) + _t1719;
            								_push(_t3415);
            								goto L86;
            							} else {
            								 *_t1719 =  *_t1719 + _t1719;
            								_t2923 = _t1719 + 0x6f;
            								_push(_t3415);
            								 *_t2923 =  *_t2923 + _t2923;
            								_t2924 = _t2923 |  *_t2923;
            								_t2968 = _t2967 +  *((intOrPtr*)(_t2967 + 0x15));
            								 *_t2924 =  *_t2924 + _t2924;
            								_t2925 = _t2924 + 0x6f;
            								_push(_t3431);
            								 *_t2925 =  *_t2925 + _t2925;
            								_t1722 = _t2925 |  *_t3347;
            								if(_t1722 == 0) {
            									 *_t1722 =  *_t1722 + _t1722;
            									goto L85;
            								}
            							}
            							L88:
            							_pop(ss);
            						}
            					}
            				}
            				 *_t1723 =  *_t1723 + _t1723;
            				asm("movsb");
            				_t1725 = _t1723 + 0x00000072 |  *(_t1723 + 0x72);
            				if(_t1725 >= 0) {
            					_t3473 = _t3473 - 1;
            					 *_t1725 =  *_t1725 + _t1725;
            					_t2906 = _t1725 |  *_t1725;
            					_t3217 = _t2968 +  *((intOrPtr*)(_t2968 + 0x15));
            					 *_t2906 =  *_t2906 + _t2906;
            					_t2908 = _t2906 + 0x20 +  *_t3233;
            					 *_t2908 =  *_t2908 + _t2908;
            					_t2909 = _t2908 & _t3233;
            					 *_t2909 =  *_t2909 + _t2909;
            					 *((intOrPtr*)(_t3217 + 0x4d)) =  *((intOrPtr*)(_t3217 + 0x4d)) + _t3347;
            					 *_t2909 =  *_t2909 + _t2909;
            					_t3332 = _t3233 |  *(_t3415 + 0x4e);
            					 *_t2909 =  *_t2909 + _t2909;
            					_t2910 = _t2909 |  *_t2909;
            					 *_t2910 =  *_t2910 + _t2910;
            					_t2911 = _t2910 + 0x16;
            					asm("outsd");
            					_t3415 = _t3415 - 1;
            					 *_t2911 =  *_t2911 + _t2911;
            					_t2912 = _t2911 |  *_t2911;
            					 *_t2912 =  *_t2912 + _t2912;
            					_t2913 = _t2912 + 0x16;
            					asm("outsd");
            					 *_t2913 =  *_t2913 + _t2913;
            					_t2914 = _t2913 |  *_t2913;
            					 *_t2914 =  *_t2914 + _t2914;
            					_t2915 = _t2914 + 0x72;
            					 *_t2915 =  *_t2915 + _t2915;
            					_t2916 = _t2915 |  *_t2915;
            					 *_t2916 =  *_t2916 + _t2916;
            					_t2917 = _t2916 + 0x17;
            					asm("outsd");
            					_t3431 = _t3332;
            					 *_t2917 =  *_t2917 + _t2917;
            					_t2918 = _t2917 |  *_t2917;
            					_t3222 = _t3217 +  *((intOrPtr*)(_t3217 + 0x15)) +  *((intOrPtr*)(_t3217 +  *((intOrPtr*)(_t3217 + 0x15)) + 0x15)) +  *((intOrPtr*)(_t3217 +  *((intOrPtr*)(_t3217 + 0x15)) +  *((intOrPtr*)(_t3217 +  *((intOrPtr*)(_t3217 + 0x15)) + 0x15)) + 0x15)) +  *((intOrPtr*)(_t3217 +  *((intOrPtr*)(_t3217 + 0x15)) +  *((intOrPtr*)(_t3217 +  *((intOrPtr*)(_t3217 + 0x15)) + 0x15)) +  *((intOrPtr*)(_t3217 +  *((intOrPtr*)(_t3217 + 0x15)) +  *((intOrPtr*)(_t3217 +  *((intOrPtr*)(_t3217 + 0x15)) + 0x15)) + 0x15)) + 0x17)) +  *((intOrPtr*)(_t3217 +  *((intOrPtr*)(_t3217 + 0x15)) +  *((intOrPtr*)(_t3217 +  *((intOrPtr*)(_t3217 + 0x15)) + 0x15)) +  *((intOrPtr*)(_t3217 +  *((intOrPtr*)(_t3217 + 0x15)) +  *((intOrPtr*)(_t3217 +  *((intOrPtr*)(_t3217 + 0x15)) + 0x15)) + 0x15)) +  *((intOrPtr*)(_t3217 +  *((intOrPtr*)(_t3217 + 0x15)) +  *((intOrPtr*)(_t3217 +  *((intOrPtr*)(_t3217 + 0x15)) + 0x15)) +  *((intOrPtr*)(_t3217 +  *((intOrPtr*)(_t3217 + 0x15)) +  *((intOrPtr*)(_t3217 +  *((intOrPtr*)(_t3217 + 0x15)) + 0x15)) + 0x15)) + 0x17)) + 0x17));
            					 *_t2918 =  *_t2918 + _t2918;
            					_t2919 = _t2918 + 0x1d;
            					ds = _t2913;
            					_t3347 = 0x6f70000b &  *(_t3222 + 0x4a);
            					 *_t2919 =  *_t2919 + _t2919;
            					_t3233 = _t3332 |  *(_t3415 + 0x4b);
            					 *_t2919 =  *_t2919 + _t2919;
            					_t1725 = _t2919 |  *_t2919;
            					_t2968 = _t3222 +  *((intOrPtr*)(_t3222 + 0x17));
            				}
            				 *_t1725 =  *_t1725 + _t1725;
            				_t1726 = _t1725 + 0x72;
            				asm("retf 0xb");
            				if(_t1726 >= 0) {
            					_t3473 = _t3473 - 1;
            					 *_t1726 =  *_t1726 + _t1726;
            					_t2904 = _t1726 |  *_t1726;
            					_t2968 = _t2968 +  *((intOrPtr*)(_t2968 + 0x17));
            					 *_t2904 =  *_t2904 + _t2904;
            					_t1727 = _t2904 + 0x0000001f | 0x00004d73;
            					_t3233 = _t3233 |  *(_t3415 + 0x4e);
            					L97:
            					_t3431 = _t3431 - 1;
            					 *_t1727 =  *_t1727 + _t1727;
            					_t1728 = _t1727 |  *_t1727;
            					 *_t1728 =  *_t1728 + _t1728;
            					_t1729 = _t1728 + 0x16;
            					asm("outsd");
            					_t3415 = _t3415 - 1;
            					 *_t1729 =  *_t1729 + _t1729;
            					_t1730 = _t1729 |  *_t1729;
            					_t2968 = _t2968 +  *((intOrPtr*)(_t2968 + 0x17)) +  *((intOrPtr*)(_t2968 +  *((intOrPtr*)(_t2968 + 0x17)) + 0x17));
            					 *_t1730 =  *_t1730 + _t1730;
            					_t1731 = _t1730 + 0x72;
            					goto 0x51;
            					 *_t3347 =  *_t3347 + _t3233;
            					 *_t3347 =  *_t3347 + _t1731;
            					if( *_t3347 == 0) {
            						 *_t1731 =  *_t1731 + _t1731;
            						_t1732 = _t1731 + 0x18;
            						asm("outsd");
            						_pop(_t3415);
            						 *_t1732 =  *_t1732 + _t1732;
            						_t1733 = _t1732 |  *_t1732;
            						_t2968 = _t2968 +  *((intOrPtr*)(_t2968 + 0x16));
            						 *_t1733 =  *_t1733 + _t1733;
            						_t1734 = _t1733 + 0x17;
            						asm("outsd");
            						asm("pushad");
            						 *_t1734 =  *_t1734 + _t1734;
            						_t1731 = _t1734 |  *_t1734;
            					}
            					 *_t3347 =  *_t3347 + _t1731;
            					if( *_t3347 == 0) {
            						 *_t1731 =  *_t1731 + _t1731;
            						_t1731 = _t1731 + 0x6f;
            						asm("popad");
            						 *_t1731 =  *_t1731 + _t1731;
            						_t2968 = _t2968 |  *_t1731;
            						_t3473 = _t3431;
            						 *_t1731 =  *_t1731 + _t1731;
            						 *0xb907216 =  *0xb907216 + _t3473;
            						 *((intOrPtr*)(_t1731 - 0x5e)) =  *((intOrPtr*)(_t1731 - 0x5e)) + _t3347;
            					}
            					_t1726 = _t1731 & 0x0b967217;
            				}
            				_t1727 = _t1726 |  *_t1726;
            				if(_t1727 < 0) {
            					goto L97;
            				}
            				asm("outsd");
            				asm("bound eax, [eax]");
            				 *_t3347 =  *_t3347 + _t3233;
            				 *_t3347 =  *_t3347 + _t1727;
            				if( *_t3347 != 0) {
            					L106:
            					 *((intOrPtr*)(_t3347 + _t3431 * 2)) =  *((intOrPtr*)(_t3347 + _t3431 * 2)) + _t1727;
            					 *_t2968 =  *_t2968 - 1;
            					 *((intOrPtr*)(_t1727 + 0x6f)) =  *((intOrPtr*)(_t1727 + 0x6f)) + _t3347;
            					_t3473 = _t3473 - 1;
            					 *_t1727 =  *_t1727 + _t1727;
            					_t1735 = _t1727 |  *_t1727;
            					_t2970 = _t2968 +  *((intOrPtr*)(_t2968 + 0x16));
            					 *_t1735 =  *_t1735 + _t1735;
            					_t1736 = _t1735 + 0x1f;
            					if(_t1736 < 0) {
            						asm("adc eax, 0x4d73");
            						_t3233 = _t3233 |  *(_t3415 + 0x4e);
            						 *_t1736 =  *_t1736 + _t1736;
            						_t2901 = _t1736 |  *_t1736;
            						 *_t2901 =  *_t2901 + _t2901;
            						_t2902 = _t2901 + 0x17;
            						asm("outsd");
            						_t3415 = _t3415 - 1;
            						 *_t2902 =  *_t2902 + _t2902;
            						_t2903 = _t2902 |  *_t2902;
            						_t2970 = _t2970 +  *((intOrPtr*)(_t2970 + 0x16)) +  *((intOrPtr*)(_t2970 +  *((intOrPtr*)(_t2970 + 0x16)) + 0x16));
            						 *_t2903 =  *_t2903 + _t2903;
            						_t1736 = _t2903 + 2;
            					}
            					_t2968 = _t2970 + _t3347;
            					_push(es);
            					_t1737 = _t1736 -  *_t1736;
            					 *_t3431 =  *_t3431 + _t1737;
            					if ( *_t3431 >= 0) goto L111;
            				} else {
            					 *_t1727 =  *_t1727 + _t1727;
            					_t1737 = _t1727 + 0x1f;
            					_t3415 = _t3415 + 1;
            					_pop(ds);
            					_pop(ds);
            					if(_t3415 < 0) {
            						 *_t1737 =  *_t1737 + _t1737;
            						_t3233 = _t3233 |  *(_t3415 + 0x4b);
            						 *_t1737 =  *_t1737 + _t1737;
            						_t1727 = _t1737 |  *_t1737;
            						_t2968 = _t2968 +  *((intOrPtr*)(_t2968 + 0x16));
            						 *_t1727 =  *_t1727 + _t1727;
            						goto L106;
            					}
            				}
            				_push(ss);
            }
            (per-line address column of this listing, 0x00f4ad45 through 0x00f4b501, omitted)

            Memory Dump Source
            • Source File: 0000000B.00000002.716580185.0000000000EB2000.00000002.00000001.01000000.00000004.sdmp, Offset: 00EB0000, based on PE: true
            • Associated: 0000000B.00000002.716573174.0000000000EB0000.00000002.00000001.01000000.00000004.sdmp
            • Associated: 0000000B.00000002.716662100.0000000000F56000.00000002.00000001.01000000.00000004.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_eb0000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c312ead9f6a49b8c2f9dac4fa08c6643a7d7d14abe3f671ef460bed0124228e8
            • Instruction ID: 44bc805511474277d0e21d28e6d411c820e953a71d51587bb1a650a65d7ed3c6
            • Opcode Fuzzy Hash: c312ead9f6a49b8c2f9dac4fa08c6643a7d7d14abe3f671ef460bed0124228e8
            • Instruction Fuzzy Hash: FD72F32140E7C19FCB138B789CB55D27FB1AE5721431E49CBD4C0CF0A3D619AA6AE762
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.716787431.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_1660000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: aa4d4b549d508a2945c26958a61e8411e6d864ca9d5596bfaab10d02b420cced
            • Instruction ID: cc2aea792f95fb0cf5dcd57acb6e0cc0cdeb0d1c3c2bcd397a1e3e00a660d9d4
            • Opcode Fuzzy Hash: aa4d4b549d508a2945c26958a61e8411e6d864ca9d5596bfaab10d02b420cced
            • Instruction Fuzzy Hash: 1AE1D631B002198FDB05CFA8CC95BEEBBB6FB88314F158529D545AB395CB74AC45CBA0
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 98aab4a4527eefa762a7614ee41bd150aef6a88d13712049be5a8b07bbe6ae05
            • Instruction ID: 195948571bb6aa063260cae69702e48b83c87420db8038ab70bc8d7f49801976
            • Opcode Fuzzy Hash: 98aab4a4527eefa762a7614ee41bd150aef6a88d13712049be5a8b07bbe6ae05
            • Instruction Fuzzy Hash: DB8127F5B652158BEFC8E974CD613AE6193ABC8214F0C947EA107DB394DA78CC0187E5
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5f1082ec1122c83a815ce202d0d6df1385086b58741414361279fedae9bb773a
            • Instruction ID: 93d9bba82106ebc6590d0cee091cc1b92b2723919e01fe8e5c3b6b43a7920a20
            • Opcode Fuzzy Hash: 5f1082ec1122c83a815ce202d0d6df1385086b58741414361279fedae9bb773a
            • Instruction Fuzzy Hash: 177126F4B652158BEFC8E974CD5136E2593ABD8214F0C947EA106DB394EA78CC02C7E2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bb0ead4e393be3c650f29ef55cfe12537eb15695a1bc59b91b9214daa90b10e1
            • Instruction ID: 7536f277a645a17da02a4532cae0e7958f5fb506df7831940285d921a01a1178
            • Opcode Fuzzy Hash: bb0ead4e393be3c650f29ef55cfe12537eb15695a1bc59b91b9214daa90b10e1
            • Instruction Fuzzy Hash: 59717D77F502254FD704DA78DD631BA7AE79BD9610706A1AB9906EF388ED34CC0287D0
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 68e37812d699cadb8f7ac0dc282cf93d504fdc20c53460bd2878b8d02cd6fb68
            • Instruction ID: 059948e18be096f150e2a59510c8d701f03a67dbf69ba02c8d392400e33d233a
            • Opcode Fuzzy Hash: 68e37812d699cadb8f7ac0dc282cf93d504fdc20c53460bd2878b8d02cd6fb68
            • Instruction Fuzzy Hash: DC717D77F502254FD704DA78DD6317A79E79BD9610706A1AB9906EF388ED34CC0287D0
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 38b94ec3a587c861e716f5abca56637e4dba58ae5bb9b8b553e53f98d63e4714
            • Instruction ID: da4c52da316b3bfba771a443a5336b78dde451899a1b605d93ab3f92da521d79
            • Opcode Fuzzy Hash: 38b94ec3a587c861e716f5abca56637e4dba58ae5bb9b8b553e53f98d63e4714
            • Instruction Fuzzy Hash: FE71F5B1B042148FDB48CFA8D8956AD73F3EBC8318F15417AE906EB750DA749C428B95
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000B.00000002.721986058.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_11_2_6b90000_server.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9ac416da213c44c2d3daf1102bc6bf9939f5c03bd23f84d597ac2bb3b8d339c4
            • Instruction ID: fc54d29cee2591caf0f612a0b865fa939e549d0e33b551041fff5cb282f79f49
            • Opcode Fuzzy Hash: 9ac416da213c44c2d3daf1102bc6bf9939f5c03bd23f84d597ac2bb3b8d339c4
            • Instruction Fuzzy Hash: F051B3B1B041048FDB48CFA8D89566D73F3EBC8318B25817AE906EB750DA749C428B94
            Uniqueness

            Uniqueness Score: -1.00%

            Execution Graph

            Execution Coverage: 8%
            Dynamic/Decrypted Code Coverage: 100%
            Signature Coverage: 0%
            Total number of Nodes: 159
            Total number of Limit Nodes: 12
            execution_graph (interactive node/edge list from the graph viewer omitted; only the recoverable nodes are kept)
            • Entry nodes: 2b55f57, 2b55ed0, 2b57680, 2b57c20, 2b588e2, 2b58748, 2b5a7b8, 2b5046c, 127d0f0
            • API call nodes: 2b578f0 CreateProcessW; 2b576c1 FindCloseChangeNotification; 2b57c6c WaitForInputIdle; 2b5ae79 and 2b5aea0 DuplicateHandle; 2b52fb2 KiUserExceptionDispatcher; 2b5a7b8 and 2b5a86f GetCurrentProcess; 2b5a832 GetCurrentThread; 2b5a8cd GetCurrentThreadId; 51dd81a CallWindowProcW

            Control-flow Graph (interactive graph with executed/not-executed colouring omitted; only the recoverable blocks are kept)
            • Entry block: 2b56fd8-2b57964; final block: 2b57b88
            • API call block: 2b57aa2-2b57af1 CreateProcessW
            APIs
            • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,?,?,00000000,00000000,?), ref: 02B57AE1
            Memory Dump Source
            • Source File: 0000000F.00000002.927194898.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_2b50000_RegSvcs.jbxd
            Similarity
            • API ID: CreateProcess
            • String ID:
            • API String ID: 963392458-0
            • Opcode ID: 00b6c078000a11a78abb4ecdddb05bd77a97e0d67c0a3ac49c1625b758d9760d
            • Instruction ID: 41e96b7b39d0cd5dc298ef30fccf02ec5614616f257787dce991426755f8e214
            • Opcode Fuzzy Hash: 00b6c078000a11a78abb4ecdddb05bd77a97e0d67c0a3ac49c1625b758d9760d
            • Instruction Fuzzy Hash: 76913571E006199FDB24CFA9C8947DEFBF2EF88304F25812AE915AB250DB70A945CF51
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph (interactive graph with executed/not-executed colouring omitted; only the recoverable blocks are kept)
            • Entry block: 2b578e6-2b57964; final block: 2b57b88
            • API call block: 2b57aa2-2b57af1 CreateProcessW
            APIs
            • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,?,?,00000000,00000000,?), ref: 02B57AE1
            Memory Dump Source
            • Source File: 0000000F.00000002.927194898.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_2b50000_RegSvcs.jbxd
            Similarity
            • API ID: CreateProcess
            • String ID:
            • API String ID: 963392458-0
            • Opcode ID: 24502dba6f178362a56bb346099ea356c48ebacefba813191af45068c63b4095
            • Instruction ID: 2744df7c5da50e4c044756bdaeb8df4ac8f9e4c9dd06c08ef71465fa7e992adc
            • Opcode Fuzzy Hash: 24502dba6f178362a56bb346099ea356c48ebacefba813191af45068c63b4095
            • Instruction Fuzzy Hash: ED913471E002199FDB14CFA9C8947DEFBF2EF88304F25852AE914AB250DB709945CF51
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph (interactive graph with executed/not-executed colouring omitted; only the recoverable blocks are kept)
            • Entry block: 2b5a7a9-2b5a829 GetCurrentProcess; final block: 2b5a905-2b5a967
            • API call blocks: 2b5a832-2b5a866 GetCurrentThread; 2b5a86f-2b5a8a3 GetCurrentProcess; 2b5a8cd-2b5a8fc GetCurrentThreadId
            • Internal calls at 2b5a8c7: 2b5ad80, 2b5ad70, 2b5b2f8
            APIs
            • GetCurrentProcess.KERNEL32 ref: 02B5A818
            • GetCurrentThread.KERNEL32 ref: 02B5A855
            • GetCurrentProcess.KERNEL32 ref: 02B5A892
            • GetCurrentThreadId.KERNEL32 ref: 02B5A8EB
            Memory Dump Source
            • Source File: 0000000F.00000002.927194898.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_2b50000_RegSvcs.jbxd
            Similarity
            • API ID: Current$ProcessThread
            • String ID:
            • API String ID: 2063062207-0
            • Opcode ID: 45e9fc5bdbbd0c45f20936ec346ef285d66de5798e723ab850c72da9332df064
            • Instruction ID: 451f643ba34b25167f65c0fe2bb4df435ce7782681a2dca8ceadcffe67791aa8
            • Opcode Fuzzy Hash: 45e9fc5bdbbd0c45f20936ec346ef285d66de5798e723ab850c72da9332df064
            • Instruction Fuzzy Hash: A95146B4D002598FEB14CFA9C6887DEBFF0EB48314F148599E459B7290DB346885CFA2
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph (interactive graph with executed/not-executed colouring omitted; only the recoverable blocks are kept)
            • Entry block: 2b5a7b8-2b5a829 GetCurrentProcess; final block: 2b5a905-2b5a967
            • API call blocks: 2b5a832-2b5a866 GetCurrentThread; 2b5a86f-2b5a8a3 GetCurrentProcess; 2b5a8cd-2b5a8fc GetCurrentThreadId
            • Internal calls at 2b5a8c7: 2b5ad80, 2b5ad70, 2b5b2f8
            APIs
            • GetCurrentProcess.KERNEL32 ref: 02B5A818
            • GetCurrentThread.KERNEL32 ref: 02B5A855
            • GetCurrentProcess.KERNEL32 ref: 02B5A892
            • GetCurrentThreadId.KERNEL32 ref: 02B5A8EB
            Memory Dump Source
            • Source File: 0000000F.00000002.927194898.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_2b50000_RegSvcs.jbxd
            Similarity
            • API ID: Current$ProcessThread
            • String ID:
            • API String ID: 2063062207-0
            • Opcode ID: c4ad767197402db8f6a2c3a291f47dc64ff0dc2a159d6ecb482254dd0baa996f
            • Instruction ID: 76caf95914622a4d9b28b28c54e7097ab2b629ae4bced4740ccb6a3585a17fe8
            • Opcode Fuzzy Hash: c4ad767197402db8f6a2c3a291f47dc64ff0dc2a159d6ecb482254dd0baa996f
            • Instruction Fuzzy Hash: CA5156B4D002598FEB14CFA9C6887DEBFF0EB48314F148599E419B7250DB346845CFA2
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph (interactive graph with executed/not-executed colouring omitted; only the recoverable blocks are kept)
            • Entry block: 2b52fb2-2b52ffc KiUserExceptionDispatcher; final block: 2b5317a-2b53181
            • Internal calls: at 2b53002 to 2b535c0 or 2b535ba; at 2b530cc-2b530e3 to 2b505e0; at 2b530ed to 2b55990, 2b5597f or 2b55ca8; at 2b53174 to 2b55d40, 2b55cb8 or 2b55ca8
            APIs
            • KiUserExceptionDispatcher.NTDLL ref: 02B52FF2
            Memory Dump Source
            • Source File: 0000000F.00000002.927194898.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_2b50000_RegSvcs.jbxd
            Similarity
            • API ID: DispatcherExceptionUser
            • String ID:
            • API String ID: 6842923-0
            • Opcode ID: b2a7c8a9db2335652f64f42556854b002fdb25f2ee3153b09a76bcfa038f6a6b
            • Instruction ID: 45f890d60c164e6c41493c65205d65e7145b54cb0f4547e76d8636c5a6620b7b
            • Opcode Fuzzy Hash: b2a7c8a9db2335652f64f42556854b002fdb25f2ee3153b09a76bcfa038f6a6b
            • Instruction Fuzzy Hash: D3515C34A012149FDB04EF74E559AADBBF6FF88345F1185A9F806AB394DB319C41CB90
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph (interactive graph with executed/not-executed colouring omitted; only the recoverable blocks are kept)
            • Entry block: 2b5ade8-2b5adf3; final block: 2b5af3d-2b5af5a
            • API call block: 2b5ae79-2b5af34 DuplicateHandle
            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B5ADAE,?,?,?,?,?), ref: 02B5AF27
            Memory Dump Source
            • Source File: 0000000F.00000002.927194898.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_2b50000_RegSvcs.jbxd
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: 0bdf3479442c545afce2a3addcf4cd8932f77ef6281ac65e6bbb4e8f07bd4993
            • Instruction ID: 7b9abbcb6a438882c449da8ddea1b2b379d3ec1b665504169bb7a7c8e85ac89e
            • Opcode Fuzzy Hash: 0bdf3479442c545afce2a3addcf4cd8932f77ef6281ac65e6bbb4e8f07bd4993
            • Instruction Fuzzy Hash: 0541B071A003088FDB10CFA9D548BEEBBF5EF88324F14895AE955A7350C774A944CBA2
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph (interactive graph with executed/not-executed colouring omitted; only the recoverable blocks are kept)
            • Entry block: 51dbef4-51dd7bc; final block: 51dd88f-51dd89c
            • API call block: 51dd81a-51dd852 CallWindowProcW
            • Internal call: 51dd86c-51dd88c to 51d697c
            APIs
            • CallWindowProcW.USER32(?,?,?,?,?), ref: 051DD841
            Memory Dump Source
            • Source File: 0000000F.00000002.927682773.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_51d0000_RegSvcs.jbxd
            Similarity
            • API ID: CallProcWindow
            • String ID:
            • API String ID: 2714655100-0
            • Opcode ID: bd1e499bd1216e6910cd6965048ded13a4f96185a0a564ceb5d215d983dde03c
            • Instruction ID: 666902e24fb46ec3bd64e43931506b8a95c878eb7daac8c0f2c27bed7a01542c
            • Opcode Fuzzy Hash: bd1e499bd1216e6910cd6965048ded13a4f96185a0a564ceb5d215d983dde03c
            • Instruction Fuzzy Hash: 394125B4A00205CFDB14CF99D488BAAFBF5FF88324F258459E519AB321D734A845CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B5ADAE,?,?,?,?,?), ref: 02B5AF27
            Memory Dump Source
            • Source File: 0000000F.00000002.927194898.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_2b50000_RegSvcs.jbxd
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: 1980c7b1c2f92ce201fb1151578b1593550c1b7a2851013cd9fbed9578c50ebc
            • Instruction ID: 23d5e5212f261f2cd74024d24a5a70ef776440fb472be5687b78633af299c482
            • Opcode Fuzzy Hash: 1980c7b1c2f92ce201fb1151578b1593550c1b7a2851013cd9fbed9578c50ebc
            • Instruction Fuzzy Hash: 8D21D2B5900218AFDB10CFAAD984ADEBBF8EB48324F14845AE914B7310D374A954CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph (interactive graph with executed/not-executed colouring omitted; only the recoverable blocks are kept)
            • Entry block: 2b57c14-2b57c74; final block: 2b57cfe
            • API call block: 2b57c7c-2b57cb0 WaitForInputIdle
            APIs
            • WaitForInputIdle.USER32(00000000), ref: 02B57CA0
            Memory Dump Source
            • Source File: 0000000F.00000002.927194898.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_2b50000_RegSvcs.jbxd
            Similarity
            • API ID: IdleInputWait
            • String ID:
            • API String ID: 2200289081-0
            • Opcode ID: 065add53c418188de921573edf5e9addca5e195ad5843b6ca0fbb89662d1369f
            • Instruction ID: 74fc6600a907706ce1afe8293150924e9dd904189e37985ddc7b7b2893e5d225
            • Opcode Fuzzy Hash: 065add53c418188de921573edf5e9addca5e195ad5843b6ca0fbb89662d1369f
            • Instruction Fuzzy Hash: C32112B0E002689FDB14CFA9D588B9EFBF4AF49214F14805AE819AB340CB745944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • WaitForInputIdle.USER32(00000000), ref: 02B57CA0
            Memory Dump Source
            • Source File: 0000000F.00000002.927194898.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_2b50000_RegSvcs.jbxd
            Similarity
            • API ID: IdleInputWait
            • String ID:
            • API String ID: 2200289081-0
            • Opcode ID: 87e03c237edc9e5362ea268636e2be562eca4751a7b67939f17f41875d2f5dcd
            • Instruction ID: 9a1cdc2de1bd2efd3910ce7dbb857c46d763214db7a0fcdaf43a43f569d6c01b
            • Opcode Fuzzy Hash: 87e03c237edc9e5362ea268636e2be562eca4751a7b67939f17f41875d2f5dcd
            • Instruction Fuzzy Hash: 4721F4B0E102689FDB14CFAAD588B8EFBF4BF48314F14805AE819AB350CB745944CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • FindCloseChangeNotification.KERNELBASE ref: 02B576DF
            Memory Dump Source
            • Source File: 0000000F.00000002.927194898.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_2b50000_RegSvcs.jbxd
            Similarity
            • API ID: ChangeCloseFindNotification
            • String ID:
            • API String ID: 2591292051-0
            • Opcode ID: c65eb0be2a163307cb4bc5c2c9c9eb093a1e9bde8f738a81d1e6570b1f5f9678
            • Instruction ID: 015a36f74c2e78368674f4efa2ab2a630a0b2b057356197a68e4e4cf45865fb8
            • Opcode Fuzzy Hash: c65eb0be2a163307cb4bc5c2c9c9eb093a1e9bde8f738a81d1e6570b1f5f9678
            • Instruction Fuzzy Hash: 9C1115B19002598FCB10DF9AD588BDEFBF8EF48324F14845AD959A7340CB74A944CFA2
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • FindCloseChangeNotification.KERNELBASE ref: 02B576DF
            Memory Dump Source
            • Source File: 0000000F.00000002.927194898.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_2b50000_RegSvcs.jbxd
            Similarity
            • API ID: ChangeCloseFindNotification
            • String ID:
            • API String ID: 2591292051-0
            • Opcode ID: 68a4c4d70814fd54c693e2b2446229f8fb4d005bcd6903d63ff56b90ff15ccb7
            • Instruction ID: bafeba1a3bd94ef5e0413705af87f492394323f7f8e749ecd6aad6ac6d5376b0
            • Opcode Fuzzy Hash: 68a4c4d70814fd54c693e2b2446229f8fb4d005bcd6903d63ff56b90ff15ccb7
            • Instruction Fuzzy Hash: A71122B59002598FCB10CFA9D5897DEFBF4EB48324F14845AD959A7210CB74A944CFA2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000F.00000002.927012969.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_126d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c3244374874c6f27ec944c48d1b858fcd05df53dbd77d73ec315946640d4bd23
            • Instruction ID: 1ed0bbb767ded112d6b4829ed72c3aa89cde01bae1359dc0d7ea7b5e00fe9e69
            • Opcode Fuzzy Hash: c3244374874c6f27ec944c48d1b858fcd05df53dbd77d73ec315946640d4bd23
            • Instruction Fuzzy Hash: 1C219A7161420CDFDB01CF54E9C4F26BB69FB88324F208569DA490B286C336DC86C7A2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000F.00000002.927012969.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_126d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2167a2bb360877f590fdab09352df3300c2e7c1d7970f93464a9abe78eb2e1a8
            • Instruction ID: ceeebfa7653d0fe811005e6f8f514a630fd114d7e1086aa1912e79edeb61929c
            • Opcode Fuzzy Hash: 2167a2bb360877f590fdab09352df3300c2e7c1d7970f93464a9abe78eb2e1a8
            • Instruction Fuzzy Hash: 9B219A7161420CDFDB01DF54E9C0B26BF69FB84328F24856CE9454B686C336D886CBA2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000F.00000002.927061791.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_127d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 699c575bd217f6b8fee15d5ab45b1299cdad74f3ccbf6e6ce5b7458c97e65aa0
            • Instruction ID: 386355ccd79031e7c044f88e9eb76ec9eef842627ae9bf64e586d252130cc33c
            • Opcode Fuzzy Hash: 699c575bd217f6b8fee15d5ab45b1299cdad74f3ccbf6e6ce5b7458c97e65aa0
            • Instruction Fuzzy Hash: B421F2B1614248DFDB01DF64E9C4B27BB65FF84324F24C969E9094B246C376D846CA62
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000F.00000002.927012969.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_126d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1967e1d8e991aea2e47e39e1f732321430c81ec071d3e65f4882fbb11894070a
            • Instruction ID: 7c5be8d532dd00b4616c4448108a8561fd5966a320ef2ee88060eee755ccd8c7
            • Opcode Fuzzy Hash: 1967e1d8e991aea2e47e39e1f732321430c81ec071d3e65f4882fbb11894070a
            • Instruction Fuzzy Hash: 9F110372504288CFDB02CF54E9C4B16BF71FB84324F2886A9D9490B297C336D896CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000F.00000002.927012969.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_126d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1967e1d8e991aea2e47e39e1f732321430c81ec071d3e65f4882fbb11894070a
            • Instruction ID: f84df072ea352f32b40ffcc7d953be1c711175f9afc43f689baf4d8d9bbf6132
            • Opcode Fuzzy Hash: 1967e1d8e991aea2e47e39e1f732321430c81ec071d3e65f4882fbb11894070a
            • Instruction Fuzzy Hash: DE110376504288CFDB02CF14E9C4B16BF72FB84324F24C6A9D9454B657C336D496CBA2
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000000F.00000002.927061791.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_15_2_127d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7883d842060d0ec81f5009c8ee0316552504d27eb367d12dc34326bcecf933f0
            • Instruction ID: e32343b8cc6ed7f3182e16eb59a219475e15f43e510aebebe0543da06e414d28
            • Opcode Fuzzy Hash: 7883d842060d0ec81f5009c8ee0316552504d27eb367d12dc34326bcecf933f0
            • Instruction Fuzzy Hash: 1C11DD75504284CFDB02CF54E9C4B16BFB1FF84324F28CAAAD9494B656C33AD44ACB61
            Uniqueness

            Uniqueness Score: -1.00%

            Execution Graph

            Execution Coverage: 15.6%
            Dynamic/Decrypted Code Coverage: 100%
            Signature Coverage: 0%
            Total number of Nodes: 21
            Total number of Limit Nodes: 0
            execution_graph (interactive node/edge list from the graph viewer omitted; only the recoverable nodes are kept)
            • Entry nodes: 5541a3c, 55404a8, 5540498
            • API call node: 5541a48 SearchPathW (reached directly from 5541a3c and via 5540744)
            APIs
            Memory Dump Source
            • Source File: 00000018.00000003.780972836.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_24_3_5710000_RegSvcs.jbxd
            Similarity
            • API ID: DecodePointer
            • String ID:
            • API String ID: 3527080286-0
            • Opcode ID: b43b832ac7013a6ba6ac7f115ce1a276dc2503f33240ae4dd528f0dd88cd3b79
            • Instruction ID: 0b0b0ded94b985747c8cb94d4827eb374f035c316df2bf0e1d10161b49f52b33
            • Opcode Fuzzy Hash: b43b832ac7013a6ba6ac7f115ce1a276dc2503f33240ae4dd528f0dd88cd3b79
            • Instruction Fuzzy Hash: 72812270C06248DFDB21DFA8D1887DCFBF1AB08328F24845AE815A7391CB755984DFA6
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 05541BEB
            Memory Dump Source
            • Source File: 00000018.00000002.782211347.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_24_2_5540000_RegSvcs.jbxd
            Similarity
            • API ID: PathSearch
            • String ID:
            • API String ID: 2203818243-0
            • Opcode ID: 309cc8965afece243a0add3ecebe826770f52744bbd5d18041677006e607fa4a
            • Instruction ID: 6f848efae0c06ea59bc1cc50d2207ee6d9af6d09322f07f1a247fd0323d3889c
            • Opcode Fuzzy Hash: 309cc8965afece243a0add3ecebe826770f52744bbd5d18041677006e607fa4a
            • Instruction Fuzzy Hash: 62710571D006199FDB24CF99C9846DDBBF1FF48318F158129E819AB350DB34A985CF85
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 05541BEB
            Memory Dump Source
            • Source File: 00000018.00000002.782211347.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_24_2_5540000_RegSvcs.jbxd
            Similarity
            • API ID: PathSearch
            • String ID:
            • API String ID: 2203818243-0
            • Opcode ID: 64f137e8505b4c61a5962c9281299c0837ccd7f9878c0ece7ff7fa2903795053
            • Instruction ID: ceff3a5441d1ec3e9061201fd4372d64706a8b86562a38c682b08f04cb26b1b2
            • Opcode Fuzzy Hash: 64f137e8505b4c61a5962c9281299c0837ccd7f9878c0ece7ff7fa2903795053
            • Instruction Fuzzy Hash: 29711670D00619DFDB24CF9AC98469EBBF1FF48318F158129E819AB350D774A985CF85
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 00000018.00000003.780972836.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_24_3_5710000_RegSvcs.jbxd
            Similarity
            • API ID: DecodePointer
            • String ID:
            • API String ID: 3527080286-0
            • Opcode ID: d8443e42e987ab1ebc9132b26007ccd35c612cbce4839a438bf393a8aa692f27
            • Instruction ID: 1ddbf96c8db774cfe0489f6ee7e3ec7232f3f52b32b873438abbfe4d1643dd06
            • Opcode Fuzzy Hash: d8443e42e987ab1ebc9132b26007ccd35c612cbce4839a438bf393a8aa692f27
            • Instruction Fuzzy Hash: 6C712470C063489FDB21CFA8D5887DCFBF5AB08328F24845AE815A7391CB755984DBA6
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RtlEncodePointer.NTDLL(00000000), ref: 057132B7
            Memory Dump Source
            • Source File: 00000018.00000003.780972836.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_24_3_5710000_RegSvcs.jbxd
            Similarity
            • API ID: EncodePointer
            • String ID:
            • API String ID: 2118026453-0
            • Opcode ID: 57bf189a9898a9b6917d09291f4f86258fb88c239b23566691ea331a8dc352d2
            • Instruction ID: 1c01b53e6117a1f7c2aa5c91c871133e9289d94c3429afa8c40477356597f5c9
            • Opcode Fuzzy Hash: 57bf189a9898a9b6917d09291f4f86258fb88c239b23566691ea331a8dc352d2
            • Instruction Fuzzy Hash: 9F216AB1D113598FDB60DFA9D54979ABFF4EB04324F10486AEC15E7740CB38A504CBA6
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RtlEncodePointer.NTDLL(00000000), ref: 057132B7
            Memory Dump Source
            • Source File: 00000018.00000003.780972836.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_24_3_5710000_RegSvcs.jbxd
            Similarity
            • API ID: EncodePointer
            • String ID:
            • API String ID: 2118026453-0
            • Opcode ID: 430c1ae8d1e7d97f87abcac0ce089b7cce14276ceba10f37026e005acca88c87
            • Instruction ID: b15d97ae985f706d46cc4925a0eddea2b81fcd727e01df6e54e9d0f288adef5b
            • Opcode Fuzzy Hash: 430c1ae8d1e7d97f87abcac0ce089b7cce14276ceba10f37026e005acca88c87
            • Instruction Fuzzy Hash: 6D115970D113098FDB60DF99D54979ABFF4FB08324F10482AE805E7640CB78A944CFA6
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000018.00000002.782018389.0000000002E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E6D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_24_2_2e6d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2a0f6979d5e85b1f3710c23e4abf7b091875c81050d52b4ea0a6b56ecfdfb2df
            • Instruction ID: 1ea9983269c4e36fd1b78d19970b91e01628f78c5700040cf2cf6fdba210cf7f
            • Opcode Fuzzy Hash: 2a0f6979d5e85b1f3710c23e4abf7b091875c81050d52b4ea0a6b56ecfdfb2df
            • Instruction Fuzzy Hash: 872128B16C4244DFDB05CF10DDC8B36BB65FB88368F28C569E9054B246C336D816CBA2
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000018.00000002.782018389.0000000002E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E6D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_24_2_2e6d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a19a22c32dbae295daec04faceb7aa4170b049a79cffa8067e2041cbd8f24824
            • Instruction ID: b26d42269228c582235a46a66444a95949b80ccfe2184033e39136c6695d2cfc
            • Opcode Fuzzy Hash: a19a22c32dbae295daec04faceb7aa4170b049a79cffa8067e2041cbd8f24824
            • Instruction Fuzzy Hash: D12133B1684240DFDB01DF10DDC8B66BB65FB8836CF24C569E9054A646C336D806C6A2
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000018.00000002.782018389.0000000002E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E6D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_24_2_2e6d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f7668753e47af45a6b1809cf1dd247d186bd07808e2ac97e9ae12c485743572
            • Instruction ID: 38f8d67e4a5e96a106154bb326a952d510b7d7d855791bc81c88fefc141f6ff5
            • Opcode Fuzzy Hash: 7f7668753e47af45a6b1809cf1dd247d186bd07808e2ac97e9ae12c485743572
            • Instruction Fuzzy Hash: 73217F76584284DFDB16CF10D9C4B26BF71FB84324F28C6AAD8444B656C33AD85ACBA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000018.00000002.782018389.0000000002E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E6D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_24_2_2e6d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1967e1d8e991aea2e47e39e1f732321430c81ec071d3e65f4882fbb11894070a
            • Instruction ID: d59fcc93538022a5844f944e7c1831478a6eed4195bed14b8bc0b7a20fd26567
            • Opcode Fuzzy Hash: 1967e1d8e991aea2e47e39e1f732321430c81ec071d3e65f4882fbb11894070a
            • Instruction Fuzzy Hash: 4F11E676544280DFDF11CF10D9C4B26BF72FB84328F28C6A9D8054B656C336D456CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000018.00000002.782018389.0000000002E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E6D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_24_2_2e6d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0e8055c3b832b8565d01557d693900f03d6bdb3476c202c0ea937f8ce81d97ad
            • Instruction ID: 6ff6e6c58efaff67bc54b067919e2da0c7ebff008af2ada47d105176b5339e5d
            • Opcode Fuzzy Hash: 0e8055c3b832b8565d01557d693900f03d6bdb3476c202c0ea937f8ce81d97ad
            • Instruction Fuzzy Hash: D701F7716883849EE7108A25CD8CB72BB98EF412B8F48D45AEA045A286C778A844C673
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000018.00000002.782018389.0000000002E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E6D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_24_2_2e6d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d72802b4b8af3e44d83d2a4ae0b1cab4fff9494c7d8490cc7ff30c0e66035fc3
            • Instruction ID: c6929b7ab6ebdcba9b9f01b531257359eec61b1f90cf5d9652d6f1c4ead3a201
            • Opcode Fuzzy Hash: d72802b4b8af3e44d83d2a4ae0b1cab4fff9494c7d8490cc7ff30c0e66035fc3
            • Instruction Fuzzy Hash: C8F096715443949EEB208E19CCC8B72FF98EB41778F18C45AED085B286C378A844CAB2
            Uniqueness

            Uniqueness Score: -1.00%

            Execution Graph

            Execution Coverage:16.5%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:0%
            Total number of Nodes:27
            Total number of Limit Nodes:0
            APIs
            Memory Dump Source
            • Source File: 0000001C.00000003.784146167.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_28_3_4fd0000_RegSvcs.jbxd
            Similarity
            • API ID: DecodePointer
            • String ID:
            • API String ID: 3527080286-0
            • Opcode ID: 739ab4483766431cea89cb145672c0327f522d44c984184fa2c8f0a8d107cfd1
            • Instruction ID: f47b43af0bf2ec2ddf097d3372f3dcf1b9eee8a7c3051ae6e958c89537a5b127
            • Opcode Fuzzy Hash: 739ab4483766431cea89cb145672c0327f522d44c984184fa2c8f0a8d107cfd1
            • Instruction Fuzzy Hash: 6981F674D01348DFEF21DFA8E58879DBBF1AB08314F28845AE815A7390C7796886CF56
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Memory Dump Source
            • Source File: 0000001C.00000002.784777489.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_28_2_dd0000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 706be10a1dddc8a8283dc2224b092a65d4c93c3610f03f9e2c630834f1c0b91f
            • Instruction ID: 1f6c79638b2f161731495d2e572cb7f6d51d74b05f614375b77ea75b1760d978
            • Opcode Fuzzy Hash: 706be10a1dddc8a8283dc2224b092a65d4c93c3610f03f9e2c630834f1c0b91f
            • Instruction Fuzzy Hash: F8712574D002199FDB24CF99C98469DFBF1FF48314F29812AE819AB350DB34A946CF95
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 0000001C.00000003.784146167.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_28_3_4fd0000_RegSvcs.jbxd
            Similarity
            • API ID: DecodePointer
            • String ID:
            • API String ID: 3527080286-0
            • Opcode ID: 7b51a5e77f9428f5dce2816feb43384cfca1b47d1016b13ce36d1732c6855df5
            • Instruction ID: f6cb90756802e21338cca31129ea30fad592d212bde045241690e77bb5eabb27
            • Opcode Fuzzy Hash: 7b51a5e77f9428f5dce2816feb43384cfca1b47d1016b13ce36d1732c6855df5
            • Instruction Fuzzy Hash: 43710770C11348DFEF11DFA8D58879DBBF5AB09314F28805AE814A7290C7796886CB56
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 00DD1BEB
            Memory Dump Source
            • Source File: 0000001C.00000002.784777489.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_28_2_dd0000_RegSvcs.jbxd
            Similarity
            • API ID: PathSearch
            • String ID:
            • API String ID: 2203818243-0
            • Opcode ID: ae87b36e6e480dbaf1e73a9b9be2b06d4ad60696ba043f25774d10068fa26756
            • Instruction ID: 40fd8727d677139d8fe3d394f285c42775919b8a0fdd318a3f178d15120b6695
            • Opcode Fuzzy Hash: ae87b36e6e480dbaf1e73a9b9be2b06d4ad60696ba043f25774d10068fa26756
            • Instruction Fuzzy Hash: 6B711474D002199FDB24CF99C98469EFBF1FF48314F29812AE819AB350DB34A945CF95
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RtlEncodePointer.NTDLL(00000000), ref: 04FD32B7
            Memory Dump Source
            • Source File: 0000001C.00000003.784146167.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_28_3_4fd0000_RegSvcs.jbxd
            Similarity
            • API ID: EncodePointer
            • String ID:
            • API String ID: 2118026453-0
            • Opcode ID: eac295cca45b2c13a3421c27005ab628c58e00768cdc0a1aa4d15ec11a9251d3
            • Instruction ID: 34178054861f573238ab8e3a500c3e2c022907c74ff0fd5e6e89e5fbc648856c
            • Opcode Fuzzy Hash: eac295cca45b2c13a3421c27005ab628c58e00768cdc0a1aa4d15ec11a9251d3
            • Instruction Fuzzy Hash: 462190B0D11349CFDB20DF95E4487DABBF4EB04324F144529D805A3600CB38AD45CFA2
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RtlEncodePointer.NTDLL(00000000), ref: 04FD32B7
            Memory Dump Source
            • Source File: 0000001C.00000003.784146167.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_28_3_4fd0000_RegSvcs.jbxd
            Similarity
            • API ID: EncodePointer
            • String ID:
            • API String ID: 2118026453-0
            • Opcode ID: 79ea8897918982abb96e621ad6ccc873b61e337efd1a088929bdf08b73fe82ff
            • Instruction ID: 10e4a0e17e2088e96bc62ef7cfdf8a09f64e2cc8d6b8e95ac7e80a1d8151457c
            • Opcode Fuzzy Hash: 79ea8897918982abb96e621ad6ccc873b61e337efd1a088929bdf08b73fe82ff
            • Instruction Fuzzy Hash: 23116A70D10349CFDB60EFA9E54879ABBF4EB04315F144529D805A3640CB38AD45CFA2
            Uniqueness

            Uniqueness Score: -1.00%

            Execution Graph

            Execution Coverage:15.9%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:0%
            Total number of Nodes:21
            Total number of Limit Nodes:0
            APIs
            Memory Dump Source
            • Source File: 0000001E.00000003.798593549.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_30_3_5350000_RegSvcs.jbxd
            Similarity
            • API ID: DecodePointer
            • String ID:
            • API String ID: 3527080286-0
            • Opcode ID: 7f08721704eab2802a117e88e717b4d33a7fc0d543785b091e369c75b29fcdce
            • Instruction ID: 48c338a165e7415207abc4b60aaabdb8244b30eea4da191c9077d47749e1b611
            • Opcode Fuzzy Hash: 7f08721704eab2802a117e88e717b4d33a7fc0d543785b091e369c75b29fcdce
            • Instruction Fuzzy Hash: 5E810474D05258DFDB21CFA8D188BDCFBF1BB08329F24964AE815A7390C7B55888DB61
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 013A1BEB
            Memory Dump Source
            • Source File: 0000001E.00000002.799427886.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_30_2_13a0000_RegSvcs.jbxd
            Similarity
            • API ID: PathSearch
            • String ID:
            • API String ID: 2203818243-0
            • Opcode ID: d5adc4a3b621ee0289414ed47be59e022d9ed87d150cd9c9ddb849c20b65a5ad
            • Instruction ID: b4fde11fa7b69df852542aa81df9ff17096e574338df8d0486235b8ee6992ab6
            • Opcode Fuzzy Hash: d5adc4a3b621ee0289414ed47be59e022d9ed87d150cd9c9ddb849c20b65a5ad
            • Instruction Fuzzy Hash: 2371F2B0D002198FDF24CF99C98469EBBF1FF48318F658129E819AB350DB74A945CF85
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 013A1BEB
            Memory Dump Source
            • Source File: 0000001E.00000002.799427886.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_30_2_13a0000_RegSvcs.jbxd
            Similarity
            • API ID: PathSearch
            • String ID:
            • API String ID: 2203818243-0
            • Opcode ID: 1e58ac410394637fa348040a218ba830605f62a46d96aeadf25dac13550545ba
            • Instruction ID: e1fa0206e174c1cb790790e170e7868fc37efc6d0a4c4a0823ed60d5a9efe85f
            • Opcode Fuzzy Hash: 1e58ac410394637fa348040a218ba830605f62a46d96aeadf25dac13550545ba
            • Instruction Fuzzy Hash: FF7101B0E002199FDF24CF99C98469EBBF1FF48318F658129E919AB350DB34A945CF85
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            Memory Dump Source
            • Source File: 0000001E.00000003.798593549.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_30_3_5350000_RegSvcs.jbxd
            Similarity
            • API ID: DecodePointer
            • String ID:
            • API String ID: 3527080286-0
            • Opcode ID: bd7fe323d6e8c9ea2f78c37ef71495a25ff7e11e0868da0df1f6d43062c7eeb1
            • Instruction ID: 54b3b65103e8214f251347c7cec5277ef4f3006d13f0f076242d30124cff1eb8
            • Opcode Fuzzy Hash: bd7fe323d6e8c9ea2f78c37ef71495a25ff7e11e0868da0df1f6d43062c7eeb1
            • Instruction Fuzzy Hash: 1F712674C052489FDB11CFA8D588BDCFFF5BB08329F24964AE819A7390C3B55888DB61
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RtlEncodePointer.NTDLL(00000000), ref: 053532B7
            Memory Dump Source
            • Source File: 0000001E.00000003.798593549.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_30_3_5350000_RegSvcs.jbxd
            Similarity
            • API ID: EncodePointer
            • String ID:
            • API String ID: 2118026453-0
            • Opcode ID: 07dd8e63e7962a3c9e26f96c0df84a2736e1f07ac080df000eac1fe6e24410e4
            • Instruction ID: db0fa98ea35b13d88d0c12a23c950591d74f978f89c1340d6745a44fd428912c
            • Opcode Fuzzy Hash: 07dd8e63e7962a3c9e26f96c0df84a2736e1f07ac080df000eac1fe6e24410e4
            • Instruction Fuzzy Hash: CA2188B1D417858FCB60CFA9D5487EEBBF4FB05328F11496AD805A3A41C3795908CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • RtlEncodePointer.NTDLL(00000000), ref: 053532B7
            Memory Dump Source
            • Source File: 0000001E.00000003.798593549.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_30_3_5350000_RegSvcs.jbxd
            Similarity
            • API ID: EncodePointer
            • String ID:
            • API String ID: 2118026453-0
            • Opcode ID: d34e1f74b6df0b1cdc425aed5aae2d673334caf9ae31076656b075e0d822b6ab
            • Instruction ID: 63e2c3b164a22c3bc200cc18e0a5e84163f3a52836b230172b1ed349360b2542
            • Opcode Fuzzy Hash: d34e1f74b6df0b1cdc425aed5aae2d673334caf9ae31076656b075e0d822b6ab
            • Instruction Fuzzy Hash: 73115971D417458FDB60CF99D5487AEBBF8FB08328F104929D809A3640C778A948CFA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Memory Dump Source
            • Source File: 0000001E.00000002.799294887.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_30_2_130d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0e1c0dc1d4ef1069a2c904fe13ac876049af79040f8de1ffd296d5dfdf08a5ce
            • Instruction ID: 59740c5c0ac9d23553e30347965129cb8b71be5fa4175212bb2984124a4aaae0
            • Opcode Fuzzy Hash: 0e1c0dc1d4ef1069a2c904fe13ac876049af79040f8de1ffd296d5dfdf08a5ce
            • Instruction Fuzzy Hash: 1F213871504248DFDB02CF94DDD0B26BFE5FB88338F248569D9094A286C336D446CAA2
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            Memory Dump Source
            • Source File: 0000001E.00000002.799294887.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_30_2_130d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: de091af83101525dac9393561cfc2232151e34913b2902f1d6da2568432c5843
            • Instruction ID: 0a86c5902f4c8a44607d410db28ae831f965ac111039829e9882f8b5e9813494
            • Opcode Fuzzy Hash: de091af83101525dac9393561cfc2232151e34913b2902f1d6da2568432c5843
            • Instruction Fuzzy Hash: FC2145B1504204DFDB02CF94D9D4B26BBE5FB8832CF248569ED064B28AC337D806C7A2
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph
            • Basic blocks (node id: address range): 401: 130d5ef-130d606, 402: 130d69a-130d6a1, 403: 130d60c, 404: 130d60e-130d61a, 405: 130d620-130d642, 406: 130d6a6-130d6ab, 408: 130d6b0-130d6c5, 409: 130d644-130d662, 412: 130d66a-130d67a, 413: 130d67c-130d684, 414: 130d6d2, 415: 130d686-130d697, 416: 130d6c7-130d6d0
            • Edges: 401->402, 401->403, 402->404, 403->404, 404->405, 404->406, 405->408, 405->409, 406->405, 408->413, 409->412, 412->413, 412->414, 413->415, 413->416, 416->415
            Memory Dump Source
            • Source File: 0000001E.00000002.799294887.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_30_2_130d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1967e1d8e991aea2e47e39e1f732321430c81ec071d3e65f4882fbb11894070a
            • Instruction ID: 458dae488991d6afb41ba6a244b9473951b4bdf6372c26678582ef5328cdead7
            • Opcode Fuzzy Hash: 1967e1d8e991aea2e47e39e1f732321430c81ec071d3e65f4882fbb11894070a
            • Instruction Fuzzy Hash: 6611D376504284CFDB12CF94D9D4B16BFB1FB84324F28C6A9D8490B657C336D456CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph
            • Basic blocks (node id: address range): 384: 130d503-130d51a, 385: 130d520, 386: 130d5ae-130d5b5, 387: 130d522-130d52e, 388: 130d534-130d556, 389: 130d5ba-130d5bf, 391: 130d5c4-130d5d9, 392: 130d558-130d576, 394: 130d57e-130d58e, 396: 130d590-130d598, 397: 130d5e6, 398: 130d59a-130d5ab, 399: 130d5db-130d5e4
            • Edges: 384->385, 384->386, 385->387, 386->387, 387->388, 387->389, 388->391, 388->392, 389->388, 391->396, 392->394, 394->396, 394->397, 396->398, 396->399, 399->398
            Memory Dump Source
            • Source File: 0000001E.00000002.799294887.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_30_2_130d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1967e1d8e991aea2e47e39e1f732321430c81ec071d3e65f4882fbb11894070a
            • Instruction ID: 85b46b5f91ad62126d81a93e6512269246249224adf36cf972489fbd1c507646
            • Opcode Fuzzy Hash: 1967e1d8e991aea2e47e39e1f732321430c81ec071d3e65f4882fbb11894070a
            • Instruction Fuzzy Hash: 96110372404280CFDB12CF44D9C4B16BFB2FB84328F2486A9DC050B257C336D45ACBA1
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000001E.00000002.799294887.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_30_2_130d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1268edfb186b62ce1c55a1900bca3b8591c5ebb179cc436f850287379fbcc98f
            • Instruction ID: 3620cdbe88dfd1630fa8149257223339f8df414108edbf0d1dc1ca24201240ab
            • Opcode Fuzzy Hash: 1268edfb186b62ce1c55a1900bca3b8591c5ebb179cc436f850287379fbcc98f
            • Instruction Fuzzy Hash: B001FC715083C49AE7128E99CD94B62BFDCDF4163CF04C459EE055A6C6C7789440C672
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 0000001E.00000002.799294887.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_30_2_130d000_RegSvcs.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ff91c208b14382f79cb866b6e70ade6a7d55bef1905ca0b86cc4d94d621f2085
            • Instruction ID: ccf153bab3e450ea7a9985774bd211ccf66bedc3677d740230eb674eb98f52d0
            • Opcode Fuzzy Hash: ff91c208b14382f79cb866b6e70ade6a7d55bef1905ca0b86cc4d94d621f2085
            • Instruction Fuzzy Hash: F6F096715043849EE7218E59DCC8B62FFECEB41638F18C55AEE085F286C3789844CAB1
            Uniqueness

            Uniqueness Score: -1.00%