

Windows Analysis Report
1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe

Overview

General Information

Sample name:1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Analysis ID:1467918
MD5:dd1bd551108f3ec1e9e775c7b09a0e1c
SHA1:418ec6e49557849276c4a8198b92eff0af4b957f
SHA256:e347ded6059659a1c81d016b64bb550d7fe94fb789957ed5f312eacebb8944db
Tags:exe

Detection

AgentTesla, PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected AgentTesla
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • fMNDB.exe (PID: 7616 cmdline: "C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe" MD5: DD1BD551108F3EC1E9E775C7B09A0E1C)
  • fMNDB.exe (PID: 7796 cmdline: "C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe" MD5: DD1BD551108F3EC1E9E775C7B09A0E1C)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.raczki.pl", "Username": "wojt@raczki.pl", "Password": "obslugaradygminy"}
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Rule: MALWARE_Win_RedLine (Detects RedLine infostealer; Author: ditekSHen)
Strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 07 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe
Rule: MALWARE_Win_RedLine (Detects RedLine infostealer; Author: ditekSHen)
Strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 07 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source | Rule | Description | Author
00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(61 memory-dump matches in total; the first five are listed here)
Source | Rule | Description | Author
0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
Strings:
                  • 0x40470:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                  • 0x404e2:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                  • 0x4056c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                  • 0x405fe:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                  • 0x40668:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                  • 0x406da:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                  • 0x40770:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                  • 0x40800:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.fMNDB.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
Strings:
                  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
                  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
                  • 0x700:$s3: 83 EC 38 53 B0 07 88 44 24 2B 88 44 24 2F B0 62 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
                  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
                  • 0x1e9d0:$s5: delete[]
                  • 0x1de88:$s6: constructor or from DllMain.
(217 unpacked-PE matches in total; the first five are listed here)
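The eight strings in the INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID rule above are Windows Vault schema identifiers, that is, the GUIDs that name the credential types stored by the Windows Credential Manager vault; code that carries them is typically enumerating vault items through vaultcli. The Python below is an added example, not the rule's own code: it scans a buffer for those GUIDs in the three forms they can take inside a PE (ASCII text, UTF-16LE text as the CLR stores C# string literals, and the raw 16-byte GUID struct, which a text-only rule would miss) and applies a threshold in the spirit of a YARA "N of them" condition. The credential-type names attached to each GUID are the ones used by public tooling (mimikatz' vault module) and are not stated by the report; the sample buffer is constructed rather than taken from the sample; and the 3-of-8 threshold is an assumption, since the rule's condition is not shown above.

```python
"""Scan a byte image for the Windows Vault schema GUIDs the ditekSHen rule keys on.
Added example; not part of the Joe Sandbox report or of the YARA rule itself."""
import re
import uuid

# GUIDs from the rule's $s1..$s8 strings. The names are the credential types public
# tooling (mimikatz' vault module) assigns to these schemas; the report lists only GUIDs.
VAULT_SCHEMA_GUIDS = {
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5": "Windows Secure Note",
    "3CCD5499-87A8-4B10-A215-608888DD3B55": "Windows Web Password Credential",
    "154E23D0-C644-4E6F-8CE6-5069272F999F": "Windows Credential Picker Protector",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28": "Web Credentials",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29": "Windows Credentials",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC": "Windows Domain Certificate Credential",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B": "Windows Domain Password Credential",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548": "Windows Extended Credential",
}


def guid_patterns(guid_text):
    """The three byte forms a GUID takes inside a PE: ASCII text, UTF-16LE text (how the
    CLR stores C# string literals in the #US heap) and the raw 16-byte GUID struct
    (Data1..Data3 little-endian, Data4 in order). Text forms match case-insensitively;
    IGNORECASE on a bytes pattern folds only ASCII letters, which suits both encodings."""
    return {
        "ascii": re.compile(re.escape(guid_text.encode("ascii")), re.IGNORECASE),
        "wide": re.compile(re.escape(guid_text.encode("utf-16-le")), re.IGNORECASE),
        "struct": re.compile(re.escape(uuid.UUID(guid_text).bytes_le)),
    }


def scan_vault_guids(data, encodings=("ascii", "wide", "struct"), guids=VAULT_SCHEMA_GUIDS):
    """Every occurrence of a known vault schema GUID in `data`, sorted by offset."""
    hits = []
    for guid_text, name in guids.items():
        patterns = guid_patterns(guid_text)
        for encoding in encodings:
            for match in patterns[encoding].finditer(data):
                hits.append({"offset": match.start(), "encoding": encoding,
                             "guid": guid_text, "name": name})
    return sorted(hits, key=lambda h: h["offset"])


def vault_verdict(hits, minimum=3):
    """Threshold in the spirit of a YARA 'N of ($s*)' condition. The real rule's
    condition is not shown in the report, so 3 distinct GUIDs is an assumption."""
    distinct = sorted({h["guid"] for h in hits})
    return len(distinct) >= minimum, distinct


def build_sample():
    """Constructed stand-in for a stealer image (not bytes from the real sample): one
    GUID as ASCII text, one as a UTF-16LE literal, one as a raw GUID struct."""
    pad = b"\x00" * 64
    return (b"MZ" + pad
            + b"2F1A6504-0641-44CF-8BB5-3612D865F2E5" + pad
            + "4bf4c442-9b8a-41a0-b380-dd4a704ddb28".encode("utf-16-le") + pad
            + uuid.UUID("77BC582B-F0A6-4E15-4E80-61736B6F3B29").bytes_le + pad)


if __name__ == "__main__":
    image = build_sample()
    for hit in scan_vault_guids(image):
        print(f"0x{hit['offset']:06x} {hit['encoding']:6} {hit['guid']}  {hit['name']}")
    print("text-only scan fires:", vault_verdict(scan_vault_guids(image, ("ascii", "wide")))[0])
    print("with struct form:    ", vault_verdict(scan_vault_guids(image))[0])
```

Running the block shows the point of the third encoding: the text-only scan sees two GUIDs and stays below the threshold, while adding the struct form finds the third and fires. When porting this idea back into YARA, declare the text strings with `ascii wide nocase` and add the `bytes_le` form as a hex string so a sample that keeps the GUIDs as binary constants is still caught.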

                  System Summary

Sigma: CurrentVersion Autorun Keys Modification. Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, ProcessId: 7416, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fMNDB
Sigma: Suspicious Outbound SMTP Connections. Source: Network Connection; Author: frack113; Data: DestinationIp: 185.49.148.195, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, Initiated: true, ProcessId: 7416, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
                  No Snort rule has matched
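The two Sigma matches above (a Run-key write by PID 7416, then an initiated TCP connection to 185.49.148.195:587 from the same PID) and the extracted SMTP configuration can be combined into a single correlation check. The Python below is an added example, not part of the Joe Sandbox report and not any Sigma rule's own code: it re-implements the gist of both detections over constructed Sysmon-style events, resolves the configured host through a constructed Sysmon DNS event (event ID 22) so the connection can be matched by address as well as by name, and scores each process. The mail-client allowlist and the severity thresholds are assumptions to tune for your estate; the Outlook, DNS and installer rows are invented for contrast; the mailbox password from the configuration is left out.

```python
"""Logic behind the two Sigma matches above, run over constructed Sysmon-style events
and tied to the extracted AgentTesla exfil config. Added example, not report content."""
import re
from collections import defaultdict

AGENTTESLA_CONFIG = {"Exfil Mode": "SMTP", "Port": 587, "Host": "mail.raczki.pl"}  # password omitted
SMTP_PORTS = {25, 465, 587}
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Images allowed to originate SMTP; an assumption to tune to your own estate.
MAIL_CLIENT_ALLOWLIST = {"c:\\program files\\microsoft office\\root\\office16\\outlook.exe",
                         "c:\\program files\\mozilla thunderbird\\thunderbird.exe"}
SAMPLE = r"C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe"
# Constructed events: the PID 7416 rows mirror the Sigma match data in the report;
# the DNS row, the Outlook row and the installer row are invented for contrast.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 7416, "Image": SAMPLE,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fMNDB",
     "Details": r"C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe"},
    {"EventID": 22, "ProcessId": 7416, "Image": SAMPLE, "QueryName": "mail.raczki.pl",
     "QueryResults": "::ffff:185.49.148.195;"},
    {"EventID": 3, "ProcessId": 7416, "Image": SAMPLE, "Protocol": "tcp", "Initiated": True,
     "SourceIp": "192.168.2.4", "SourcePort": 49730, "DestinationHostname": "",
     "DestinationIp": "185.49.148.195", "DestinationPort": 587},
    {"EventID": 3, "ProcessId": 4242, "Protocol": "tcp", "Initiated": True,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.example.net", "DestinationIp": "203.0.113.10", "DestinationPort": 587},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 5100, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]


def is_run_key_modification(ev):
    """Sysmon event 13 (registry SetValue) on a CurrentVersion\\Run* key."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return False
    return any(m in ev.get("TargetObject", "").lower() for m in RUN_KEY_MARKERS)


def is_suspicious_smtp(ev):
    """Sysmon event 3: initiated TCP to an SMTP port from an image that is not a mail client."""
    if ev.get("EventID") != 3 or ev.get("Protocol") != "tcp" or not ev.get("Initiated"):
        return False
    return (ev.get("DestinationPort") in SMTP_PORTS
            and ev.get("Image", "").lower() not in MAIL_CLIENT_ALLOWLIST)


def resolved_ips(events, hostname):
    """IPv4 answers for `hostname` from Sysmon event 22. QueryResults is a ';'-separated
    list in which IPv4 answers carry a '::ffff:' prefix."""
    ips = set()
    for ev in events:
        if ev.get("EventID") == 22 and ev.get("QueryName", "").lower() == hostname.lower():
            for answer in ev.get("QueryResults", "").split(";"):
                answer = answer.strip().removeprefix("::ffff:")
                if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", answer):
                    ips.add(answer)
    return ips


def matches_exfil_config(ev, cfg, c2_ips):
    """Network event to the extracted C2 host (by name, or by an IP it resolved to) on the configured port."""
    if ev.get("EventID") != 3 or ev.get("DestinationPort") != cfg["Port"]:
        return False
    return (ev.get("DestinationHostname", "").lower() == cfg["Host"].lower()
            or ev.get("DestinationIp") in c2_ips)


def correlate(events, cfg=AGENTTESLA_CONFIG):
    """Group findings per ProcessId. Run-key persistence plus SMTP to the extracted C2 from
    the same process scores 'high'; any other odd SMTP 'medium'; persistence alone 'low'."""
    c2_ips = resolved_ips(events, cfg["Host"])
    tags = defaultdict(set)
    for ev in events:
        pid = ev.get("ProcessId")
        if is_run_key_modification(ev):
            tags[pid].add("run_key_persistence")
        if is_suspicious_smtp(ev):
            tags[pid].add("suspicious_smtp")
        if matches_exfil_config(ev, cfg, c2_ips):
            tags[pid].add("known_c2_smtp")
    alerts = []
    for pid, found in sorted(tags.items()):
        if {"run_key_persistence", "known_c2_smtp"} <= found:
            severity = "high"
        elif found & {"suspicious_smtp", "known_c2_smtp"}:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"pid": pid, "severity": severity, "tags": sorted(found)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["pid"], alert["tags"])
```

Two things carry over to production use. First, the C2 match does not rely on Sysmon's DestinationHostname field, which is often empty, but on the process's own DNS answers, so a host that rotates its address is still caught as long as the DNS event is collected. Second, scoring per ProcessId is what separates this sample from a legitimate installer that also writes a Run key: persistence alone stays "low", and only the combination with SMTP to the extracted host reaches "high".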



                  AV Detection

Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Avira: detected
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Avira: detection malicious, Label: TR/Spy.Gen8
Source: 1.2.fMNDB.exe.3546458.5.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.raczki.pl", "Username": "wojt@raczki.pl", "Password": "obslugaradygminy"}
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; ReversingLabs: Detection: 52%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Joe Sandbox ML: detected
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Joe Sandbox ML: detected
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Note: the dropped C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe carries the same MD5 as the submitted sample (dd1bd551108f3ec1e9e775c7b09a0e1c), so it is a byte-identical self-copy placed under %APPDATA% for the Run-key persistence rather than a second-stage payload; one hash covers both files.
                  Source: Binary string: _.pdb source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831905265.00000000021FF000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000003.1740970421.0000000000762000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1833007335.0000000003545000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2894238732.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892950015.000000000224F000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, fMNDB.exe, 00000003.00000003.1819413806.00000000007D1000.00000004.00000020.00020000.00000000.sdmp
                  Source: global trafficTCP traffic: 192.168.2.4:49730 -> 185.49.148.195:587
Source: Joe Sandbox View; IP Address: 185.49.148.195
Source: Joe Sandbox View; ASN Name: PL-BEYOND-ASPL
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficDNS traffic detected: DNS query: mail.raczki.pl
Note: the certum.pl, ocsp-certum.com and repository.certum.pl URLs in this group are CRL, OCSP and CPS pointers from a Certum-issued X.509 certificate chain present in the binary or its process memory (the trailing characters such as 0k, 0q, 04, 09 are adjacent DER bytes, not part of the URL). They are certificate artefacts, not stealer infrastructure; the operational indicators are mail.raczki.pl and 185.49.148.195:587.
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894752336.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894648241.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.certum.pl/dvcasha2.crl0q
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894648241.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dvcasha2.ocsp-certum.com04
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.raczki.pl
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raczki.pl
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894752336.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894648241.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://repository.certum.pl/dvcasha2.cer0
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894752336.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894752336.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.certum.pl/CPS0
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, fMNDB.exe, 00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831905265.00000000021FF000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1833007335.0000000003545000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2894238732.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892950015.000000000224F000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, fMNDB.exe, 00000003.00000003.1819413806.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894648241.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.certum.pl/CPS0

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, SKTzxzsJw.cs; .Net Code: JTHNI

                  System Summary

Matched rule: Detects RedLine infostealer (Author: ditekSHen), type SAMPLE:
  • 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Matched rule: Detects RedLine infostealer (Author: ditekSHen), type UNPACKEDPE:
  • 0.0.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.400000.0.unpack
  • 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.400000.0.unpack
  • 1.0.fMNDB.exe.400000.0.unpack
  • 1.2.fMNDB.exe.400000.0.unpack
  • 3.0.fMNDB.exe.400000.0.unpack
  • 3.2.fMNDB.exe.400000.0.unpack
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen), type UNPACKEDPE:
  • 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.unpack
  • 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.unpack
  • 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.unpack
  • 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.raw.unpack
  • 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.unpack
  • 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack
  • 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.unpack
  • 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.unpack
  • 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.unpack
  • 1.2.fMNDB.exe.223f61e.1.unpack
  • 1.2.fMNDB.exe.2240506.2.raw.unpack
  • 1.2.fMNDB.exe.2240506.2.unpack
  • 1.2.fMNDB.exe.3545570.4.raw.unpack
  • 1.2.fMNDB.exe.3545570.4.unpack
  • 1.2.fMNDB.exe.3546458.5.raw.unpack
  • 1.2.fMNDB.exe.3546458.5.unpack
  • 1.2.fMNDB.exe.3594190.3.raw.unpack
  • 1.2.fMNDB.exe.3594190.3.unpack
  • 1.2.fMNDB.exe.4a80000.7.unpack
  • 1.2.fMNDB.exe.4a80ee8.6.unpack
  • 1.2.fMNDB.exe.50e0000.8.raw.unpack
  • 1.2.fMNDB.exe.50e0000.8.unpack
  • 1.3.fMNDB.exe.714da8.0.raw.unpack
  • 3.2.fMNDB.exe.228f61e.2.raw.unpack
  • 3.2.fMNDB.exe.228f61e.2.unpack
  • 3.2.fMNDB.exe.2290506.1.raw.unpack
  • 3.2.fMNDB.exe.2290506.1.unpack
  • 3.2.fMNDB.exe.2560000.3.raw.unpack
  • 3.2.fMNDB.exe.2560000.3.unpack
  • 3.2.fMNDB.exe.2560ee8.4.unpack
  • 3.2.fMNDB.exe.35c6458.7.raw.unpack
  • 3.2.fMNDB.exe.35c6458.7.unpack
  • 3.2.fMNDB.exe.3614190.6.raw.unpack
  • 3.2.fMNDB.exe.3614190.6.unpack
  • 3.2.fMNDB.exe.4b20000.8.raw.unpack
  • 3.3.fMNDB.exe.7d19c8.0.raw.unpack
  • 3.3.fMNDB.exe.7d19c8.0.unpack
Note: the RedLine rule only ever hits the native 400000 image of each process (the outer stub), and its strings are MSVC runtime and loader artefacts ($s3 is a function prologue, $s4 a compiler-generated table, $s5 delete[], $s6 a CRT error message) shared by many native packers, while the Joe Security family rules and the configuration extractor attribute the in-memory payload to AgentTesla with PureLog characteristics. Read the RedLine hit as a packer or stub match, not as an attribution.
                  Source: 3.2.fMNDB.exe.35c5570.5.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 1.3.fMNDB.exe.714da8.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 3.2.fMNDB.exe.35c5570.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 3.2.fMNDB.exe.4b20000.8.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 1.2.fMNDB.exe.4a80000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 3.2.fMNDB.exe.2560ee8.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 1.2.fMNDB.exe.4a80ee8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 1.2.fMNDB.exe.223f61e.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe, type: DROPPEDMatched rule: Detects RedLine infostealer Author: ditekSHen
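The Yara table above lists the same rule once per memory region, and usually twice per region (the `.unpack` and the `.raw.unpack` view), and the second Yara table further down repeats each hit under the rule's name rather than its description. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses those flattened rows as they appear on this page and collapses them to one line per process and rule with the number of distinct regions, which is the view an analyst actually wants for triage. The source-column layout it assumes (pid.stage.image.address.index for unpacked PEs; pid, stage and base address as the first, second and fourth dotted fields of a memory-dump name) is my reading of the report format, not something the page states, and is marked as an assumption in the code. The sample rows are copied from the tables on this page.

```python
"""Collapse Joe Sandbox Yara-hit rows into one line per (process, rule).

Added example; not part of the Joe Sandbox report or its tooling. It parses the
flattened table rows as they appear on the page ("Source: ..., type: ...Matched
rule: ...", with or without a separator before "Matched rule") so that
near-duplicate rows (".unpack" and ".raw.unpack" of one region, the same region
listed under the rule description and again under the rule name, a memory dump
of the same base address) collapse into a short triage summary.

ASSUMPTION (my reading of the report format, not stated on the page):
  UNPACKEDPE  <pid>.<stage>.<image>.<hex base address>.<index>[.raw].unpack
  MEMORY      dotted fields; field 0 = pid, field 1 = stage, field 3 = base address
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*;?\s*Matched rule:\s*(?P<rule>.+?)\s*$"
)
UNPACKED_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9a-fA-F]+)\.(?P<idx>\d+)\.(?:raw\.)?unpack$"
)
# Rows of the second table start with the rule name, followed by "key = value" metadata.
RULE_NAME_RE = re.compile(r"^(?P<name>\w+)\s+(?:author|description|snort2_sid|clamav_sig)\s*=")
DESC_RE = re.compile(r"description\s*=\s*(?P<desc>.+?)(?:,\s*\w+\s*=|$)")


def norm_addr(hex_addr):
    """Lower-case and drop leading zeros so '0000000004A80000' equals '4a80000'."""
    return hex_addr.lower().lstrip("0") or "0"


def rule_key(rule_text):
    """Return (rule name or None, description or None) for the 'Matched rule' column."""
    m = RULE_NAME_RE.match(rule_text)
    if m:
        d = DESC_RE.search(rule_text)
        return m["name"], (d["desc"].strip() if d else None)
    # Description-only row: "<description> Author: <handle>"
    return None, re.sub(r"\s*Author:\s*\S+\s*$", "", rule_text).strip()


def parse_source(source, kind):
    """Return (process key, image name or None, normalised region or None)."""
    if kind == "UNPACKEDPE":
        m = UNPACKED_RE.match(source)
        if m:
            return int(m["pid"]), m["image"], norm_addr(m["addr"])
    elif kind == "MEMORY":
        fields = source.split(".")
        if len(fields) > 3 and fields[0].isdigit():
            return int(fields[0]), None, norm_addr(fields[3])  # assumed field layout
    # DROPPED / SAMPLE rows: the source is a file path or name, no memory region.
    return source, None, None


def summarize(rows):
    """Map (process key, rule name) -> set of distinct regions (or file paths)."""
    parsed, desc_to_name = [], {}
    for line in rows:
        m = ROW_RE.search(line)
        if not m:
            continue
        name, desc = rule_key(m["rule"])
        if name and desc:
            desc_to_name[desc] = name  # lets description-only rows join the named rule
        parsed.append((m["source"].strip(), m["type"], name, desc))
    hits = defaultdict(set)
    for source, kind, name, desc in parsed:
        proc, _image, region = parse_source(source, kind)
        rule = name or desc_to_name.get(desc, desc)
        hits[(proc, rule)].add(region if region is not None else source)
    return dict(hits)


def render(rows):
    """One line per (process, rule), sorted for stable output."""
    items = sorted(summarize(rows).items(), key=lambda kv: (str(kv[0][0]), kv[0][1]))
    return [f"{proc}  {rule}: {len(regions)} distinct region(s)" for (proc, rule), regions in items]


# Sample rows copied from the report tables on this page (constructed test input).
SAMPLE_ROWS = [
    "Source: 1.2.fMNDB.exe.223f61e.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen",
    "Source: 1.2.fMNDB.exe.223f61e.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen",
    "Source: 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen",
    "Source: 1.2.fMNDB.exe.4a80000.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers",
    "Source: 1.2.fMNDB.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073",
    r"Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe, type: DROPPEDMatched rule: Detects RedLine infostealer Author: ditekSHen",
    "Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen",
]

if __name__ == "__main__":
    print("\n".join(render(SAMPLE_ROWS)))
```

Run against the seven sample rows, the three pid-1 description-only hits plus the named hit collapse to two regions of `INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID` (223f61e and 4a80000, the memory dump and the unpacked PE at the same base being counted once), the dropped file and the in-memory image of `fMNDB.exe` each carry one `MALWARE_Win_RedLine` hit, and pid 0 shows one vault-GUID region. To process a whole report, feed `render()` the lines of the saved page instead of `SAMPLE_ROWS`.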
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_00408C60
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_0040DC11
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_00407C3F
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_00418CCC
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_00406CA0
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_004028B0
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_0041A4BE
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_00408C60
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_00418244
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_00401650
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_00402F20
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_004193C4
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_00418788
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_00402F89
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_00402B90
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_004073A0
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_0219CC78
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_0219D890
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_02190F40
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_02190FD0
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_0219CFC0
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_02191030
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_02778AC8
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_027758E8
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_0277E6C8
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_0277C418
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_02770040
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_02770007
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_0277B608
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_05B699A9
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_05B65A90
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_05B64AF8
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_05B67F58
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_05B609F8
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_0636DA89
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_063678E0
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_06366078
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_020BCC78
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_020BD890
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_020BCFC0
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_020B0FD0
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_020B1030
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_05B3E598
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_05B3C2C0
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_05B352C8
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_05B38D0F
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_05B3ECBF
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_05B30013
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_05B30040
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_05B699A9
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_05B67CA0
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_05B65A98
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_05B646FA
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 1_2_05B609F8
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_0077D8A0
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_0077CC88
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_0077CFD0
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_00771030
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_00770FD0
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_059FE598
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_059F578A
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_059F8968
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_059FC2C0
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_059FECBF
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_059F0006
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_059F0040
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_05A246FB
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_05A27CA0
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_05A299A9
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_05A25A98
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_05A209F8
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_06237400
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_0623D5E9
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Code function: 3_2_06235B98
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: String function: 0040E1D8 appears 43 times
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename158bf27d-8add-42b0-9c59-29d7b3834f24.exe4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename_.dll4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilename158bf27d-8add-42b0-9c59-29d7b3834f24.exe4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000003.1624911204.0000000000849000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMsMpLics.dllj% vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilename158bf27d-8add-42b0-9c59-29d7b3834f24.exe4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilename_.dll4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename158bf27d-8add-42b0-9c59-29d7b3834f24.exe4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename_.dll4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.0000000002791000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilename158bf27d-8add-42b0-9c59-29d7b3834f24.exe4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename158bf27d-8add-42b0-9c59-29d7b3834f24.exe4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename_.dll4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2891200196.0000000000198000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Binary or memory string: OriginalFilename158bf27d-8add-42b0-9c59-29d7b3834f24.exe4 vs 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, type: SAMPLE; Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.fMNDB.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 3.2.fMNDB.exe.228f61e.2.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.2.fMNDB.exe.3594190.3.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.2.fMNDB.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 3.0.fMNDB.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 1.2.fMNDB.exe.3545570.4.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.3.fMNDB.exe.714da8.0.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.0.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 3.2.fMNDB.exe.35c6458.7.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.0.fMNDB.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 1.2.fMNDB.exe.50e0000.8.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.2.fMNDB.exe.4a80ee8.6.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.2.fMNDB.exe.3594190.3.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.3.fMNDB.exe.7d19c8.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.2.fMNDB.exe.2240506.2.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.2.fMNDB.exe.4a80000.7.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.fMNDB.exe.2560000.3.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.2.fMNDB.exe.223f61e.1.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.2.fMNDB.exe.3545570.4.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.fMNDB.exe.228f61e.2.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.3.fMNDB.exe.7d19c8.0.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.fMNDB.exe.35c6458.7.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.fMNDB.exe.2560ee8.4.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.2.fMNDB.exe.3546458.5.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.2.fMNDB.exe.50e0000.8.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.fMNDB.exe.3614190.6.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.fMNDB.exe.3614190.6.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.fMNDB.exe.2290506.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.fMNDB.exe.4b20000.8.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.fMNDB.exe.2560000.3.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.2.fMNDB.exe.2240506.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.fMNDB.exe.2290506.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.2.fMNDB.exe.3546458.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.fMNDB.exe.35c5570.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.3.fMNDB.exe.714da8.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.fMNDB.exe.35c5570.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.fMNDB.exe.4b20000.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.2.fMNDB.exe.4a80000.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.fMNDB.exe.2560ee8.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.2.fMNDB.exe.4a80ee8.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 1.2.fMNDB.exe.223f61e.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe, type: DROPPEDMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Static PE information: Section: .rsrc ZLIB complexity 0.9948172982283464
Source: fMNDB.exe.0.dr | Static PE information: Section: .rsrc ZLIB complexity 0.9948172982283464
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@1/1
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,0_2_004019F0
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | File created: C:\Users\user\AppData\Roaming\fMNDB
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Command line argument: 08A | 0_2_00413780
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | File read: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Source: unknown | Process created: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe "C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe "C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe "C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe"
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: _.pdb source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831905265.00000000021FF000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000003.1740970421.0000000000762000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1833007335.0000000003545000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2894238732.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892950015.000000000224F000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, fMNDB.exe, 00000003.00000003.1819413806.00000000007D1000.00000004.00000020.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
                  Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Static PE information: real checksum: 0x23bfb should be: 0x42aeb
                  Source: fMNDB.exe.0.dr | Static PE information: real checksum: 0x23bfb should be: 0x42aeb
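The two checksum lines above report that the value stored in IMAGE_OPTIONAL_HEADER.CheckSum (shown as "real checksum", 0x23bfb) differs from the value recomputed over the file bytes ("should be", 0x42aeb), for both the submitted file and the dropped copy. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it is a pure-Python port of the algorithm that imagehlp!CheckSumMappedFile uses, so the signature can be reproduced on any file without Windows, and it builds a constructed header-only buffer to run against. A mismatch alone is weak evidence, because most user-mode linkers leave the field at zero (reported separately as "unset"); a non-zero stored value that does not match the bytes on disk means the image was changed after its header was written, which is consistent with a packed or dumped file.

```python
"""Recompute the PE header CheckSum and compare it with the stored value.

Added example, not part of the Joe Sandbox report and not code from the
sample.  Pure-Python port of the imagehlp!CheckSumMappedFile algorithm,
plus a constructed header-only buffer to exercise it.
"""
import struct

# Offset of CheckSum relative to e_lfanew: 4-byte 'PE\0\0' signature,
# 20-byte IMAGE_FILE_HEADER, then CheckSum at +0x40 inside the optional
# header (same position for PE32 and PE32+).
CHECKSUM_FIELD_OFFSET = 4 + 20 + 0x40


def _checksum_offset(data):
    """File offset of the CheckSum field, after basic header validation."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    skip = e_lfanew + CHECKSUM_FIELD_OFFSET
    if skip % 4:
        raise ValueError("PE header is not dword aligned")
    return skip


def stored_checksum(data):
    """Value currently written in IMAGE_OPTIONAL_HEADER.CheckSum."""
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def pe_checksum(data):
    """CheckSum Windows would compute for these bytes: a one's-complement
    sum of every 32-bit word except the CheckSum field itself, folded down
    to 16 bits, plus the unpadded file length."""
    skip = _checksum_offset(data)
    padded = data + b"\0" * (-len(data) % 4)  # zero-pad a ragged tail
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def check(data):
    """Return (stored, computed, verdict).  'unset' is the normal case for
    user-mode binaries; 'mismatch' means the bytes changed after linking."""
    stored = stored_checksum(data)
    computed = pe_checksum(data)
    if stored == 0:
        verdict = "unset"
    elif stored == computed:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return stored, computed, verdict


def build_sample(stored):
    """Constructed 0xA0-byte buffer with just enough header to be parsed
    (MZ stub, e_lfanew, PE signature, CheckSum field).  Not loadable."""
    buf = bytearray(0xA0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)            # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + CHECKSUM_FIELD_OFFSET, stored)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        stored, computed, verdict = check(fh.read())
    print(f"stored 0x{stored:x} computed 0x{computed:x} -> {verdict}")
```

Run it as `python checksum.py sample.exe` to get the same three numbers the report shows. The constructed buffer sums to 0xA07D whatever is stored in the field, which is the property that makes the comparison meaningful: the field is excluded from its own computation.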
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Code function: 0_2_0040E21D push ecx; ret 0_2_0040E230
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Code function: 0_2_0040BB97 push dword ptr [ecx-75h]; iretd 0_2_0040BBA3
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Code function: 0_2_0219435B push esp; iretd 0_2_02194361
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Code function: 0_2_0636B0A5 push es; ret 0_2_0636B0AC
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Code function: 0_2_06360C80 push es; ret 0_2_06360C90
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Code function: 1_2_020B435B push esp; iretd 1_2_020B4361
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Code function: 1_2_05B68408 push eax; retf 1_2_05B68411
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Code function: 3_2_0077435B push esp; iretd 3_2_00774361
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Code function: 3_2_059F431F pushad ; iretd 3_2_059F4335
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Code function: 3_2_06230790 push es; ret 3_2_062307A0
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'qtSgq8WCW5EZy', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'qtSgq8WCW5EZy', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'qtSgq8WCW5EZy', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'qtSgq8WCW5EZy', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'qtSgq8WCW5EZy', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                  Source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'qtSgq8WCW5EZy', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
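The "High entropy of concatenated method names" signature is a heuristic for renaming obfuscators: names such as G9skPDgcXb have no word structure, so the character distribution of all method names joined end to end is close to uniform, while real identifiers reuse a small set of letters. The Python below is an added example, not part of the report: it computes that Shannon entropy for the names listed above and for a constructed comparison set of ordinary Win32 import names (taken from the native loader function listed earlier in this section). The 5.0 bits-per-character cut-off is an assumption for illustration; the threshold Joe Sandbox applies is not stated on the page.

```python
"""Entropy of concatenated .NET method names as an obfuscation heuristic.

Added example, not part of the Joe Sandbox report.  The obfuscated list is
copied from the signature above; the readable list is a constructed
comparison set of Win32 import names from the loader function in this
section.  ENTROPY_THRESHOLD is an assumed cut-off, not Joe Sandbox's.
"""
import math
from collections import Counter

OBFUSCATED_NAMES = [
    "G9skPDgcXb", "KDikMXewCI", "B2XkaLi4dH", "hx5kqNgSj4", "TVtkAMaqpL",
    "VDqkQKyKML", "qtSgq8WCW5EZy", "ab9oDe4UH3", "TAOohhiP7R", "zDKosecjaB",
]
READABLE_NAMES = [
    "OleInitialize", "GetCurrentProcessId", "CreateToolhelp32Snapshot",
    "Module32First", "FindResourceA", "LoadResource", "LockResource",
    "SizeofResource", "LoadLibraryA", "GetProcAddress",
]
ENTROPY_THRESHOLD = 5.0  # assumed cut-off, bits per character


def shannon_entropy(text):
    """Bits per character of the symbol distribution in `text`."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def name_entropy(names):
    """Entropy over all names joined together, which is what the signature
    measures: renamed code yields one long, nearly uniform string; real
    identifiers yield a skewed, English-like distribution."""
    return shannon_entropy("".join(names))


def digit_ratio(names):
    """Share of digits in the joined names; a secondary signal, since
    renaming schemes mix digits into identifiers far more than people do."""
    joined = "".join(names)
    if not joined:
        return 0.0
    return sum(ch.isdigit() for ch in joined) / len(joined)


def looks_renamed(names, threshold=ENTROPY_THRESHOLD, min_names=5):
    """Flag a type whose method names look machine-generated.  A handful of
    names gives an unreliable estimate, so short lists are never flagged."""
    if len(names) < min_names:
        return False
    return name_entropy(names) >= threshold


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED_NAMES), ("readable", READABLE_NAMES)):
        print(f"{label:10} entropy={name_entropy(names):.2f} "
              f"digits={digit_ratio(names):.2f} flagged={looks_renamed(names)}")
```

On the names from this report the joined string comes out above 5.3 bits per character, against roughly 4.5 for the Win32 names, so a single threshold separates them; on a real triage run the same function should be applied per type, because a few renamed helpers inside an otherwise readable assembly average out.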
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | File created: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fMNDB

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | File opened: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe:Zone.Identifier read attributes | delete
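The line above records the dropper opening the Zone.Identifier alternate data stream of the copy it wrote under AppData with delete access. That stream is the Mark of the Web: a short INI-style text that Windows attaches to files arriving from the Internet zone and that SmartScreen and Office consult before warning or sandboxing. Removing it is what the "Hides that the sample has been downloaded from the Internet" signature refers to. The Python below is an added example, not part of the report: the parser runs anywhere on a constructed stream body, and the reader function opens the real stream on Windows, where it can be used to confirm whether a dropped file still carries the mark.

```python
"""Read and parse the Zone.Identifier (Mark of the Web) stream.

Added example, not part of the Joe Sandbox report.  The parser runs on any
platform; read_mark_of_the_web() needs Windows, because the stream is an
NTFS alternate data stream opened as 'file:Zone.Identifier'.
"""
import os

# URLZONE values carried in the ZoneId field (urlmon.h).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text):
    """Parse the INI-style stream body.  Returns the keys of the
    [ZoneTransfer] section (ZoneId converted to int when numeric); an empty
    dict means there is no usable mark."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    if "ZoneId" in fields and fields["ZoneId"].isdigit():
        fields["ZoneId"] = int(fields["ZoneId"])
    return fields


def zone_name(fields):
    """Human-readable zone for a parsed stream; 'none' when unmarked."""
    zone = fields.get("ZoneId")
    if zone is None:
        return "none"
    return ZONE_NAMES.get(zone, "unknown")


def read_mark_of_the_web(path):
    """Parsed stream for `path`; {} when the file has no Zone.Identifier
    stream; None where alternate data streams are unavailable (non-Windows)."""
    if os.name != "nt":
        return None
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        # The file exists but the stream does not: no mark, or it was deleted.
        return {}


# Constructed stream body in the layout Windows writes for an Internet-zone
# download (not captured from the sandbox run).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/setup.exe\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        fields = read_mark_of_the_web(sys.argv[1])
        print("ADS not supported here" if fields is None else (fields, zone_name(fields)))
    else:
        fields = parse_zone_identifier(SAMPLE_STREAM)
        print(fields, zone_name(fields))
```

On the analysis host, running this against the dropped fMNDB.exe after the sample has executed should return an empty dict, which is the observable effect of the delete seen above; the HostUrl and ReferrerUrl keys, when present, are also the quickest place to recover where a file originally came from.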
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Memory allocated: 2150000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Memory allocated: 23C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe Memory allocated: 2070000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe Memory allocated: 2540000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe Memory allocated: 22E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe Memory allocated: 770000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe Memory allocated: 25C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe Memory allocated: 24C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Window / User API: threadDelayed 1401
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Window / User API: threadDelayed 8178
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe Window / User API: threadDelayed 2932
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe Window / User API: threadDelayed 6913
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe Window / User API: threadDelayed 6557
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe Window / User API: threadDelayed 2667
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep count: 35 > 30
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7504 Thread sleep count: 1401 > 30
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -99843s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -99724s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7504 Thread sleep count: 8178 > 30
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -99556s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -99326s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -98859s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -98689s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -98343s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -98234s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -98124s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -98013s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -97796s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -97687s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -97578s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -97468s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -97359s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -97249s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -97140s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -97031s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -96921s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -96812s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -96702s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -96586s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -96481s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -96374s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -96222s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -96078s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -95962s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -95859s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -95749s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -95640s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -95531s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -95421s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -95312s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -95203s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -95093s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -94984s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -94874s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -94765s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -94656s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -94546s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -94437s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -94327s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -94208s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe TID: 7496 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -41505174165846465s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7712 Thread sleep count: 2932 > 30
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -99865s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7712 Thread sleep count: 6913 > 30
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -99734s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -99624s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -99515s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -99405s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -99296s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -99187s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -99077s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -98968s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -98851s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -98744s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -98510s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -98341s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -98187s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -98070s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -97953s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -97843s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -97734s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -97624s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -97515s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -97404s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -97296s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -97187s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -97077s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -96968s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -96859s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -96749s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -96640s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -96531s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -96418s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -96312s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -96203s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -96093s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -95984s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -95872s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -95763s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -95647s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -95531s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -95419s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -95234s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -95109s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -94999s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -94890s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -94781s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -94671s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -94562s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -94452s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -94343s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7704 Thread sleep time: -94234s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7936 Thread sleep count: 6557 > 30
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7936 Thread sleep count: 2667 > 30
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -99671s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -99233s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -99125s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -99015s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -98895s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -98765s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -98651s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -98384s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -98247s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -98135s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -97921s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -97703s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -97593s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -97484s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -97375s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -97265s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -97156s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -97046s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -96937s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -96828s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -96718s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -96609s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -96500s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -96390s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -96281s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -96171s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -96062s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -95950s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -95841s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -95733s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -95624s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -95515s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -95340s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -95234s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -95122s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -95015s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -94904s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -94796s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -94687s >= -30000s
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe TID: 7924 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Thread delayed: delay time: 99843
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Thread delayed: delay time: 99724
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Thread delayed: delay time: 99556
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Thread delayed: delay time: 99453
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Thread delayed: delay time: 99326
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Thread delayed: delay time: 99000
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Thread delayed: delay time: 98859
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Thread delayed: delay time: 98689
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Thread delayed: delay time: 98562
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Thread delayed: delay time: 98453
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Thread delayed: delay time: 98343
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Thread delayed: delay time: 98234
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe Thread delayed: delay time: 98124
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 98013Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 97906Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 97796Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 97687Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 97578Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 97468Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 97359Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 97249Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 97140Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 97031Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 96921Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 96812Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 96702Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 96586Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 96481Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 96374Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 96222Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 96078Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 95962Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 95859Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 95749Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 95640Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 95531Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 95421Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 95312Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 95203Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 95093Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 94984Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 94874Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 94765Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 94656Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 94546Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 94437Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 94327Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 94208Jump to behavior
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99865
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99734
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99624
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99515
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99405
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99296
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99187
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99077
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 98968
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 98851
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 98744
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 98625
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 98510
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 98341
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 98187
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 98070
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97953
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97843
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97734
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97624
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97515
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97404
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97296
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97187
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97077
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96968
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96859
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96749
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96640
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96531
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96418
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96312
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96203
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96093
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95984
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95872
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95763
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95647
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95531
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95419
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95234
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95109
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 94999
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 94890
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 94781
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 94671
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 94562
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 94452
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 94343
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 94234
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99671
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99562
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99453
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99343
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99233
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99125
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 99015
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 98895
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 98765
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 98651
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 98384
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 98247
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 98135
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 98031
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97921
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97812
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97703
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97593
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97484
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97375
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97265
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97156
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 97046
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96937
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96828
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96718
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96609
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96500
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96390
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96281
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96171
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 96062
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95950
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95841
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95733
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95624
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95515
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95340
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95234
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95122
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 95015
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 94904
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 94796
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 94687
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Thread delayed: delay time: 922337203685477
Source: fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllstringPNPDeviceID
Source: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894648241.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; API call chain: ExitProcess graph end node (graph_0-52077)
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040CE09
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,0_2_004019F0
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,0_2_004019F0
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree,0_2_0040ADB0
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040CE09
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040E61C
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00416F6A
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_004123F1 SetUnhandledExceptionFilter,0_2_004123F1
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: GetLocaleInfoA,0_2_00417A20
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00412A15
Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fMNDB.exe.228f61e.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.fMNDB.exe.3594190.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.fMNDB.exe.3545570.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.3.fMNDB.exe.714da8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fMNDB.exe.35c6458.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.fMNDB.exe.50e0000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.fMNDB.exe.4a80ee8.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.fMNDB.exe.3594190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.3.fMNDB.exe.7d19c8.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.fMNDB.exe.2240506.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.fMNDB.exe.223f61e.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.3.fMNDB.exe.7d19c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.fMNDB.exe.4a80000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fMNDB.exe.2560000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fMNDB.exe.3614190.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.fMNDB.exe.3545570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fMNDB.exe.35c6458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.fMNDB.exe.3546458.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.fMNDB.exe.50e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fMNDB.exe.228f61e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fMNDB.exe.2560ee8.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fMNDB.exe.3614190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fMNDB.exe.2290506.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fMNDB.exe.4b20000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fMNDB.exe.2560000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.fMNDB.exe.2240506.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fMNDB.exe.2290506.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.fMNDB.exe.3546458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fMNDB.exe.35c5570.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.3.fMNDB.exe.714da8.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fMNDB.exe.35c5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fMNDB.exe.4b20000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.fMNDB.exe.4a80000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fMNDB.exe.2560ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.fMNDB.exe.4a80ee8.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.fMNDB.exe.223f61e.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2894238732.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2892950015.000000000224F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2893613189.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2893613189.000000000260F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000003.1819413806.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2893797859.00000000027DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1831905265.00000000021FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1832183101.000000000258F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2893797859.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1833007335.0000000003545000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1832183101.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe PID: 7416, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: fMNDB.exe PID: 7616, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: fMNDB.exe PID: 7796, type: MEMORYSTR
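                  The match lists above name the same payload many times: once per rebuilt (.unpack) and raw (.raw.unpack) copy of each unpacked PE, once per memory region (.sdmp) and once per whole-process string scan (MEMORYSTR). The following script is an added triage example, not part of the Joe Sandbox report or of Joe Sandbox itself. It parses those "File source:" identifiers and groups the hits by analysed process, so the analyst can see that the submitted sample (process 0) and both fMNDB.exe instances (processes 1 and 3, PIDs 7616 and 7796) all carry the unpacked stealer, and which memory region contains each unpacked PE. The field meanings in the identifier patterns (process index, stage, image, address, dump number) are inferred from the identifiers visible in this report and are an assumption, not Joe Sandbox documentation; the sample lines are copied from the evidence above.

```python
"""Group Joe Sandbox Yara-match evidence lines by analysed process.

Added example, not part of the Joe Sandbox report or of Joe Sandbox itself.
Field meanings are inferred from the identifier patterns visible in the
report (assumption, not documentation):
  <proc>.<stage>.<image>.<hexaddr>.<n>[.raw].unpack                unpacked PE
  <proc:8hex>.<stage:8hex>.<id>.<base:16hex>.<4 x 8hex flags>.sdmp  memory dump
  Process Memory Space: <image> PID: <pid>                          process strings
Stage 2 is assumed to be the end-of-analysis dump and stage 3 a dump taken
while the process was still running.
"""
import re
from collections import defaultdict
from typing import Optional

LINE_RE = re.compile(r"File source:\s*(?P<src>.+?),\s*type:\s*(?P<kind>[A-Z]+)\s*$")
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9a-f]+)\.(?P<n>\d+)\.(?:raw\.)?unpack$")
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.\d+\.(?P<base>[0-9A-F]{16})(?:\.[0-9A-F]{8}){4}\.sdmp$")
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<image>.+?) PID: (?P<pid>\d+)$")

DUMP_IMAGE = "1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe"

# Sample input copied from the report's evidence lines (plus one non-Yara line).
SAMPLE_LINES = [
    "Source: Yara match; File source: 1.2.fMNDB.exe.4a80ee8.6.unpack, type: UNPACKEDPE",
    "Source: Yara match; File source: 1.2.fMNDB.exe.4a80ee8.6.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match; File source: 1.2.fMNDB.exe.4a80000.7.unpack, type: UNPACKEDPE",
    f"Source: Yara match; File source: 0.3.{DUMP_IMAGE}.7c9510.0.unpack, type: UNPACKEDPE",
    "Source: Yara match; File source: 3.3.fMNDB.exe.7d19c8.0.unpack, type: UNPACKEDPE",
    "Source: Yara match; File source: 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match; File source: 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match; File source: 00000003.00000003.1819413806.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match; File source: Process Memory Space: fMNDB.exe PID: 7616, type: MEMORYSTR",
    "Source: Yara match; File source: Process Memory Space: fMNDB.exe PID: 7796, type: MEMORYSTR",
    r"Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
]


def parse_hit(line: str) -> Optional[dict]:
    """Parse one evidence line into proc/stage/kind/where/image; None if not a Yara match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, kind = m["src"].strip(), m["kind"]
    if kind == "UNPACKEDPE" and (u := UNPACK_RE.match(src)):
        return {"proc": int(u["proc"]), "stage": int(u["stage"]), "kind": kind,
                "where": int(u["addr"], 16), "image": u["image"]}
    if kind == "MEMORY" and (s := SDMP_RE.match(src)):
        return {"proc": int(s["proc"], 16), "stage": int(s["stage"], 16), "kind": kind,
                "where": int(s["base"], 16), "image": None}
    if kind == "MEMORYSTR" and (p := MEMSTR_RE.match(src)):
        return {"proc": None, "stage": None, "kind": kind,
                "where": int(p["pid"]), "image": p["image"]}
    return None


def summarize(lines):
    """Return ({proc_index: {image, stages, unpacked, memory}}, {image: [pids]}).

    Rebuilt and raw copies of the same unpacked PE collapse to one address.
    MEMORYSTR hits carry a PID rather than a process index and are kept apart.
    """
    procs = defaultdict(lambda: {"image": None, "stages": set(), "unpacked": set(), "memory": set()})
    pids = defaultdict(set)
    for line in lines:
        hit = parse_hit(line)
        if hit is None:
            continue
        if hit["kind"] == "MEMORYSTR":
            pids[hit["image"]].add(hit["where"])
            continue
        entry = procs[hit["proc"]]
        entry["stages"].add(hit["stage"])
        if hit["image"]:
            entry["image"] = hit["image"]
        entry["unpacked" if hit["kind"] == "UNPACKEDPE" else "memory"].add(hit["where"])
    tidy = {p: {"image": e["image"], "stages": sorted(e["stages"]),
                "unpacked": sorted(e["unpacked"]), "memory": sorted(e["memory"])}
            for p, e in procs.items()}
    return tidy, {img: sorted(ps) for img, ps in pids.items()}


def pe_regions(procs):
    """Map each unpacked-PE address to the dumped region containing it (largest base <= addr)."""
    out = {}
    for proc, e in procs.items():
        out[proc] = {addr: max((b for b in e["memory"] if b <= addr), default=None)
                     for addr in e["unpacked"]}
    return out


if __name__ == "__main__":
    procs, pids = summarize(SAMPLE_LINES)
    for proc, e in sorted(procs.items()):
        print(proc, e["image"], "stages", e["stages"],
              {hex(a): hex(r) if r else None for a, r in pe_regions(procs)[proc].items()})
    print("string hits:", pids)
```

                  Run against the full evidence list, the region mapping shows which single dump per process to hand to a config extractor (for process 1 the region at 0x4A80000 holds both the 0x4a80000 and the 0x4a80ee8 PE hits), and the stage-3 hits at low heap addresses (0x7C9510, 0x714DA8, 0x7D19C8) mark the moment the payload was decrypted in memory before it was mapped.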
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.228f61e.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3594190.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3545570.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.3.fMNDB.exe.714da8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.35c6458.7.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.50e0000.8.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.4a80ee8.6.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3594190.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.3.fMNDB.exe.7d19c8.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.2240506.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.223f61e.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.4a80000.7.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2560000.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.3614190.6.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3545570.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.35c6458.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3546458.5.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.50e0000.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.228f61e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.3.fMNDB.exe.7d19c8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2560ee8.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.3614190.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2290506.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.4b20000.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2560000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.2240506.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2290506.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3546458.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.35c5570.5.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.3.fMNDB.exe.714da8.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.35c5570.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.4b20000.8.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.4a80000.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2560ee8.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.4a80ee8.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.223f61e.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000002.2894238732.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000002.2892950015.000000000224F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000003.1819413806.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.1831905265.00000000021FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.1833007335.0000000003545000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; File opened: C:\FTP Navigator\Ftplist.txt
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
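                  The file and registry accesses above are the behavioural fingerprint behind the "Tries to harvest and steal" signatures: a dropped executable under AppData\Roaming, which is neither WinSCP, a browser, an FTP client nor a mail client, opens the saved-credential store of each of those application families in one run. The script below is an added detection example, not part of the Joe Sandbox report, that turns this into a rule: it classifies each opened path or key into a credential-store family using the locations listed above, ignores the application that legitimately owns a store, and flags any process that reaches into a configurable number of distinct families. The one-line event format, the owner list, the threshold and the benign events are this example's own assumptions; on a real host the same logic would run over EDR file-open and registry-open telemetry.

```python
"""Flag credential-harvesting processes from file-open / key-open evidence.

Added example, not part of the Joe Sandbox report. Store locations are the ones
the report lists; the event-line shape, LEGIT_OWNERS and the threshold are
assumptions to tune for real telemetry.
"""
import re
from collections import defaultdict

# Application family -> pattern over the lower-cased path or registry key.
CREDENTIAL_STORES = [
    ("winscp", re.compile(r"\\martin prikryl\\winscp 2\\sessions$")),
    ("chromium", re.compile(r"\\(google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\login data$")),
    ("gecko", re.compile(r"\\(mozilla\\firefox|8pecxstudios\\cyberfox|netgate technologies\\blackhawk)\\profiles\.ini$")),
    ("ftp", re.compile(r"^c:\\ftp navigator\\ftplist\.txt$")),
    ("thunderbird", re.compile(r"\\thunderbird\\profiles\.ini$")),
    ("mapi", re.compile(r"\\windows messaging subsystem\\profiles$")),
    ("incredimail", re.compile(r"\\software\\incredimail\\identities$")),
]

# Image names allowed to read their own store (assumed starting list, extend per estate).
LEGIT_OWNERS = {
    "winscp": {"winscp.exe"},
    "chromium": {"chrome.exe", "msedge.exe"},
    "gecko": {"firefox.exe"},
    "thunderbird": {"thunderbird.exe"},
    "mapi": {"outlook.exe"},
}

# Accepts "Source: <proc>; Key opened: <key>" and the raw extracted form where the
# separator is missing and the "Jump to behavior" link text is still attached.
EVENT_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)\s*;?\s*(?P<op>Key opened|File opened):\s*"
    r"(?P<target>.+?)\s*(?:Jump to behavior)?\s*$")

STEALER = r"C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe"
DROPPER = r"C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"  # constructed benign process


def _ev(proc, op, target):
    return f"Source: {proc}; {op}: {target}"


SAMPLE_EVENTS = [
    # Accesses as listed in the report
    _ev(STEALER, "Key opened", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    _ev(STEALER, "File opened", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    _ev(STEALER, "File opened", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    _ev(STEALER, "File opened", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    _ev(STEALER, "File opened", r"C:\FTP Navigator\Ftplist.txt"),
    _ev(STEALER, "File opened", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    _ev(STEALER, "Key opened", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    _ev(STEALER, "Key opened", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    _ev(DROPPER, "Key opened", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    _ev(DROPPER, "File opened", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    _ev(DROPPER, "Key opened", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    _ev(DROPPER, "Key opened", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    # Constructed benign events: the browser reading its own store, an unrelated file
    _ev(CHROME, "File opened", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    _ev(r"C:\Windows\explorer.exe", "File opened", r"C:\Users\user\Documents\notes.txt"),
    # One line in the raw extracted form
    r"Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior",
]


def parse_event(line):
    """Split an evidence line into process path, image name, operation and target."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    proc = m["proc"]
    return {"proc": proc, "image": proc.rsplit("\\", 1)[-1].lower(),
            "op": m["op"], "target": m["target"]}


def classify(target):
    """Credential-store family of a path or registry key, or None."""
    t = target.lower().rstrip("\\")
    for family, pat in CREDENTIAL_STORES:
        if pat.search(t):
            return family
    return None


def harvesting_processes(lines, min_families=3):
    """{process path: sorted families} for processes that open credential stores
    of at least min_families distinct application families they do not own."""
    touched = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        fam = classify(ev["target"])
        if fam is None or ev["image"] in LEGIT_OWNERS.get(fam, set()):
            continue
        touched[ev["proc"]].add(fam)
    return {p: sorted(f) for p, f in touched.items() if len(f) >= min_families}


if __name__ == "__main__":
    for proc, families in harvesting_processes(SAMPLE_EVENTS).items():
        print(f"{proc}: {len(families)} credential-store families: {', '.join(families)}")
```

                  Breadth across families is the signal, not any single access: the Windows Messaging Subsystem profile key is read by plenty of benign software, so it earns one family at most, while a non-browser process opening Chrome's Login Data is rare enough on its own that a production rule would also alert on it directly. Persistence-path context (a process running from AppData\Roaming, as fMNDB.exe does here) is a natural second score to add.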
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.228f61e.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3594190.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3545570.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.3.fMNDB.exe.714da8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.35c6458.7.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.50e0000.8.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.4a80ee8.6.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3594190.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.3.fMNDB.exe.7d19c8.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.2240506.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.223f61e.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.3.fMNDB.exe.7d19c8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.4a80000.7.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2560ee8.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2560000.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.3614190.6.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.228f61e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3545570.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.35c6458.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3546458.5.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.50e0000.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.3614190.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2290506.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.4b20000.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2560000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.2240506.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2290506.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3546458.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.35c5570.5.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.3.fMNDB.exe.714da8.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.35c5570.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.4b20000.8.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.4a80000.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2560ee8.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.4a80ee8.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.223f61e.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000002.2894238732.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000002.2892950015.000000000224F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000002.2893613189.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000003.1819413806.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.1831905265.00000000021FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2893797859.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.1833007335.0000000003545000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.1832183101.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe PID: 7416, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: fMNDB.exe PID: 7616, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: fMNDB.exe PID: 7796, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.228f61e.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3594190.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3545570.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.3.fMNDB.exe.714da8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.35c6458.7.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.50e0000.8.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.4a80ee8.6.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3594190.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.3.fMNDB.exe.7d19c8.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.2240506.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.223f61e.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.3.fMNDB.exe.7d19c8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.4a80000.7.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2560000.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.3614190.6.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3545570.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.35c6458.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3546458.5.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.50e0000.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.228f61e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2560ee8.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.3614190.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2290506.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.4b20000.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2560000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.2240506.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2290506.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3546458.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.35c5570.5.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.3.fMNDB.exe.714da8.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.35c5570.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.4b20000.8.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.fMNDB.exe.4a80000.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.fMNDB.exe.2560ee8.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.fMNDB.exe.4a80ee8.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.fMNDB.exe.223f61e.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2894238732.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2892950015.000000000224F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2893613189.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2893613189.000000000260F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000003.1819413806.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2893797859.00000000027DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1831905265.00000000021FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1832183101.000000000258F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2893797859.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1833007335.0000000003545000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1832183101.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe PID: 7416, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: fMNDB.exe PID: 7616, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: fMNDB.exe PID: 7796, type: MEMORYSTR
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.228f61e.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3594190.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3545570.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.3.fMNDB.exe.714da8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.35c6458.7.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.50e0000.8.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2540000.5.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.4a80ee8.6.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3594190.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.3.fMNDB.exe.7d19c8.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.2240506.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.223f61e.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.4a80000.7.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2560000.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.3614190.6.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3545570.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.35c6458.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3546458.5.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.50e0000.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.228f61e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.3.fMNDB.exe.7d19c8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2560ee8.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0ee8.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.3614190.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2290506.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.4b20000.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2560000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.2240506.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2290506.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.3546458.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.35c5570.5.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.224f61e.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.3.fMNDB.exe.714da8.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.35c5570.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.4b20000.8.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.2250506.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.4a80000.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.fMNDB.exe.2560ee8.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3795570.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.4a80ee8.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.24b0000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.37e4190.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 1.2.fMNDB.exe.223f61e.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.3796458.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.3.1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe.7c9510.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000002.2894238732.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000002.2892950015.000000000224F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000003.1819413806.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.1831905265.00000000021FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.1833007335.0000000003545000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  MITRE ATT&CK matrix, one line per tactic column with its techniques listed top to bottom; the figures that precede some techniques are kept as they appear in the report:

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                  Execution: 121 Windows Management Instrumentation; 1 Native API; 2 Command and Scripting Interpreter; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                  Persistence: 1 DLL Side-Loading; 1 Registry Run Keys / Startup Folder; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                  Privilege Escalation: 1 DLL Side-Loading; 1 Process Injection; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                  Defense Evasion: 1 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 11 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 141 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Hidden Files and Directories
                  Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                  Discovery: 1 System Time Discovery; 1 File and Directory Discovery; 35 System Information Discovery; 1 Query Registry; 241 Security Software Discovery; 141 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; Network Sniffing
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                  Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                  Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                  Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 1467918
                  Sample: 1dd97881cd53e8039e8c3439905...
                  Startdate: 05/07/2024
                  Architecture: WINDOWS
                  Score: 100

                  Root node (2):
                  • DNS/IP info: raczki.pl; mail.raczki.pl
                  • Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 6 other signatures
                  • Processes started: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe (node 6, 1 5); fMNDB.exe (node 11, 2); fMNDB.exe (node 13, 2)

                  Node 6, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe:
                  • DNS/IP info: raczki.pl 185.49.148.195, 49730, 49731, 49736 PL-BEYOND-ASPL Poland
                  • Dropped: C:\Users\user\AppData\Roaming\...\fMNDB.exe, PE32
                  • Dropped: C:\Users\user\...\fMNDB.exe:Zone.Identifier, ASCII
                  • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); Hides that the sample has been downloaded from the Internet (zone.identifier)

                  Node 11, fMNDB.exe:
                  • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

                  Node 13, fMNDB.exe:
                  • Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

                  Source | Detection | Scanner | Label | Link
                  1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | 100% | Avira | TR/Spy.Gen8 |
                  1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe | 100% | Joe Sandbox ML | |

                  Source | Detection | Scanner | Label | Link
                  C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | 100% | Avira | TR/Spy.Gen8 |
                  C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | 100% | Joe Sandbox ML | |
                  C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

                  No Antivirus matches

                  No Antivirus matches

                  Source | Detection | Scanner | Label | Link
                  https://account.dyn.com/ | 0% | URL Reputation | safe |
                  http://raczki.pl | 0% | Avira URL Cloud | safe |
                  http://www.certum.pl/CPS0 | 0% | Avira URL Cloud | safe |
                  http://subca.ocsp-certum.com01 | 0% | Avira URL Cloud | safe |
                  https://www.certum.pl/CPS0 | 0% | Avira URL Cloud | safe |
                  http://mail.raczki.pl | 0% | Avira URL Cloud | safe |
                  http://crl.certum.pl/ctnca.crl0k | 0% | Avira URL Cloud | safe |
                  http://repository.certum.pl/ctnca.cer09 | 0% | Avira URL Cloud | safe |
                  http://crl.certum.pl/dvcasha2.crl0q | 0% | Avira URL Cloud | safe |
                  http://repository.certum.pl/dvcasha2.cer0 | 0% | Avira URL Cloud | safe |
                  http://dvcasha2.ocsp-certum.com04 | 0% | Avira URL Cloud | safe |
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  raczki.pl | 185.49.148.195 | true | true | | unknown
                  mail.raczki.pl | unknown | unknown | true | | unknown
                      NameSourceMaliciousAntivirus DetectionReputation
                      http://crl.certum.pl/dvcasha2.crl0q1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894648241.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://mail.raczki.pl1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://raczki.pl1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://repository.certum.pl/ctnca.cer091dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894752336.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://account.dyn.com/1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, fMNDB.exe, 00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831905265.00000000021FF000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1833007335.0000000003545000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2894238732.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892950015.000000000224F000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, fMNDB.exe, 00000003.00000003.1819413806.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://www.certum.pl/CPS01dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894648241.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://crl.certum.pl/ctnca.crl0k1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894752336.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
URL:http://dvcasha2.ocsp-certum.com04
Source:1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894648241.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
• Avira URL Cloud: safe
Reputation:unknown
URL:http://www.certum.pl/CPS0
Source:1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894752336.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
• Avira URL Cloud: safe
Reputation:unknown
URL:http://repository.certum.pl/dvcasha2.cer0
Source:1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894648241.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
• Avira URL Cloud: safe
Reputation:unknown
URL:http://subca.ocsp-certum.com01
Source:1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2894752336.0000000004D4F000.00000004.00000020.00020000.00000000.sdmp, 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe, 00000000.00000002.2893797859.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834069251.0000000005AAC000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1834029976.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1832183101.0000000002597000.00000004.00000800.00020000.00000000.sdmp, fMNDB.exe, 00000001.00000002.1831173926.0000000000704000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2895035340.00000000058F0000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2892324240.000000000080C000.00000004.00000020.00020000.00000000.sdmp, fMNDB.exe, 00000003.00000002.2893613189.0000000002617000.00000004.00000800.00020000.00000000.sdmp
Malicious:false
• Avira URL Cloud: safe
Reputation:unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.49.148.195 | raczki.pl | Poland | 31229 | PL-BEYOND-ASPL | true
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1467918
                      Start date and time:2024-07-05 01:28:05 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 6m 52s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@3/2@1/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 94%
                      • Number of executed functions: 160
                      • Number of non-executed functions: 34
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
Time | Type | Description
00:28:52 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run fMNDB C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe
00:29:01 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run fMNDB C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe
19:28:52 | API Interceptor | 49x Sleep call for process: 1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe modified
19:29:03 | API Interceptor | 113x Sleep call for process: fMNDB.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
185.49.148.195 | MFRtbb58Qh.exe | malicious | AgentTesla, PureLog Stealer
185.49.148.195 | N° 2400718.exe | malicious | AgentTesla, PureLog Stealer
185.49.148.195 | C4N6-0008399495-3353853121 TH C L09.exe | malicious | AgentTesla, PureLog Stealer
185.49.148.195 | 101764ZAM2024.vbs | malicious | AgentTesla, GuLoader
185.49.148.195 | 101764ZAM2024.vbe | malicious | AgentTesla, GuLoader
185.49.148.195 | PL_PLK_PT_filter_I-534_wheels_krotki.vbs | malicious | AgentTesla, GuLoader
Match | Associated Sample Name / URL | Detection | Threat Name | Context
PL-BEYOND-ASPL | MFRtbb58Qh.exe | malicious | AgentTesla, PureLog Stealer | 185.49.148.195
PL-BEYOND-ASPL | Order-1351125X.docx.doc | malicious | FormBook | 5.149.161.103
PL-BEYOND-ASPL | N° 2400718.exe | malicious | AgentTesla, PureLog Stealer | 185.49.148.195
PL-BEYOND-ASPL | http://ceva.r-shop.eu | malicious | Unknown | 2.57.138.83
PL-BEYOND-ASPL | C4N6-0008399495-3353853121 TH C L09.exe | malicious | AgentTesla, PureLog Stealer | 185.49.148.195
PL-BEYOND-ASPL | 101764ZAM2024.vbs | malicious | AgentTesla, GuLoader | 185.49.148.195
PL-BEYOND-ASPL | 101764ZAM2024.vbe | malicious | AgentTesla, GuLoader | 185.49.148.195
PL-BEYOND-ASPL | PL_PLK_PT_filter_I-534_wheels_krotki.vbs | malicious | AgentTesla, GuLoader | 185.49.148.195
PL-BEYOND-ASPL | t3CBipL4lt.elf | malicious | Mirai | 91.102.119.171
PL-BEYOND-ASPL | http://dkdeep.com/?placement%5C=Facebook_Desktop_Feed&adset_name%5C=26&ad_name%5C=1_267069722828906&fb%5C=267069722828906&ad_id%5C=120206568353510682&buyer%5C=mk&netProbitiya2k23%5C=w0tth3b3stGmev3R&pre%5C=celeb1&fbclid%5C=IwAR2SLF2yfFVFau_BLIzVYgyo3FnJIWRI2bBRkxat54PFXlIdShtFrFBG6Pg | malicious | Unknown | 5.149.162.7
                                  No context
                                  No context
                                  Process:C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):269312
                                  Entropy (8bit):7.543647615959605
                                  Encrypted:false
                                  SSDEEP:6144:IDKW1Lgbdl0TBBvjc/B8Q1PS20j9VS2u0zna:Oh1Lk70TnvjcZ8Q1KxS2a
                                  MD5:DD1BD551108F3EC1E9E775C7B09A0E1C
                                  SHA1:418EC6E49557849276C4A8198B92EFF0AF4B957F
                                  SHA-256:E347DED6059659A1C81D016B64BB550D7FE94FB789957ED5F312EACEBB8944DB
                                  SHA-512:7DFC26E555B3F3291264C73E3F52E62ED417B17AA8A3417AA0C7117C25C1592C3221D517E08AB498E076362AF04F302E58C8496B5542C10E05F23DC5AAE7DE5C
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe, Author: ditekSHen
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 53%
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~.................._f....PE..L...t..P..........#................./.............@..........................`.......;..........................................P....`..x...............................................................@............................................text............................... ..`.rdata...m.......n..................@..@.data....0... ......................@....rsrc...x....`....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Reputation:high, very likely benign file
                                  Preview:[ZoneTransfer]....ZoneId=0
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.543647615959605
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                                  File size:269'312 bytes
                                  MD5:dd1bd551108f3ec1e9e775c7b09a0e1c
                                  SHA1:418ec6e49557849276c4a8198b92eff0af4b957f
                                  SHA256:e347ded6059659a1c81d016b64bb550d7fe94fb789957ed5f312eacebb8944db
                                  SHA512:7dfc26e555b3f3291264c73e3f52e62ed417b17aa8a3417aa0c7117c25c1592c3221d517e08ab498e076362af04f302e58c8496b5542c10e05f23dc5aae7de5c
                                  SSDEEP:6144:IDKW1Lgbdl0TBBvjc/B8Q1PS20j9VS2u0zna:Oh1Lk70TnvjcZ8Q1KxS2a
                                  TLSH:A144D02035C0D1B3C477017085E6CA669E3974760B6AD5D3BAED2BBA6F213D163362CE
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~.................._f....PE..L...t..P..........#........
                                  Icon Hash:90cececece8e8eb0
                                  Entrypoint:0x40cd2f
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                  Time Stamp:0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:0
                                  File Version Major:5
                                  File Version Minor:0
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:0
                                  Import Hash:bf5a4aa99e5b160f8521cadd6bfe73b8
                                  Instruction
                                  call 00007F1B81159EA6h
                                  jmp 00007F1B81154069h
                                  mov edi, edi
                                  push ebp
                                  mov ebp, esp
                                  sub esp, 20h
                                  mov eax, dword ptr [ebp+08h]
                                  push esi
                                  push edi
                                  push 00000008h
                                  pop ecx
                                  mov esi, 0041F058h
                                  lea edi, dword ptr [ebp-20h]
                                  rep movsd
                                  mov dword ptr [ebp-08h], eax
                                  mov eax, dword ptr [ebp+0Ch]
                                  pop edi
                                  mov dword ptr [ebp-04h], eax
                                  pop esi
                                  test eax, eax
                                  je 00007F1B811541CEh
                                  test byte ptr [eax], 00000008h
                                  je 00007F1B811541C9h
                                  mov dword ptr [ebp-0Ch], 01994000h
                                  lea eax, dword ptr [ebp-0Ch]
                                  push eax
                                  push dword ptr [ebp-10h]
                                  push dword ptr [ebp-1Ch]
                                  push dword ptr [ebp-20h]
                                  call dword ptr [0041B000h]
                                  leave
                                  retn 0008h
                                  ret
                                  mov eax, 00413563h
                                  mov dword ptr [004228E4h], eax
                                  mov dword ptr [004228E8h], 00412C4Ah
                                  mov dword ptr [004228ECh], 00412BFEh
                                  mov dword ptr [004228F0h], 00412C37h
                                  mov dword ptr [004228F4h], 00412BA0h
                                  mov dword ptr [004228F8h], eax
                                  mov dword ptr [004228FCh], 004134DBh
                                  mov dword ptr [00422900h], 00412BBCh
                                  mov dword ptr [00422904h], 00412B1Eh
                                  mov dword ptr [00422908h], 00412AABh
                                  ret
                                  mov edi, edi
                                  push ebp
                                  mov ebp, esp
                                  call 00007F1B8115415Bh
                                  call 00007F1B8115A9E0h
                                  cmp dword ptr [ebp+00h], 00000000h
                                  Programming Language:
                                  • [ASM] VS2008 build 21022
                                  • [IMP] VS2005 build 50727
                                  • [C++] VS2008 build 21022
                                  • [ C ] VS2008 build 21022
                                  • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x215b4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26000 | 0x1fb78 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1b1c0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x20da0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x184 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x19718 | 0x19800 | 42b7248e125c55e9d0771fea968ec5b1 | False | 0.5789579503676471 | data | 6.748591703757032 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1b000 | 0x6db4 | 0x6e00 | 5826801f33fc1b607aa8e942aa92e9fa | False | 0.5467329545454546 | data | 6.442956247632331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x22000 | 0x30c0 | 0x1600 | 2fe51a72ede820cd7cf55a77ba59b1f4 | False | 0.3126775568181818 | data | 3.2625868398009703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x26000 | 0x1fb78 | 0x1fc00 | 70415c8b9153ecb912f77da4740844bc | False | 0.9948172982283464 | data | 7.9952920528291385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0x26124 | 0x1f58a | data | | | 1.0003582721934048
RT_RCDATA | 0x456b0 | 0x20 | data | | | 1.28125
RT_VERSION | 0x456d0 | 0x2bc | data | | | 0.44285714285714284
RT_MANIFEST | 0x4598c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
KERNEL32.dll | RaiseException, GetLastError, MultiByteToWideChar, lstrlenA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeResource, SizeofResource, LockResource, LoadResource, FindResourceA, GetModuleHandleA, Module32Next, CloseHandle, Module32First, CreateToolhelp32Snapshot, GetCurrentProcessId, SetEndOfFile, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetLocaleInfoA, HeapFree, GetProcessHeap, HeapAlloc, GetCommandLineA, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, ReadFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, FlushFileBuffers, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, RtlUnwind, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CompareStringA, CompareStringW, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
ole32.dll | OleInitialize
OLEAUT32.dll | SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, VariantClear, VariantInit, SysFreeString, SysAllocString
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Jul 5, 2024 01:29:15.716254950 CEST58749736185.49.148.195192.168.2.4
                                  Jul 5, 2024 01:29:15.909799099 CEST58749736185.49.148.195192.168.2.4
                                  Jul 5, 2024 01:29:15.910156965 CEST49736587192.168.2.4185.49.148.195
                                  Jul 5, 2024 01:29:15.914932966 CEST58749736185.49.148.195192.168.2.4
                                  Jul 5, 2024 01:29:18.481009960 CEST58749736185.49.148.195192.168.2.4
                                  Jul 5, 2024 01:29:18.481266022 CEST49736587192.168.2.4185.49.148.195
                                  Jul 5, 2024 01:29:18.490161896 CEST58749736185.49.148.195192.168.2.4
                                  Jul 5, 2024 01:29:18.680521011 CEST58749736185.49.148.195192.168.2.4
                                  Jul 5, 2024 01:29:18.681467056 CEST58749736185.49.148.195192.168.2.4
                                  Jul 5, 2024 01:29:18.681545973 CEST49736587192.168.2.4185.49.148.195
                                  Jul 5, 2024 01:29:18.686104059 CEST49736587192.168.2.4185.49.148.195
                                  Jul 5, 2024 01:29:18.690901041 CEST58749736185.49.148.195192.168.2.4
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Jul 5, 2024 01:28:53.166657925 CEST | 64698 | 53 | 192.168.2.4 | 1.1.1.1
                                  Jul 5, 2024 01:28:53.252038956 CEST | 53 | 64698 | 1.1.1.1 | 192.168.2.4
                                  Jul 5, 2024 01:29:13.381287098 CEST | 53 | 49585 | 1.1.1.1 | 192.168.2.4
                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                  Jul 5, 2024 01:28:53.166657925 CEST | 192.168.2.4 | 1.1.1.1 | 0xd7e9 | Standard query (0) | mail.raczki.pl | A (IP address) | IN (0x0001) | false
                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                  Jul 5, 2024 01:28:53.252038956 CEST | 1.1.1.1 | 192.168.2.4 | 0xd7e9 | No error (0) | mail.raczki.pl | raczki.pl | | CNAME (Canonical name) | IN (0x0001) | false
                                  Jul 5, 2024 01:28:53.252038956 CEST | 1.1.1.1 | 192.168.2.4 | 0xd7e9 | No error (0) | raczki.pl | | 185.49.148.195 | A (IP address) | IN (0x0001) | false
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                  Jul 5, 2024 01:28:54.642700911 CEST | 587 | 49730 | 185.49.148.195 | 192.168.2.4 | 220-whm4.i.media.pl ESMTP Exim 4.96.2 #2 Fri, 05 Jul 2024 01:28:54 +0200
                                      220-We do not authorize the use of this system to transport unsolicited,
                                      220 and/or bulk e-mail.
                                  Jul 5, 2024 01:28:54.643795967 CEST | 49730 | 587 | 192.168.2.4 | 185.49.148.195 | EHLO 035347
                                  Jul 5, 2024 01:28:54.839976072 CEST | 587 | 49730 | 185.49.148.195 | 192.168.2.4 | 250-whm4.i.media.pl Hello 035347 [8.46.123.33]
                                      250-SIZE 134217728
                                      250-8BITMIME
                                      250-DSN
                                      250-PIPELINING
                                      250-PIPECONNECT
                                      250-AUTH PLAIN LOGIN
                                      250-STARTTLS
                                      250 HELP
                                  Jul 5, 2024 01:28:54.840183020 CEST | 49730 | 587 | 192.168.2.4 | 185.49.148.195 | STARTTLS
                                  Jul 5, 2024 01:28:55.036209106 CEST | 587 | 49730 | 185.49.148.195 | 192.168.2.4 | 220 TLS go ahead
                                  Jul 5, 2024 01:29:05.795300961 CEST | 587 | 49731 | 185.49.148.195 | 192.168.2.4 | 220-whm4.i.media.pl ESMTP Exim 4.96.2 #2 Fri, 05 Jul 2024 01:29:05 +0200
                                      220-We do not authorize the use of this system to transport unsolicited,
                                      220 and/or bulk e-mail.
                                  Jul 5, 2024 01:29:05.812791109 CEST | 49731 | 587 | 192.168.2.4 | 185.49.148.195 | EHLO 035347
                                  Jul 5, 2024 01:29:06.008507967 CEST | 587 | 49731 | 185.49.148.195 | 192.168.2.4 | 250-whm4.i.media.pl Hello 035347 [8.46.123.33]
                                      250-SIZE 134217728
                                      250-8BITMIME
                                      250-DSN
                                      250-PIPELINING
                                      250-PIPECONNECT
                                      250-AUTH PLAIN LOGIN
                                      250-STARTTLS
                                      250 HELP
                                  Jul 5, 2024 01:29:06.010216951 CEST | 49731 | 587 | 192.168.2.4 | 185.49.148.195 | STARTTLS
                                  Jul 5, 2024 01:29:06.206243992 CEST | 587 | 49731 | 185.49.148.195 | 192.168.2.4 | 220 TLS go ahead
                                  Jul 5, 2024 01:29:14.443773985 CEST | 587 | 49736 | 185.49.148.195 | 192.168.2.4 | 220-whm4.i.media.pl ESMTP Exim 4.96.2 #2 Fri, 05 Jul 2024 01:29:14 +0200
                                      220-We do not authorize the use of this system to transport unsolicited,
                                      220 and/or bulk e-mail.
                                  Jul 5, 2024 01:29:14.457401991 CEST | 49736 | 587 | 192.168.2.4 | 185.49.148.195 | EHLO 035347
                                  Jul 5, 2024 01:29:14.656306982 CEST | 587 | 49736 | 185.49.148.195 | 192.168.2.4 | 250-whm4.i.media.pl Hello 035347 [8.46.123.33]
                                      250-SIZE 134217728
                                      250-8BITMIME
                                      250-DSN
                                      250-PIPELINING
                                      250-PIPECONNECT
                                      250-AUTH PLAIN LOGIN
                                      250-STARTTLS
                                      250 HELP
                                  Jul 5, 2024 01:29:14.656478882 CEST | 49736 | 587 | 192.168.2.4 | 185.49.148.195 | STARTTLS
                                  Jul 5, 2024 01:29:14.914239883 CEST | 587 | 49736 | 185.49.148.195 | 192.168.2.4 | 220 TLS go ahead

                                  Target ID: 0
                                  Start time: 19:28:50
                                  Start date: 04/07/2024
                                  Path: C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe
                                  Wow64 process (32bit): true
                                  Commandline: "C:\Users\user\Desktop\1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.exe"
                                  Imagebase: 0x400000
                                  File size: 269'312 bytes
                                  MD5 hash: DD1BD551108F3EC1E9E775C7B09A0E1C
                                  Has elevated privileges: true
                                  Has administrator privileges: true
                                  Programmed in: C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2894422236.0000000003791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2893323166.00000000024B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2893480376.0000000002540000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2892665779.000000000220F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2893797859.00000000027DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1625089311.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2893797859.0000000002791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2893797859.0000000002791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation: low
                                  Has exited: false

                                  Target ID: 1
                                  Start time: 19:29:01
                                  Start date: 04/07/2024
                                  Path: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe
                                  Wow64 process (32bit): true
                                  Commandline: "C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe"
                                  Imagebase: 0x400000
                                  File size: 269'312 bytes
                                  MD5 hash: DD1BD551108F3EC1E9E775C7B09A0E1C
                                  Has elevated privileges: false
                                  Has administrator privileges: false
                                  Programmed in: C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000003.1739937195.0000000000714000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000001.00000002.1833189225.0000000004A80000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000001.00000002.1833499854.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1831905265.00000000021FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1831905265.00000000021FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.1831905265.00000000021FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1832183101.000000000258F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1833007335.0000000003545000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1833007335.0000000003545000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.1833007335.0000000003545000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1832183101.0000000002541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1832183101.0000000002541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe, Author: ditekSHen
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 53%, ReversingLabs
                                  Reputation: low
                                  Has exited: true

                                  Target ID: 3
                                  Start time: 19:29:10
                                  Start date: 04/07/2024
                                  Path: C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe
                                  Wow64 process (32bit): true
                                  Commandline: "C:\Users\user\AppData\Roaming\fMNDB\fMNDB.exe"
                                  Imagebase: 0x400000
                                  File size: 269'312 bytes
                                  MD5 hash: DD1BD551108F3EC1E9E775C7B09A0E1C
                                  Has elevated privileges: false
                                  Has administrator privileges: false
                                  Programmed in: C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2894238732.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2894238732.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.2894238732.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2892950015.000000000224F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2892950015.000000000224F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.2892950015.000000000224F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2893613189.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2893613189.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000003.00000002.2893524196.0000000002560000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2893613189.000000000260F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1819413806.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000003.1819413806.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000003.1819413806.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000003.00000002.2894541056.0000000004B20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                  Reputation: low
                                  Has exited: false

                                    Execution Graph

                                    Execution Coverage: 9.7%
                                    Dynamic/Decrypted Code Coverage: 43.6%
                                    Signature Coverage: 17%
                                    Total number of Nodes: 289
                                    Total number of Limit Nodes: 33
                                    [Execution graph: the interactive call-graph view (raw node and edge listing) is only meaningful in the Joe Sandbox viewer and is omitted here. Windows API calls that appear as graph nodes include HeapCreate, GetCommandLineA, OleInitialize, GetCurrentProcessId, CreateToolhelp32Snapshot, Module32First, Module32Next, GetModuleHandleA, GetModuleHandleW, FindResourceA, LoadResource, LockResource, SizeofResource, FreeResource, LoadLibraryA, LoadLibraryExW, GetProcAddress, RtlAllocateHeap, CreateWindowExW, WaitMessage, DeleteFileW, FindCloseChangeNotification, CloseHandle, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, GetLastError, MultiByteToWideChar, lstrlenA, SysAllocString, SysFreeString, VariantInit, VariantClear, SafeArrayCreate, SafeArrayCreateVector, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, InterlockedDecrement, RaiseException and ExitProcess.]
52097->52095 52098->52094 52099->52094 52100->52066 51849 636b1de 51850 636b1f2 51849->51850 51852 636b1f9 51849->51852 51851 636b24a CallWindowProcW 51850->51851 51850->51852 51851->51852 51751 2190890 51752 21908b1 51751->51752 51753 219097a 51752->51753 51755 2194184 51752->51755 51758 2199150 51755->51758 51760 2199163 51758->51760 51762 2199200 51760->51762 51763 2199248 VirtualProtect 51762->51763 51765 21941a0 51763->51765 51853 277125a 51854 277125f 51853->51854 51856 2771380 2 API calls 51854->51856 51855 277134b 51856->51855 52101 5b6ef88 DuplicateHandle 52102 5b6f01e 52101->52102 51857 2771618 51858 2771622 51857->51858 51859 277163c 51858->51859 51862 5b69018 51858->51862 51867 5b69008 51858->51867 51864 5b6902d 51862->51864 51863 5b69242 51863->51859 51864->51863 51865 5b69680 GlobalMemoryStatusEx 51864->51865 51866 5b69618 GlobalMemoryStatusEx 51864->51866 51865->51864 51866->51864 51869 5b69014 51867->51869 51868 5b69242 51868->51859 51869->51868 51870 5b69680 GlobalMemoryStatusEx 51869->51870 51871 5b69618 GlobalMemoryStatusEx 51869->51871 51870->51869 51871->51869

                                    Control-flow Graph

Control-flow graph of 004019F0 (rendered interactively on the original page; basic-block list omitted). In address order the blocks call: OleInitialize; _getenv (0040B99E); GetCurrentProcessId, CreateToolhelp32Snapshot, Module32First, a Module32Next loop that is left via CloseHandle; FindCloseChangeNotification, GetModuleHandleA, FindResourceA, LoadResource, LockResource, SizeofResource, _malloc, _memset, SizeofResource, FreeResource; LoadLibraryA and GetProcAddress; VariantInit (twice), SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, two indirect calls to 0060D006 / 0060D01D (outside the 00400000 image), SafeArrayDestroy, SafeArrayCreateVector, VariantClear (three times) and cleanup through 004019A0 and 0040B6B5.
                                    APIs
                                    • OleInitialize.OLE32(00000000), ref: 004019FD
                                    • _getenv.LIBCMT ref: 00401ABA
                                    • GetCurrentProcessId.KERNEL32 ref: 00401ACD
                                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
                                    • Module32First.KERNEL32 ref: 00401C48
                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
                                    • Module32Next.KERNEL32(00000000,?), ref: 00401D02
                                    • Module32Next.KERNEL32(00000000,?), ref: 00401DB6
                                    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401DC4
                                    • GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
                                    • FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
                                    • LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
                                    • LockResource.KERNEL32(00000000), ref: 00401EA7
                                    • SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
                                    • _malloc.LIBCMT ref: 00401EBA
                                    • _memset.LIBCMT ref: 00401EDD
                                    • SizeofResource.KERNEL32(00000000,?), ref: 00401F02
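To make an API list like the one above mechanically checkable, here is an added Python example (not part of the Joe Sandbox report and not a Joe Sandbox API). It parses the bullet lines in the format the report renders, orders the calls by their ref address, decodes the dwFlags argument of CreateToolhelp32Snapshot (00000008 is TH32CS_SNAPMODULE) and tags the ordered sequence with behaviour patterns. The sample input is the list above, embedded as a constant; the tag names and the patterns are this example's own choice.

```python
"""Parse the 'APIs' list of a Joe Sandbox function page and tag behaviours.

Added example; it is not part of the Joe Sandbox report and does not use any
Joe Sandbox API. Input lines look like "• Name.Module(args), ref: address".
The behaviour tags and patterns below are this script's own, not the report's.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple

# Sample input: the APIs list for 004019F0 as rendered on the report page.
SAMPLE_API_LINES = """\
• OleInitialize.OLE32(00000000), ref: 004019FD
• _getenv.LIBCMT ref: 00401ABA
• GetCurrentProcessId.KERNEL32 ref: 00401ACD
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
• Module32First.KERNEL32 ref: 00401C48
• CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
• Module32Next.KERNEL32(00000000,?), ref: 00401D02
• Module32Next.KERNEL32(00000000,?), ref: 00401DB6
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401DC4
• GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
• FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
• LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
• LockResource.KERNEL32(00000000), ref: 00401EA7
• SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
• _malloc.LIBCMT ref: 00401EBA
• _memset.LIBCMT ref: 00401EDD
• SizeofResource.KERNEL32(00000000,?), ref: 00401F02
"""

# "• Name.Module(args), ref: hexaddr" -- args and the comma are optional.
_LINE = re.compile(
    r"^\s*•\s*(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]  # raw hex strings, or '?' where the sandbox did not resolve a value
    ref: int               # address of the call site inside the analysed image


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API bullet line; unknown lines are skipped. Result is sorted by call-site address."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return sorted(calls, key=lambda c: c.ref)


def api_sequence(calls: Sequence[ApiCall]) -> List[str]:
    """API names in address order (the order the page lists them is not guaranteed)."""
    return [c.name for c in calls]


def contains_in_order(seq: Sequence[str], pattern: Sequence[str]) -> bool:
    """True if every element of pattern occurs in seq in that relative order; gaps allowed."""
    it = iter(seq)
    return all(any(item == want for item in it) for want in pattern)


# Behaviour patterns (this example's own names), each an ordered subsequence of API names.
BEHAVIOURS: Dict[str, Sequence[str]] = {
    # walk the module list of a process through a Toolhelp snapshot
    "module_enumeration": ("CreateToolhelp32Snapshot", "Module32First", "Module32Next"),
    # locate, map and size a resource carried in the image's .rsrc section
    "embedded_resource_read": ("FindResourceA", "LoadResource", "LockResource", "SizeofResource"),
    # load a library by name and resolve an export at run time
    "dynamic_import": ("LoadLibraryA", "GetProcAddress"),
}


def classify(calls: Sequence[ApiCall]) -> FrozenSet[str]:
    """Set of behaviour tags whose pattern is present, in order, in the call sequence."""
    seq = api_sequence(calls)
    return frozenset(tag for tag, pat in BEHAVIOURS.items() if contains_in_order(seq, pat))


# dwFlags bits of CreateToolhelp32Snapshot (tlhelp32.h).
_TH32CS = {
    0x1: "TH32CS_SNAPHEAPLIST",
    0x2: "TH32CS_SNAPPROCESS",
    0x4: "TH32CS_SNAPTHREAD",
    0x8: "TH32CS_SNAPMODULE",
    0x10: "TH32CS_SNAPMODULE32",
}


def toolhelp_flags(calls: Sequence[ApiCall]) -> List[str]:
    """Decode dwFlags of the first CreateToolhelp32Snapshot call whose argument was resolved."""
    for c in calls:
        if c.name == "CreateToolhelp32Snapshot" and c.args and c.args[0] != "?":
            flags = int(c.args[0], 16)
            return [n for bit, n in sorted(_TH32CS.items()) if flags & bit]
    return []


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    print(" -> ".join(api_sequence(parsed)))
    print("toolhelp flags:", toolhelp_flags(parsed))
    print("behaviours:", sorted(classify(parsed)))
```

On the list above this yields the tags module_enumeration and embedded_resource_read; dynamic_import is not reported because LoadLibraryA and GetProcAddress appear only in the control-flow graph of 004019F0, not in this truncated APIs list, which is why ordering by ref address rather than by listing position matters when a list is cut short.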
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
                                    • String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
                                    • API String ID: 2366190142-2962942730
                                    • Opcode ID: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
                                    • Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
                                    • Opcode Fuzzy Hash: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
                                    • Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

                                    Control-flow Graph

Control-flow graph of 0277C418 (rendered interactively on the original page; basic-block list omitted). No Windows API calls in this function: it loops over blocks 0277C4DD..0277CBDF with internal calls to 02775638, 02775644 and 02775650, and an indirect call through 0277CC30 / 0277CC38 near the entry.
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2893730512.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2770000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                                    • API String ID: 0-1342094364
                                    • Opcode ID: 3e8e59e80cbf39e83b9d481c78afa0e3fe479c3ebdf2e69c2b9cac5dc6cab2ad
                                    • Instruction ID: d782cefd312f135e7d8ddddcc66583a98c226a23494ae3a4b2e0e089545aea9d
                                    • Opcode Fuzzy Hash: 3e8e59e80cbf39e83b9d481c78afa0e3fe479c3ebdf2e69c2b9cac5dc6cab2ad
                                    • Instruction Fuzzy Hash: 12324135E1061A8FCB15EF75C8945ADB7B6FFC9300F24C69AD409A7264EF309985CB90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895022699.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5b60000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Xoq$$kq
                                    • API String ID: 0-227003152
                                    • Opcode ID: ce7d1153d86ce19887878424383703a7b29c802225177c03efc9b872d354bcd6
                                    • Instruction ID: 9dc0f635a4c4d375d85b5d39bb86c665b3ad59481cbf3d744d432f4186748ac8
                                    • Opcode Fuzzy Hash: ce7d1153d86ce19887878424383703a7b29c802225177c03efc9b872d354bcd6
                                    • Instruction Fuzzy Hash: F6B19031B042188FDB4CEB79996527E7BA7BFC8701B14846DE406EB398DE38DC028795
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2893730512.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2770000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 78ffabb890cacbb17edc071dee1a5c3baaaa85059eccb568334e57b6d9f2b2b9
                                    • Instruction ID: 81239c314071c055b68009ab2d24f22aa515a56ee43409d25c5a9d99335f2b93
                                    • Opcode Fuzzy Hash: 78ffabb890cacbb17edc071dee1a5c3baaaa85059eccb568334e57b6d9f2b2b9
                                    • Instruction Fuzzy Hash: 9653F731C10B1A8ACB55EF68C884699F7B1FF99300F11D79AE4587B125FB70AAD4CB81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2893730512.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2770000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9d1aba00eaf9bbe000f20895445e0182532ad39a4e6f8c15817e50c39abf57a4
                                    • Instruction ID: 9d755fc5edee190c5a98cc3eb61c43e4023ec83c29592d583cb91cdecce8fe84
                                    • Opcode Fuzzy Hash: 9d1aba00eaf9bbe000f20895445e0182532ad39a4e6f8c15817e50c39abf57a4
                                    • Instruction Fuzzy Hash: F0333E31D10B198EDB11DF68C8846ADF7B1FF99300F15D79AE448A7225EB70AAC5CB81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895417136.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6360000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3456dcfe5292e7a0d2d485bb8e8dd4abc03aa711c7b8ff8756969b84240cb53f
                                    • Instruction ID: bbbeb851317b0c35ed6920e810dabe92681e2fe111bb16ce26fce0628fb77ad6
                                    • Opcode Fuzzy Hash: 3456dcfe5292e7a0d2d485bb8e8dd4abc03aa711c7b8ff8756969b84240cb53f
                                    • Instruction Fuzzy Hash: 00E11A30E00209CFDB54DFAAC958BADBBF1BF48304F15C559E405AF2A9DB74A949CB80
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2893730512.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2770000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $
                                    • API String ID: 0-3993045852
                                    • Opcode ID: f1333e71392cc16552bb48fe5526f25e5393eae8d20ad95de89c1a2d6a7ded66
                                    • Instruction ID: 15454ff6670aa55b4367aca072f434a34a0590936d96827074a1c2843cbb4ec2
                                    • Opcode Fuzzy Hash: f1333e71392cc16552bb48fe5526f25e5393eae8d20ad95de89c1a2d6a7ded66
                                    • Instruction Fuzzy Hash: AC22E131E002158FDF24DBA4C5807AEBBB6EF85320F2484AAD546EB395DB35EC45CB91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2893730512.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2770000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cbf37ecf3d53ae54d9276c6a1cd3f6d40ac4214451190c943b570135fce7d7c5
                                    • Instruction ID: 7d49642ff83b0e5fb535691768d10213d31978965e7e4f6fb58753589557369c
                                    • Opcode Fuzzy Hash: cbf37ecf3d53ae54d9276c6a1cd3f6d40ac4214451190c943b570135fce7d7c5
                                    • Instruction Fuzzy Hash: 73A26B30A00204CFDB24DF64C598B6DB7B2EF4A319F5588AAE406DB3A5DB75DC86CB50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895022699.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5b60000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1ece9dedf3dd4dea894d7167d2dccb1f7628747a2c4f5cfc038528dba20b360f
                                    • Instruction ID: ce3bcbd08069a1dad58ffea7b06420761a4ab8b0e98325f5b95f398f0974cbca
                                    • Opcode Fuzzy Hash: 1ece9dedf3dd4dea894d7167d2dccb1f7628747a2c4f5cfc038528dba20b360f
                                    • Instruction Fuzzy Hash: DF32AF30B001059FDF24DF68D594AAEB7B3FB89310F6088A9D406D7394DB39EC568B91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895022699.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5b60000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f304abe620f974c0ed0e7e3bbed733ad86421cbbfcc4e3b26358b5d556a71898
                                    • Instruction ID: bc957ed8e25cfc2f04480e8ccec9dcc810349c29601e6f46d3541e908ae1552c
                                    • Opcode Fuzzy Hash: f304abe620f974c0ed0e7e3bbed733ad86421cbbfcc4e3b26358b5d556a71898
                                    • Instruction Fuzzy Hash: F6225270E006098FDF24DB58C590BBEB7B7FB85310F6488A6E409E7395DA39EC818B51
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895417136.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6360000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 79dcb5a6c8dbce30a1cc2017d8d09063a4c229bc27f752cafbf0b1ab283736f2
                                    • Instruction ID: 33d2b4cedcb5c8d8aa9035e1be3e63ef83e261a8e8534d75ce57d74464e516c1
                                    • Opcode Fuzzy Hash: 79dcb5a6c8dbce30a1cc2017d8d09063a4c229bc27f752cafbf0b1ab283736f2
                                    • Instruction Fuzzy Hash: 07F18B71A00609CFCB55CF69C8849ADBBF6FF49315F958429E806EB254E730F985CB80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2892569472.0000000002190000.00000040.00000800.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2190000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b2f0a9c73edf04e3f401823bc02367cdcca5b0304f1af674d8a840174cf7100f
                                    • Instruction ID: 0a4bff7c3a4399862f156bc73a22feac5c072bbfe9fa86ccbd65ad01c3c74c14
                                    • Opcode Fuzzy Hash: b2f0a9c73edf04e3f401823bc02367cdcca5b0304f1af674d8a840174cf7100f
                                    • Instruction Fuzzy Hash: 62B15F70E40209CFDF14EFA9E98179DBBF2BF89314F148129D419EB258EB749845CB81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2892569472.0000000002190000.00000040.00000800.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2190000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c3532b5847db1b7a5fb728d686f9d52061f9bf47173bd3a62a05483feac4a42c
                                    • Instruction ID: c0eb2f9203164243b10fd851acdc4e53dd4a316390e0f8a407f80fe9c4c2bac6
                                    • Opcode Fuzzy Hash: c3532b5847db1b7a5fb728d686f9d52061f9bf47173bd3a62a05483feac4a42c
                                    • Instruction Fuzzy Hash: 70916CB0E40209DFDF14CFA9C99179DBFF2AF8C314F24812AE455AB294EB749945CB81

                                    Control-flow Graph

Control-flow graph of 0040CBF7 (rendered interactively on the original page; basic-block list omitted). CRT start-up sequence: HeapCreate via 0040D534, initialisers 0041087E, 004129C9 and 00411A15, GetCommandLineA, 00412892, 004127D7, 0041255F and 0040E859, then the program body 004019F0, and exit handling through 0040EA0A, 0040EA36 and 0040E21D; each initialiser's failure path goes through 0040CBB4 or 0040E79A.
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
                                    • String ID:
                                    • API String ID: 2598563909-0
                                    • Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
                                    • Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
                                    • Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
                                    • Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C

                                    Control-flow Graph

Control-flow graph of 05B6ED31 (rendered interactively on the original page; basic-block list omitted). Calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess again, the internal routine 05B6EF1A, then GetCurrentThreadId, with a short alternative block after each call.
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 05B6EDBE
                                    • GetCurrentThread.KERNEL32 ref: 05B6EDFB
                                    • GetCurrentProcess.KERNEL32 ref: 05B6EE38
                                    • GetCurrentThreadId.KERNEL32 ref: 05B6EE91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895022699.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5b60000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID: vy
                                    • API String ID: 2063062207-2544928794
                                    • Opcode ID: b939e361d51b08b61abda747d11a8c4f1b55d09af280f2852ec8c157a640875c
                                    • Instruction ID: 66f5dce66f1de87167834357b9380d4155a46642f7808de9248c240ca4678b34
                                    • Opcode Fuzzy Hash: b939e361d51b08b61abda747d11a8c4f1b55d09af280f2852ec8c157a640875c
                                    • Instruction Fuzzy Hash: E45135B59003498FDB54CFA9D54879EBBF5EF48304F208499E059AB3A0CB34A984CF65

                                    Control-flow Graph
                                    • Block 893: 5b6ed40-5b6edcf, GetCurrentProcess -> 897, 898
                                    • Block 897: 5b6edd1-5b6edd7 -> 898
                                    • Block 898: 5b6edd8-5b6ee0c, GetCurrentThread -> 899, 900
                                    • Block 899: 5b6ee15-5b6ee49, GetCurrentProcess -> 901, 902
                                    • Block 900: 5b6ee0e-5b6ee14 -> 899
                                    • Block 901: 5b6ee52-5b6ee6d, call 5b6ef1a -> 906
                                    • Block 902: 5b6ee4b-5b6ee51 -> 901
                                    • Block 906: 5b6ee73-5b6eea2, GetCurrentThreadId -> 907, 908
                                    • Block 907: 5b6eea4-5b6eeaa -> 908
                                    • Block 908: 5b6eeab-5b6ef0d
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 05B6EDBE
                                    • GetCurrentThread.KERNEL32 ref: 05B6EDFB
                                    • GetCurrentProcess.KERNEL32 ref: 05B6EE38
                                    • GetCurrentThreadId.KERNEL32 ref: 05B6EE91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895022699.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5b60000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID: vy
                                    • API String ID: 2063062207-2544928794
                                    • Opcode ID: d3407f2228b5a1b38f404d62bb9eb7fc13a92899ab33d8aef4dbdcf6f1b8cb93
                                    • Instruction ID: 2f4e7399c4ff98aad9495df0c52401667279a1337bb774d9bf18ec8e6518f7d3
                                    • Opcode Fuzzy Hash: d3407f2228b5a1b38f404d62bb9eb7fc13a92899ab33d8aef4dbdcf6f1b8cb93
                                    • Instruction Fuzzy Hash: 2A5155B59002098FDB54DFA9D548BDEBBF5EF88314F20C499E019A73A0DB34A984CF65

                                    Control-flow Graph
                                    • Block 1486: 4018f0-4018fa -> 1487, 1488
                                    • Block 1487: 401903-40193e, lstrlenA, call 4017e0, MultiByteToWideChar -> 1491, 1492
                                    • Block 1488: 4018fc-401900
                                    • Block 1491: 401940-401949, GetLastError -> 1493, 1494
                                    • Block 1492: 401996-40199a
                                    • Block 1493: 40194b-40198c, MultiByteToWideChar, call 4017e0, MultiByteToWideChar -> 1494
                                    • Block 1494: 40198d-40198f -> 1492, 1496
                                    • Block 1496: 401991, call 401030 -> 1492
                                    APIs
                                    • lstrlenA.KERNEL32(?), ref: 00401906
                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
                                    • GetLastError.KERNEL32 ref: 00401940
                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorLastlstrlen
                                    • String ID:
                                    • API String ID: 3322701435-0
                                    • Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                    • Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
                                    • Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                                    • Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

                                    Control-flow Graph
                                    • Block 1499: 40af66-40af6e -> 1500
                                    • Block 1500: 40af7d-40af88, call 40b84d -> 1503, 1504
                                    • Block 1503: 40af70-40af7b, call 40d2e3 -> 1500, 1507
                                    • Block 1504: 40af8a-40af8b
                                    • Block 1507: 40af8c-40af98 -> 1508, 1509
                                    • Block 1508: 40afb3-40afca, call 40af49, call 40cd39
                                    • Block 1509: 40af9a-40afb2, call 40aefc, call 40d2bd -> 1508
                                    APIs
                                    • _malloc.LIBCMT ref: 0040AF80
                                      • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                      • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                      • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                    • std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
                                      • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
                                    • std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
                                    • __CxxThrowException@8.LIBCMT ref: 0040AFC5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                    • String ID:
                                    • API String ID: 1411284514-0
                                    • Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                                    • Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
                                    • Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                                    • Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0636745E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895417136.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6360000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 421cb9d6b32d9b5cc29510ae6859e5debc122a26c287a1da18ac73d396f9b864
                                    • Instruction ID: 06c852c71cbe1cfc9406e25e655e66ccbb181cb6420a3d35eb8dc2bdc77e90e5
                                    • Opcode Fuzzy Hash: 421cb9d6b32d9b5cc29510ae6859e5debc122a26c287a1da18ac73d396f9b864
                                    • Instruction Fuzzy Hash: 59815470A00B018FDBA4CF2AD44579ABBF5BF48304F008A2EE486DBB54D775E949CB91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895022699.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5b60000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fd3a8ab5b1cf13de0cd1d1eb529cbdba25d262ee3310e11ca82a8e59342db648
                                    • Instruction ID: 2a8456bd93dc6b3b36a727bb6f7cf79de3fdb217c31c12c1bca604741cf410f2
                                    • Opcode Fuzzy Hash: fd3a8ab5b1cf13de0cd1d1eb529cbdba25d262ee3310e11ca82a8e59342db648
                                    • Instruction Fuzzy Hash: 70412272E047558FCB04DFA9D8043AEBBF1AF89310F1485AAD408EB291DB78A844CB91
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06368B82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895417136.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6360000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 6c557767c8d49b142cf77cbb39dd6d3dd75227619ec3534118281bd7e19844d3
                                    • Instruction ID: 7d38e9d22a56b22144a730312f040aadf5d74fc7cdc7b00f1698b2fffa7a5ffc
                                    • Opcode Fuzzy Hash: 6c557767c8d49b142cf77cbb39dd6d3dd75227619ec3534118281bd7e19844d3
                                    • Instruction Fuzzy Hash: 8351DEB1D00359DFDB14CF9AC984ADEBBB5FF48310F24822AE818AB254D7709985CF90
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06368B82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895417136.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6360000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 81fe26b10e7ac2d5c51da91ce0f84d847d963b3d4f96caef813b9d32bb9e5215
                                    • Instruction ID: a58811e2424e3b45b67d783fe65fe4029582e8107a3bcf1a518acaa5e09c3e4c
                                    • Opcode Fuzzy Hash: 81fe26b10e7ac2d5c51da91ce0f84d847d963b3d4f96caef813b9d32bb9e5215
                                    • Instruction Fuzzy Hash: DC41CEB1D003199FDB14CF9AC984ADEBBF5FF48310F24812AE818AB254D7709985CF90
                                    APIs
                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 0636B271
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895417136.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6360000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: CallProcWindow
                                    • String ID:
                                    • API String ID: 2714655100-0
                                    • Opcode ID: 5e91fde319d2dcb1279d56dd7d9a82ef0bed04c68fdae130c2517f0e2f90529e
                                    • Instruction ID: 699fb5110b52448b106980b442a69a41cebc90350cf31f3640e98799b153448a
                                    • Opcode Fuzzy Hash: 5e91fde319d2dcb1279d56dd7d9a82ef0bed04c68fdae130c2517f0e2f90529e
                                    • Instruction Fuzzy Hash: 233137B8A00605CFDB54CF96C448AAEFBF5FB89314F24C458E119AB365C730A845CFA0
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05B6F00F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895022699.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5b60000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: e9769ba9c1ee8c42a7795d0629e9484f20484a9a851b8e67c1141dd2483db982
                                    • Instruction ID: a23d05d33f9b1d6b76de5d4557d8fb4cb073775d758ee003be4eb0aa9a7faf51
                                    • Opcode Fuzzy Hash: e9769ba9c1ee8c42a7795d0629e9484f20484a9a851b8e67c1141dd2483db982
                                    • Instruction Fuzzy Hash: 282114B5D002089FDB10CFA9D984AEEBBF8FF08320F14845AE964A3350D378A940CF64
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05B6F00F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895022699.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5b60000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 2acdf43f10ab35450c8e92a42f240e87926abd2861527aa11eeba8ec73a83b58
                                    • Instruction ID: 2521660f81ff4f658631c5c2942116d77e390d5fcdc6ea9ed43dde2ce39520b0
                                    • Opcode Fuzzy Hash: 2acdf43f10ab35450c8e92a42f240e87926abd2861527aa11eeba8ec73a83b58
                                    • Instruction Fuzzy Hash: 9321F5B59002099FDB10CF9AD984AEEFFF8FB48310F14805AE914A7310D378A940CFA4
                                    APIs
                                    • DeleteFileW.KERNELBASE(00000000), ref: 02771490
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2893730512.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2770000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: DeleteFile
                                    • String ID:
                                    • API String ID: 4033686569-0
                                    • Opcode ID: 5f3c93519be5500a78188a65cbfbac3e39f020edf3f4db61bdb797acae792e2a
                                    • Instruction ID: 9044a4578c17911f0b17350e083485aea82c5db616e0b3955245a9afb804e83a
                                    • Opcode Fuzzy Hash: 5f3c93519be5500a78188a65cbfbac3e39f020edf3f4db61bdb797acae792e2a
                                    • Instruction Fuzzy Hash: 152122B1C0065A9BCB14CF9AC544BEEFBF0EF48320F15816AD858A7650D378AA44CFA5
                                    APIs
                                    • DeleteFileW.KERNELBASE(00000000), ref: 02771490
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2893730512.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2770000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: DeleteFile
                                    • String ID:
                                    • API String ID: 4033686569-0
                                    • Opcode ID: c25ab00324452a94770dd5e63af6a2d9d61ed76078c4a700d77dca5ecb408939
                                    • Instruction ID: 14400e1ab38f4dc868f0269b9ca717d329cd2c7fa9b9528da1990fd21cb35a14
                                    • Opcode Fuzzy Hash: c25ab00324452a94770dd5e63af6a2d9d61ed76078c4a700d77dca5ecb408939
                                    • Instruction Fuzzy Hash: 8A1133B1C0061A9BCB10CF9AC544BAEFBF4EF48320F11816AD858A7650D338AA40CFA5
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02199274
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2892569472.0000000002190000.00000040.00000800.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2190000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 43ad2708eb8c088f3ce6e3e0dceac592c8b1720cd5c7f3111200fafc368040c3
                                    • Instruction ID: 7ecc8564a95839bb8b59223048ffe72f698af7b72e0c57604422fa2c293aaf63
                                    • Opcode Fuzzy Hash: 43ad2708eb8c088f3ce6e3e0dceac592c8b1720cd5c7f3111200fafc368040c3
                                    • Instruction Fuzzy Hash: 831106B1D002499FDB10DFAAC584ADEFBF4EF88320F10842AD459A7250C775A944CFA1
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,063674D9,00000800,00000000,00000000), ref: 063676CA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895417136.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6360000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 77359fda38a1eb91cade0772f8cf01eeb1025b3698e01128bfad76997991f862
                                    • Instruction ID: 3ca49a736a5872b453f6ec5e297a77aadb81f82f87239abc614dce6a4270a9b2
                                    • Opcode Fuzzy Hash: 77359fda38a1eb91cade0772f8cf01eeb1025b3698e01128bfad76997991f862
                                    • Instruction Fuzzy Hash: 1B1123B6D002098FDB20CFAAC944ADEFBF4EB88314F10842AE429B7210C374A545CFA4
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,063674D9,00000800,00000000,00000000), ref: 063676CA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895417136.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6360000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 392e2c1711e7679084fed8377af83bb24a99304b13f6f544993a2afe3ad85f55
                                    • Instruction ID: 8aedd3fc4617e8495eca9a46c64e3dc458fd6d3ddee22ec8d4e72dbfbdcfb0cf
                                    • Opcode Fuzzy Hash: 392e2c1711e7679084fed8377af83bb24a99304b13f6f544993a2afe3ad85f55
                                    • Instruction Fuzzy Hash: 781126B6D002498FDB20CF9AC844ADEFBF4EB88314F50842AE419B7210C374A945CFA5
                                    APIs
                                    • GlobalMemoryStatusEx.KERNELBASE ref: 05B69F8F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895022699.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5b60000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: GlobalMemoryStatus
                                    • String ID:
                                    • API String ID: 1890195054-0
                                    • Opcode ID: 72d4fceacfc502c19a8ad8bbd058276fc026536a3e6803179bf0c609c8afe311
                                    • Instruction ID: 68c7ce2f8e0fd095751e587e800c994d3a172638ae045ab9d18124622e90a1e6
                                    • Opcode Fuzzy Hash: 72d4fceacfc502c19a8ad8bbd058276fc026536a3e6803179bf0c609c8afe311
                                    • Instruction Fuzzy Hash: 6711E2B1C0065A9FDB10DF9AC544BDEFBF4AF48320F15816AD818A7250D378A944CFA5
                                    APIs
                                    • FindCloseChangeNotification.KERNELBASE ref: 0219943A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2892569472.0000000002190000.00000040.00000800.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2190000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: ChangeCloseFindNotification
                                    • String ID:
                                    • API String ID: 2591292051-0
                                    • Opcode ID: b50202b4b1c998965206e1839f9ad4989cef4b55ab21122ed72854027f6b70c0
                                    • Instruction ID: 14a8ae5ec5117180492d1d46a9f934df6a3caba446f79ad9e4ca6ac4d8ac7dbd
                                    • Opcode Fuzzy Hash: b50202b4b1c998965206e1839f9ad4989cef4b55ab21122ed72854027f6b70c0
                                    • Instruction Fuzzy Hash: DD1136B19002498FDB20DFAAC5457DEFBF8EF88324F208429D559A7250CB75A944CFA4
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0636745E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895417136.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6360000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 20e8c760e3aa3ed7e725657a2a09f1696dd2a34e897770867558837b8597f0c0
                                    • Instruction ID: c3f380eabf1867fabbe9d8c55a879df5fb2d5641da152ceadad266503e3e7ac8
                                    • Opcode Fuzzy Hash: 20e8c760e3aa3ed7e725657a2a09f1696dd2a34e897770867558837b8597f0c0
                                    • Instruction Fuzzy Hash: 0311E0B5C006498FDB10CF9AD448ADEFBF4EF88328F10C46AD469A7614C3B5A545CFA5
                                    APIs
                                      • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
                                    • SysAllocString.OLEAUT32 ref: 00401898
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: AllocString_malloc
                                    • String ID:
                                    • API String ID: 959018026-0
                                    • Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                                    • Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
                                    • Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                                    • Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA
                                    APIs
                                    • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: CreateHeap
                                    • String ID:
                                    • API String ID: 10892065-0
                                    • Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                                    • Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
                                    • Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                                    • Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891753768.000000000060D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_60d000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 02f9daff34ef838fbc32b81789fe35a853e54662535fb6d6ec16f7badab521d7
                                    • Instruction ID: e505800b300037685c56951ecd5b634a458a8193e6ffe2995f6f3cef624b6239
                                    • Opcode Fuzzy Hash: 02f9daff34ef838fbc32b81789fe35a853e54662535fb6d6ec16f7badab521d7
                                    • Instruction Fuzzy Hash: E7212871590204DFCB09DF94D9C4B27BF66FB94314F248669E80D0B396C337D856CAA1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891955220.000000000072D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_72d000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3473e64b7571910cd347559b16da389b29abbf7575792bd28a0a289aa6877783
                                    • Instruction ID: 3aa3abfb71ac1c598d79a8f82b895e38494b5ac459d10a7fc193cbdaf9fdc410
                                    • Opcode Fuzzy Hash: 3473e64b7571910cd347559b16da389b29abbf7575792bd28a0a289aa6877783
                                    • Instruction Fuzzy Hash: C521F2B1504244DFCB34DF14E9C4B26BBA5EB88314F34C669D9494B266C33ADC46CA62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891753768.000000000060D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_60d000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
                                    • Instruction ID: b65a4e2787518f823d8647f391ed55bc3960f440297155d4db51e6e7635c4140
                                    • Opcode Fuzzy Hash: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
                                    • Instruction Fuzzy Hash: 8211BE76544280CFCB16CF54D9C4B56BF72FB94324F24C6A9D8090B396C33AD85ACBA2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891955220.000000000072D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_72d000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
                                    • Instruction ID: ff15eac83f79c5185ece25e3b6984a621d568303c9caa6b388156d05ab8b3706
                                    • Opcode Fuzzy Hash: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
                                    • Instruction Fuzzy Hash: 8811BB75504284CFCB21CF14E5C4B15BBA1FB88314F28C6AAD8494B666C33AD84ACB62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891753768.000000000060D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_60d000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: efae8c34b11acbf8b2639fabce109c0c9819bc365437e78f7c0653b25ba65673
                                    • Instruction ID: a7b80f7f362ad3f28035c8afa0efd6c8f6243b53774397de9590741af258a1c4
                                    • Opcode Fuzzy Hash: efae8c34b11acbf8b2639fabce109c0c9819bc365437e78f7c0653b25ba65673
                                    • Instruction Fuzzy Hash: 56014C6140E3C09ED7178B258894B92BFB4EF53224F19C1DBD8888F2E3C2699C49C772
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891753768.000000000060D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0060D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_60d000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8db3470612506a2eed7d407c085d8ce7519f8575b084d4024e905108ea8586e7
                                    • Instruction ID: c22d9c3037c8f46ec39b7d7d29608f69463573e76ae614d2f0f153375b370265
                                    • Opcode Fuzzy Hash: 8db3470612506a2eed7d407c085d8ce7519f8575b084d4024e905108ea8586e7
                                    • Instruction Fuzzy Hash: 9401F7714483009AE7144E65C984BA7BFD9DF45324F18C62AEC4E0B2C6C2799C42C6B1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895022699.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5b60000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
                                    • API String ID: 0-1324371161
                                    • Opcode ID: 4b9374bf50049f4f3e60d6787a4b93427c9f9d4771786667dcf2fa7ae0e61e3f
                                    • Instruction ID: 12e3b2e55aabafd9669e922d6141711e1776090f857aee9cbec43390ed109294
                                    • Opcode Fuzzy Hash: 4b9374bf50049f4f3e60d6787a4b93427c9f9d4771786667dcf2fa7ae0e61e3f
                                    • Instruction Fuzzy Hash: 84123130A016198FDB24EF65C954A6EB7F7FF89300F2485A9D40AAB354DB35AD85CF80
                                    APIs
                                    • IsDebuggerPresent.KERNEL32 ref: 004136F4
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
                                    • UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
                                    • TerminateProcess.KERNEL32(00000000), ref: 00413737
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                    • String ID:
                                    • API String ID: 2579439406-0
                                    • Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                    • Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
                                    • Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                    • Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: @$@$PA
                                    • API String ID: 0-3039612711
                                    • Opcode ID: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
                                    • Instruction ID: 284407f43597d2b1529aa5dbb826e4f49811f0ea4eaa41d9cabafce47d44ff82
                                    • Opcode Fuzzy Hash: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
                                    • Instruction Fuzzy Hash: 64E159316083418FC724DF28C58066BB7E1AFD9314F14493EE8C5A7391EB79D949CB8A
                                    APIs
                                    • GetProcessHeap.KERNEL32 ref: 0040ADD0
                                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                                    • Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
                                    • Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                                    • Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2892569472.0000000002190000.00000040.00000800.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2190000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'kq
                                    • API String ID: 0-3255046985
                                    • Opcode ID: 4c5f69f814825ba93c6e254cea6f0d71525f6c824f9fe94e3877e5e8e7ba02e6
                                    • Instruction ID: 7e1791666bd28777618fa68421e6f56fc57bb21a7886d7ca9888985ad57150c7
                                    • Opcode Fuzzy Hash: 4c5f69f814825ba93c6e254cea6f0d71525f6c824f9fe94e3877e5e8e7ba02e6
                                    • Instruction Fuzzy Hash: 3AA10BB1D453914FD706DF39986029ABFB7AF86304F08C6ABC0449F2AADB35590BC760
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
                                    • Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
                                    • Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
                                    • Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2892569472.0000000002190000.00000040.00000800.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2190000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'kq
                                    • API String ID: 0-3255046985
                                    • Opcode ID: aa52ca0ef5fb7442439ebd306b422c62cc14399b82bded5e7bd18038ca629455
                                    • Instruction ID: a336197ce03810ae9336aa8420333ad2e244046aae33dda99218a41f45d30303
                                    • Opcode Fuzzy Hash: aa52ca0ef5fb7442439ebd306b422c62cc14399b82bded5e7bd18038ca629455
                                    • Instruction Fuzzy Hash: 207154B1D452554FD70ADF3AE96069ABFB7BFC5300F14C66BC0049B2A9DB34590ACB60
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2892569472.0000000002190000.00000040.00000800.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2190000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 4'kq
                                    • API String ID: 0-3255046985
                                    • Opcode ID: fa9723c1a09db5e65b6625b8b0838f332cdcbcd2682a3ba3c6511e25368481c2
                                    • Instruction ID: b325cd5d79c1a4ba7ce092d9956cfeb0cb504bcbf3cc9b2aa58fb0e23c1c11ea
                                    • Opcode Fuzzy Hash: fa9723c1a09db5e65b6625b8b0838f332cdcbcd2682a3ba3c6511e25368481c2
                                    • Instruction Fuzzy Hash: 665121B0E402158FD749EF7AE99065ABBE7BBC9300F14C63AD0049B36DDF7469068B60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
                                    • Instruction ID: d5e3495c9826dce769b252ea72d1bcaf7b5d46a24141b332915225fd3cdae7ad
                                    • Opcode Fuzzy Hash: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
                                    • Instruction Fuzzy Hash: 9852A471A047129FC708CF29C99066AB7E1FF88304F044A3EE896E7B81D739E955CB95
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
                                    • Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
                                    • Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
                                    • Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
                                    • Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
                                    • Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
                                    • Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895022699.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_5b60000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6828f98be5290e6431fdf09777c36505a4471724854eaa1362c72fc01872f794
                                    • Instruction ID: 0afcd026faa9f1733b230ae9759efbe1a6257a387044bb39a5fd00556ae13309
                                    • Opcode Fuzzy Hash: 6828f98be5290e6431fdf09777c36505a4471724854eaa1362c72fc01872f794
                                    • Instruction Fuzzy Hash: 76C19330B001158FDB24DB68D554BBEB7E7FB89310F2488A9E405DB395DB79EC828B91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2893730512.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2770000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 957d27ea8d8dd2410ec4898eb79675fcb5a243985ef1bfe6a77b9ba74ed5236c
                                    • Instruction ID: b8960d7503e3ccc70b92f7bf912f821aacd9b1890479aef52d5d8654e259746a
                                    • Opcode Fuzzy Hash: 957d27ea8d8dd2410ec4898eb79675fcb5a243985ef1bfe6a77b9ba74ed5236c
                                    • Instruction Fuzzy Hash: F112A6F0C917468BE710CF25E9EC2893BB9BB41318FD04A0BD2615B2E9D7B4156ACF64
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2892569472.0000000002190000.00000040.00000800.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2190000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e1533d5dff8b01d26c0ed819917314c60653f42e24a8b64509acdd60343b0118
                                    • Instruction ID: 567e8a736cc929a9f948f87dc09651a5ae13cad9761cafb50b63824d88866907
                                    • Opcode Fuzzy Hash: e1533d5dff8b01d26c0ed819917314c60653f42e24a8b64509acdd60343b0118
                                    • Instruction Fuzzy Hash: 27B16EB1E40209CFDF14DFA9E9857AEBBF2AF88304F148129D815AB254EB749945CF81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2895417136.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6360000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 84b0ea57a24b7f1d0f6acd81294757ab532d2d3d0e3d3910797407d9f18e29c6
                                    • Instruction ID: c30befa4fe66768d4e72a1e1fbba65dee8a81114f385d7850deb8fe07ed5d627
                                    • Opcode Fuzzy Hash: 84b0ea57a24b7f1d0f6acd81294757ab532d2d3d0e3d3910797407d9f18e29c6
                                    • Instruction Fuzzy Hash: 15A18E32E10619CFCF45DFA6C84159EBBB2FF86300B15856AF806AB215DB31E955CBC0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2893730512.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2770000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: debd3f3eb0a60f19f825dba6e8a89fa18aa51daafdc7c41ad64dd8444814e7a5
                                    • Instruction ID: 9e0491efd22174b6b298cca98606a7b1323e86c6c39e4902de0ea0a982bc904f
                                    • Opcode Fuzzy Hash: debd3f3eb0a60f19f825dba6e8a89fa18aa51daafdc7c41ad64dd8444814e7a5
                                    • Instruction Fuzzy Hash: A6D14AF0C817468BD710CF25E8EC1897BB9BB85314F944B0BD1606B2E9DBB414AACF64
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
                                    • Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
                                    • Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
                                    • Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
                                    • Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
                                    • Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
                                    • Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
                                    • Instruction ID: 39afabd8a370e1aacf823bb5b0eb141e0e266d105c364ee31248ba7b153c19f0
                                    • Opcode Fuzzy Hash: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
                                    • Instruction Fuzzy Hash: 2851F94400D7E18EC716873A44E0AA7BFD10FAB115F4E9ACDA5E90B2E3C159C288DB77
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
                                    • Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
                                    • Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
                                    • Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
                                    • Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
                                    • Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
                                    • Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785
                                    APIs
                                    • LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
                                    • GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,021E1900), ref: 004170C5
                                    • MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
                                    • _malloc.LIBCMT ref: 0041718A
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
                                    • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
                                    • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
                                    • _malloc.LIBCMT ref: 0041724C
                                    • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
                                    • __freea.LIBCMT ref: 004172A4
                                    • __freea.LIBCMT ref: 004172AD
                                    • ___ansicp.LIBCMT ref: 004172DE
                                    • ___convertcp.LIBCMT ref: 00417309
                                    • LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
                                    • _malloc.LIBCMT ref: 00417362
                                    • _memset.LIBCMT ref: 00417384
                                    • LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
                                    • ___convertcp.LIBCMT ref: 004173BA
                                    • __freea.LIBCMT ref: 004173CF
                                    • LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
                                    • String ID:
                                    • API String ID: 3809854901-0
                                    • Opcode ID: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
                                    • Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
                                    • Opcode Fuzzy Hash: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
                                    • Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98
                                    APIs
                                    • _malloc.LIBCMT ref: 004057DE
                                      • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                                      • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                                      • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                                    • _malloc.LIBCMT ref: 00405842
                                    • _malloc.LIBCMT ref: 00405906
                                    • _malloc.LIBCMT ref: 00405930
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: _malloc$AllocateHeap
                                    • String ID: 1.2.3
                                    • API String ID: 680241177-2310465506
                                    • Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
                                    • Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
                                    • Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
                                    • Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                                    • String ID:
                                    • API String ID: 3886058894-0
                                    • Opcode ID: 61b9ef8a6f765c58139a33a573ef994292dae8fcc9e916c915b81b6d9ebba236
                                    • Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
                                    • Opcode Fuzzy Hash: 61b9ef8a6f765c58139a33a573ef994292dae8fcc9e916c915b81b6d9ebba236
                                    • Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
                                    APIs
                                    • __lock_file.LIBCMT ref: 0040C6C8
                                    • __fileno.LIBCMT ref: 0040C6D6
                                    • __fileno.LIBCMT ref: 0040C6E2
                                    • __fileno.LIBCMT ref: 0040C6EE
                                    • __fileno.LIBCMT ref: 0040C6FE
                                      • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                      • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
                                    • String ID: 'B
                                    • API String ID: 2805327698-2787509829
                                    • Opcode ID: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
                                    • Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
                                    • Opcode Fuzzy Hash: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
                                    • Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D
                                    APIs
                                    • __getptd.LIBCMT ref: 00414744
                                      • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                      • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                    • __getptd.LIBCMT ref: 0041475B
                                    • __amsg_exit.LIBCMT ref: 00414769
                                    • __lock.LIBCMT ref: 00414779
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                    • String ID: @.B
                                    • API String ID: 3521780317-470711618
                                    • Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                                    • Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
                                    • Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                                    • Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D
                                    APIs
                                    • __getptd.LIBCMT ref: 00413FD8
                                      • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                      • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                    • __amsg_exit.LIBCMT ref: 00413FF8
                                    • __lock.LIBCMT ref: 00414008
                                    • InterlockedDecrement.KERNEL32(?), ref: 00414025
                                    • InterlockedIncrement.KERNEL32(021E1660), ref: 00414050
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                    • String ID:
                                    • API String ID: 4271482742-0
                                    • Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                                    • Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
                                    • Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                                    • Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: __calloc_crt
                                    • String ID: P$B$`$B
                                    • API String ID: 3494438863-235554963
                                    • Opcode ID: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
                                    • Instruction ID: 4bdca0f49684ef71ac3198dcc3f656e5d5ce7fed137673697bf40858e87bd1f9
                                    • Opcode Fuzzy Hash: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
                                    • Instruction Fuzzy Hash: 6011A3327446115BE7348B1DBD50F662391EB84728BA4423BE619EA7E0E77CD8864A4C
                                    APIs
                                    • GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
                                    • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: IsProcessorFeaturePresent$KERNEL32
                                    • API String ID: 1646373207-3105848591
                                    • Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                    • Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
                                    • Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                    • Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A
                                    APIs
                                    • ___addlocaleref.LIBCMT ref: 0041470C
                                      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
                                      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145F1
                                      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145FE
                                      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041460B
                                      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414618
                                      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414634
                                      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414644
                                      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041465A
                                    • ___removelocaleref.LIBCMT ref: 00414717
                                      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 0041467B
                                      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414688
                                      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414695
                                      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146A2
                                      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146AF
                                      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146CB
                                      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
                                      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146F1
                                    • ___freetlocinfo.LIBCMT ref: 0041472B
                                      • Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
                                      • Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
                                      • Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
                                    • String ID: @.B
                                    • API String ID: 467427115-470711618
                                    • Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
                                    • Instruction ID: 8e9b8205a585dc9325c25650a27042e0212317e7447dcce9b0fe23aa5a8dd77f
                                    • Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
                                    • Instruction Fuzzy Hash: BDE0863250192255CE35261D76806EF93A98FD3725B3A017FF864AF7D8EB2C4CC0809D
                                    APIs
                                    • __fileno.LIBCMT ref: 0040C77C
                                    • __locking.LIBCMT ref: 0040C791
                                      • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                                      • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: __decode_pointer__fileno__getptd_noexit__locking
                                    • String ID:
                                    • API String ID: 2395185920-0
                                    • Opcode ID: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
                                    • Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
                                    • Opcode Fuzzy Hash: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
                                    • Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: _fseek_malloc_memset
                                    • String ID:
                                    • API String ID: 208892515-0
                                    • Opcode ID: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
                                    • Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
                                    • Opcode Fuzzy Hash: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
                                    • Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89
                                    APIs
                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
                                    • __isleadbyte_l.LIBCMT ref: 00415307
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,?,?,00000000,?,?,?), ref: 00415338
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,00000001,?,00000000,?,?,?), ref: 004153A6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                    • String ID:
                                    • API String ID: 3058430110-0
                                    • Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                                    • Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
                                    • Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                                    • Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2891267853.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2891234724.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891315681.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2891353782.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_1dd97881cd53e8039e8c343990524ff21292be0e9deb7ec5ad078bfe945c0189_dump.jbxd
                                    Similarity
                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                    • String ID:
                                    • API String ID: 3016257755-0
                                    • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                    • Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
                                    • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                    • Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

                                    Execution Graph

                                    Execution Coverage:11.3%
                                    Dynamic/Decrypted Code Coverage:92.1%
                                    Signature Coverage:0%
                                    Total number of Nodes:38
                                    Total number of Limit Nodes:5
Execution graph (rendered figure; the flattened node and edge list is omitted). 38 nodes in three disjoint call chains, all located in the 020B0000, 05B30000 and 05B60000 dumps that the report marks "based on PE: false":
• 20b93d8 → 20b9418 FindCloseChangeNotification → 20b9449
• 5b314a8 → 5b314b2 → 5b69020 / 5b69010 → 5b69035 → … → GlobalMemoryStatusEx (call sites 5b69650, 5b69680, 5b69e40, 5b69f6e)
• 20b0890 → 20b08b1 → 20b4184 → 20b9150 → 20b9163 → 20b9200 → 20b9248 VirtualProtect → 20b41a0
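Joe Sandbox renders the Execution Graph as a Graphviz figure; what survives in a text export is its flattened node and edge list (`execution_graph <id> <hex-addr> [ApiName ...] ... <src>-><dst> ...`). The Python below is an added example, not part of the report or of Joe Sandbox's own tooling: it parses that listing, recovers nodes, edges and API annotations, finds the entry points (nodes with no predecessor) and reports which Windows APIs each entry point reaches. The sample input is the edge list copied from this report's Execution Graph section. Grouping addresses into 64 KiB regions is an assumption based on Windows' allocation granularity, not something the report states.

```python
"""Parse the flattened ``execution_graph`` listing of a Joe Sandbox report.

Added example; not part of the Joe Sandbox report or its tooling.
Format: ``execution_graph <id> <hex-addr> [ApiName ...] ... <src>-><dst>``
where node ids are decimal, addresses are hex without a 0x prefix, optional
API names follow a node's address, and edges are ``src->dst`` tokens.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Edge list copied from this report's Execution Graph section (analysis 1467918).
EXECUTION_GRAPH = (
    "execution_graph 22590 20b93d8 22591 20b9418 FindCloseChangeNotification "
    "22590->22591 22593 20b9449 22591->22593 22594 5b314a8 22595 5b314b2 "
    "22594->22595 22598 5b314cc 22595->22598 22599 5b69020 22595->22599 "
    "22604 5b69010 22595->22604 22601 5b69035 22599->22601 22600 5b6924a "
    "22600->22598 22601->22600 22602 5b69680 GlobalMemoryStatusEx 22601->22602 "
    "22609 5b69650 22601->22609 22602->22601 22606 5b69035 22604->22606 "
    "22605 5b6924a 22605->22598 22606->22605 22607 5b69650 GlobalMemoryStatusEx "
    "22606->22607 22608 5b69680 GlobalMemoryStatusEx 22606->22608 22607->22606 "
    "22608->22606 22611 5b69655 22609->22611 22610 5b6965a 22611->22610 "
    "22615 5b69e18 22611->22615 22618 5b69e08 22611->22618 22612 5b69760 "
    "22612->22601 22621 5b69e40 22615->22621 22616 5b69e26 22616->22612 "
    "22619 5b69e26 22618->22619 22620 5b69e40 GlobalMemoryStatusEx 22618->22620 "
    "22619->22612 22620->22619 22622 5b69e5d 22621->22622 22623 5b69e85 "
    "22621->22623 22622->22616 22623->22622 22624 5b69f6e GlobalMemoryStatusEx "
    "22623->22624 22625 5b69f9e 22624->22625 22625->22616 22626 20b0890 "
    "22627 20b08b1 22626->22627 22628 20b097a 22627->22628 22630 20b4184 "
    "22627->22630 22633 20b9150 22630->22633 22635 20b9163 22633->22635 "
    "22637 20b9200 22635->22637 22638 20b9248 VirtualProtect 22637->22638 "
    "22640 20b41a0 22638->22640"
)

_EDGE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Node:
    nid: int
    addr: int
    apis: list[str] = field(default_factory=list)  # API names annotated on the node


@dataclass
class Graph:
    nodes: dict[int, Node] = field(default_factory=dict)
    edges: list[tuple[int, int]] = field(default_factory=list)


def parse_execution_graph(text: str) -> Graph:
    """Tokenise the listing: edges are ``a->b``, a node is ``<id> <addr> [apis...]``."""
    tokens = text.split()
    if not tokens or tokens[0] != "execution_graph":
        raise ValueError("not an execution_graph listing")
    g = Graph()
    i = 1
    while i < len(tokens):
        m = _EDGE.match(tokens[i])
        if m:
            g.edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if not tokens[i].isdigit():
            raise ValueError(f"unexpected token {tokens[i]!r} at position {i}")
        node = Node(nid=int(tokens[i]), addr=int(tokens[i + 1], 16))
        i += 2
        # Anything up to the next node id or edge is an API annotation.
        while i < len(tokens) and not tokens[i].isdigit() and not _EDGE.match(tokens[i]):
            node.apis.append(tokens[i])
            i += 1
        g.nodes[node.nid] = node
    return g


def roots(g: Graph) -> list[int]:
    """Entry points: nodes that are never an edge target."""
    targets = {dst for _, dst in g.edges}
    return sorted(n for n in g.nodes if n not in targets)


def reachable_apis(g: Graph, start: int) -> set[str]:
    """All API names on nodes reachable from ``start`` (iterative DFS, cycle-safe)."""
    succ = defaultdict(list)
    for src, dst in g.edges:
        succ[src].append(dst)
    seen, stack, apis = set(), [start], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        apis.update(g.nodes[n].apis)
        stack.extend(succ[n])
    return apis


def api_call_sites(g: Graph) -> dict[str, list[int]]:
    """API name -> sorted, de-duplicated node addresses annotated with it."""
    sites = defaultdict(set)
    for node in g.nodes.values():
        for api in node.apis:
            sites[api].add(node.addr)
    return {api: sorted(addrs) for api, addrs in sites.items()}


def region_base(addr: int, granularity: int = 0x10000) -> int:
    # Assumption: VirtualAlloc regions start on 64 KiB boundaries, so rounding
    # down groups nodes by the allocation the report dumped (e.g. 020B0000).
    return addr & ~(granularity - 1)


def summarize(g: Graph) -> list[str]:
    """One line per entry point: address, 64 KiB region, reachable APIs."""
    lines = []
    for r in roots(g):
        node = g.nodes[r]
        apis = ", ".join(sorted(reachable_apis(g, r))) or "(none)"
        lines.append(f"entry {node.addr:08x} in region {region_base(node.addr):08X}: {apis}")
    return lines


if __name__ == "__main__":
    graph = parse_execution_graph(EXECUTION_GRAPH)
    print(f"{len(graph.nodes)} nodes, {len(graph.edges)} edges")
    for line in summarize(graph):
        print(line)
    for api, addrs in sorted(api_call_sites(graph).items()):
        print(api, ", ".join(f"{a:x}" for a in addrs))
```

Run against this report's listing it yields three entry points: 20b93d8 (reaches FindCloseChangeNotification), 5b314a8 (reaches GlobalMemoryStatusEx through four call sites) and 20b0890 (reaches VirtualProtect), all in the 020B0000, 05B30000 and 05B60000 dumps the report marks "based on PE: false", i.e. code written into memory at run time rather than loaded from the sample's image. GlobalMemoryStatusEx returns the installed RAM, a value commonly compared against a threshold to fingerprint low-memory analysis VMs, and VirtualProtect from non-image memory is the usual signature of a stage changing page permissions on code it has just written; the report itself does not state what this sample does with either result.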

                                    Control-flow Graph

Control-flow graph for the function at 5b3c2c0 (rendered figure; the flattened basic-block list and executed/not-executed colouring are omitted). Basic blocks span 5b3c2c0-5b3cacf. Calls: 5b3cb00 or 5b3caf9 from 5b3c36e, 5b38a40 from 5b3c749, 5b38a4c from 5b3c762, 5b38a58 from 5b3c919. No Windows API is called directly.
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1834087446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_5b30000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                                    • API String ID: 0-1342094364
                                    • Opcode ID: 436f92a033850937c99e1c127621c5abf0d35d91b19b498e668fc7ab3bbdd303
                                    • Instruction ID: 6ed8a47d502b48510082e391cec3ece68e7216ff898f441f4c7b7a7393cfe6c0
                                    • Opcode Fuzzy Hash: 436f92a033850937c99e1c127621c5abf0d35d91b19b498e668fc7ab3bbdd303
                                    • Instruction Fuzzy Hash: 34321135E1061A8BCB14EFB5D99459EB7B2FF89300F209699D409B7264EF30AD85CB90
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1834087446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_5b30000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a31d0c37dad169b5aade4f829ed49317943db26cc1cb5d0ff9169a618f023095
                                    • Instruction ID: 7cab344f198c8a5fc2fce6f6ab5d1348c0767a03a16bea0a7c8ae04b572316b9
                                    • Opcode Fuzzy Hash: a31d0c37dad169b5aade4f829ed49317943db26cc1cb5d0ff9169a618f023095
                                    • Instruction Fuzzy Hash: 0D53E731D10B1A8ACB51EF68C8845A9F7B1FF99300F51D79AE4587B125EF70AAC4CB81

                                    Control-flow Graph

Control-flow graph for the function at 5b3e598 (rendered figure; the flattened basic-block list and executed/not-executed colouring are omitted). Basic blocks span 5b3e598-5b3ecb7; the function contains no calls.
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1834087446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_5b30000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $
                                    • API String ID: 0-3993045852
                                    • Opcode ID: 0e70ef24790355944c376ca00a93c7d7f385f1cb6c26214d2900aa61e8d907fb
                                    • Instruction ID: c1772829f0031ccb9d6365e11155d76778d42908d469270397c6aabedf5273fe
                                    • Opcode Fuzzy Hash: 0e70ef24790355944c376ca00a93c7d7f385f1cb6c26214d2900aa61e8d907fb
                                    • Instruction Fuzzy Hash: DE229175E002199FDF24DB64C581AAEBBB6FF84310F2485AAD406BB394DB35EC45CB90

                                    Control-flow Graph

Control-flow graph for the function at 5b3db40 (rendered figure; the flattened basic-block list and executed/not-executed colouring are omitted). Basic blocks span 5b3db40-5b3e28b; a single call to 5b3e412 from block 5b3dc6d-5b3dcba.
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1834087446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_5b30000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: fpq$XPpq$\Opq
                                    • API String ID: 0-2571271785
                                    • Opcode ID: bd9e1dae6ef2c91ccd0bbc1eb757bd223a4e3932eb76a7f7e0519b7b89cb11c2
                                    • Instruction ID: 9b72fa68e8804346554c7060d1b0ae48cab78f3782989342443d8293bd4c3bce
                                    • Opcode Fuzzy Hash: bd9e1dae6ef2c91ccd0bbc1eb757bd223a4e3932eb76a7f7e0519b7b89cb11c2
                                    • Instruction Fuzzy Hash: C2618E71B002099FDF149FA8C955BAEBAF6FF88740F208069E506AB3A4DF759C418B54

                                    Control-flow Graph

Control-flow graph for the function at 5b69e40 (rendered figure; the flattened basic-block list and executed/not-executed colouring are omitted). Basic blocks span 5b69e40-5b69fcd. Calls: 5b652c0 from block 5b69e5d-5b69e7c, 5b69580 from block 5b69e85-5b69ea4, GlobalMemoryStatusEx from block 5b69f0f-5b69f9c.
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1834107447.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_5b60000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 142c4aa1ff5b6c75e3df579fbbb6acc065592afb7e1481c5aba65166c1c71b9c
                                    • Instruction ID: d7abc11f9ce1c65753e9061d4088774103196859a04f6798ad62723e80fe2b81
                                    • Opcode Fuzzy Hash: 142c4aa1ff5b6c75e3df579fbbb6acc065592afb7e1481c5aba65166c1c71b9c
                                    • Instruction Fuzzy Hash: 4D4123B2E047958FC700CFA9D40439EBBF1EF99310F1985AAD444E7251DB38A845CBD1

                                    Control-flow Graph

Control-flow graph for the function at 20b9200 (rendered figure; the flattened basic-block list and executed/not-executed colouring are omitted). Basic blocks span 20b9200-20b92af; VirtualProtect is called from the first block, 20b9200-20b9281.
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 020B9274
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1831816769.00000000020B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_20b0000_fMNDB.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 2831f9c55f57e0ffc77adf3d244d78fc52a0949be9b3c23ce78e1b17da168b10
                                    • Instruction ID: fff6257cf4810c86eef96decc605adb6b221b56ff1307838ced3d7ecb2e23e5e
                                    • Opcode Fuzzy Hash: 2831f9c55f57e0ffc77adf3d244d78fc52a0949be9b3c23ce78e1b17da168b10
                                    • Instruction Fuzzy Hash: 4011F4B1D003499FDB10DFAAC584ADEFBF4EF48324F10842AD559A7250CB75A944CFA5
                                    APIs
                                    • GlobalMemoryStatusEx.KERNELBASE ref: 05B69F8F
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1834107447.0000000005B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_5b60000_fMNDB.jbxd
                                    Similarity
                                    • API ID: GlobalMemoryStatus
                                    • String ID:
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_5b30000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 37e6cba9bbbac7b10df6d6cf3863fd28321055f144c5af81ea1bd1736c8b831b
                                    • Instruction ID: 68e64052c6875a728c3d25bf53e9eee9d78383a11e7b36c88775487422056b99
                                    • Opcode Fuzzy Hash: 37e6cba9bbbac7b10df6d6cf3863fd28321055f144c5af81ea1bd1736c8b831b
                                    • Instruction Fuzzy Hash: 8601B1317004110FDB209ABCD951B2AB7E7EBC9B60F20887AE40ACB394E932DC034395
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1834087446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_5b30000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9782652149a85ba45bef4dc67a8b7633d73407d5ad702f8bab1e6124fee72b93
                                    • Instruction ID: d64c822a3fe17b361a2e2d963c38dca86104929f61ec5bfc4a6397a0b13aaac5
                                    • Opcode Fuzzy Hash: 9782652149a85ba45bef4dc67a8b7633d73407d5ad702f8bab1e6124fee72b93
                                    • Instruction Fuzzy Hash: 2C21C3B5D012599FCB00DF9AD885ACEFFB4FB49320F10812AE918B7240D374A944CBA5
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1834087446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_5b30000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 988eb882693d7b4d188c7892f87e2f88d39356e37ab28ecfaf0097c1f0ec65af
                                    • Instruction ID: e3f74ffeb7f53c6aab884e5fd32c36ec5c355f9bf90a596ee14d023a95426fec
                                    • Opcode Fuzzy Hash: 988eb882693d7b4d188c7892f87e2f88d39356e37ab28ecfaf0097c1f0ec65af
                                    • Instruction Fuzzy Hash: 5911C0B5D012599BCB00DF9AD884ACEFFB4FB49320F10812AE918B7200D374A944CBA5
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1834087446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_5b30000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b4d70486b1a91a6a4be76dd42a625a1a1b3d9e1da303fd289285dc388bf21b93
                                    • Instruction ID: 78944d90dd6aafc7404b8ec081e766734f1adc1600a8d97b9d03e5e4d2249810
                                    • Opcode Fuzzy Hash: b4d70486b1a91a6a4be76dd42a625a1a1b3d9e1da303fd289285dc388bf21b93
                                    • Instruction Fuzzy Hash: 57014B317004110FDB2499BD9956B2AB7EBEBC9B60F20887AE50AD7394ED62EC034395
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1834087446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_5b30000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9ab702be3a21f1fcc7edd121b6ac9124abf9c099341d161ecb82e28e077c90bc
                                    • Instruction ID: db77cea97bb4cc5864d5ccb3c3789d7c1d9510056297ed532b29ae926c7f12e8
                                    • Opcode Fuzzy Hash: 9ab702be3a21f1fcc7edd121b6ac9124abf9c099341d161ecb82e28e077c90bc
                                    • Instruction Fuzzy Hash: 0D11A131A002048FDB10EF55DD8478ABB66FF81311F54C565C8096F3A9EB71E949CBE1
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1834087446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_5b30000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ca4ff8d971c32d7019a960a034b93d4e7892218d0217779b117037435fd158b9
                                    • Instruction ID: 4d45080e45aa57a27810952e9048e59c78d122405203c5201211073ded97d646
                                    • Opcode Fuzzy Hash: ca4ff8d971c32d7019a960a034b93d4e7892218d0217779b117037435fd158b9
                                    • Instruction Fuzzy Hash: F301DB32B100284BCF589AA8C810AFF36EBEBC8B10F00403AD406F3388EE60EC1247D5
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1831511159.0000000001FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01FCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_1fcd000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0489f0f089dd0c34636d06baf90d4a136699128f2601a6043e41a83b688180ec
                                    • Instruction ID: 31f3a501ab96a85ab07b11ea734663df36f28884da09888591cde6eca167d60b
                                    • Opcode Fuzzy Hash: 0489f0f089dd0c34636d06baf90d4a136699128f2601a6043e41a83b688180ec
                                    • Instruction Fuzzy Hash: 1A01F771448301DAE7104A6DCE8476BBFD8DF417A4F08C53DED4C0B14AC27A9845D6F1
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1831511159.0000000001FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01FCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_1fcd000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 56f3179e1e27be2c786f95cf29cd12de7ec2242283d505cefbac52ead08275ae
                                    • Instruction ID: 5b63138c0a8463e85457dbd5aa44977d7ad311a9366c6466e6cc8fef1cf4a27f
                                    • Opcode Fuzzy Hash: 56f3179e1e27be2c786f95cf29cd12de7ec2242283d505cefbac52ead08275ae
                                    • Instruction Fuzzy Hash: C201807140E3C09FD7128B298D94756BFB4EF53224F09C1DBD8888F1A7C2694849C7B2
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1834087446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_5b30000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3415baa1fccb673e1252e4a7a9dc7476d9a67ffe7d86c5b052a85f7c245c3596
                                    • Instruction ID: 21ca2e11e2250f95e735af4dd42d875722aafa3b1b71a534d5bdbce621adca29
                                    • Opcode Fuzzy Hash: 3415baa1fccb673e1252e4a7a9dc7476d9a67ffe7d86c5b052a85f7c245c3596
                                    • Instruction Fuzzy Hash: BA011635B00204CFCB15EB68D55AB6C3BB2EF89215F5500A8E1069B2B4DF38AD46CF00
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1834087446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_5b30000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9c85bc1b20586e11cad6eb63cfe48f6b9cba9a784d8b44847f49a1228a4096bf
                                    • Instruction ID: ed036aed57c943ccecfd9dfe063d76e50088e090bcd663c803bc9d191309ef9c
                                    • Opcode Fuzzy Hash: 9c85bc1b20586e11cad6eb63cfe48f6b9cba9a784d8b44847f49a1228a4096bf
                                    • Instruction Fuzzy Hash: 4D012C30A40149DFCF04FBA8FA51A9DBBB2EF41348F505A78C0059B278EB319A499B51
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1834087446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_5b30000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4ba9e8611889a89de7859b434d3acfe24fd4b9334a3280fdc67c61726bf7edfb
                                    • Instruction ID: 17c4529c97b2dd566da0db560413f4c0759f0e0ca9d624361d148d7935c43b3e
                                    • Opcode Fuzzy Hash: 4ba9e8611889a89de7859b434d3acfe24fd4b9334a3280fdc67c61726bf7edfb
                                    • Instruction Fuzzy Hash: 2E016D309401099FCF04FFB8FA4199DBBB6EF41304F504A78C0059B238EB31AA49AB91
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.1834087446.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_1_2_5b30000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ccf8c7fc3919ac52f1ebb36b96fe90d88e7f9a066fcf784d325e50528e664572
                                    • Instruction ID: 082c22b538f63fca6eee50bd09c357a37e1a6225661b47e7ff6a4584a5831318
                                    • Opcode Fuzzy Hash: ccf8c7fc3919ac52f1ebb36b96fe90d88e7f9a066fcf784d325e50528e664572
                                    • Instruction Fuzzy Hash: CFE04FB2E011096BDF50DEA4C947B7A77AEE705254F6085A4E849E7342E53AEA024391

                                    Execution Graph

                                    Execution Coverage: 10.1%
                                    Dynamic/Decrypted Code Coverage: 100%
                                    Signature Coverage: 0%
                                    Total number of Nodes: 136
                                    Total number of Limit Nodes: 10

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                                    • API String ID: 0-1342094364
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • String ID: $
                                    • API String ID: 0-3993045852

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 05A2EDBE
                                    • GetCurrentThread.KERNEL32 ref: 05A2EDFB
                                    • GetCurrentProcess.KERNEL32 ref: 05A2EE38
                                    • GetCurrentThreadId.KERNEL32 ref: 05A2EE91
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895187143.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_5a20000_fMNDB.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 05A2EDBE
                                    • GetCurrentThread.KERNEL32 ref: 05A2EDFB
                                    • GetCurrentProcess.KERNEL32 ref: 05A2EE38
                                    • GetCurrentThreadId.KERNEL32 ref: 05A2EE91
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895187143.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_5a20000_fMNDB.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • String ID: fpq$XPpq$\Opq
                                    • API String ID: 0-2571271785
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 06236F7E
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895638476.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6230000_fMNDB.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 9aed5d3cca9864f6b8c90779e4befeb37f8c6c486b45f5a8b8bd9eeac269c5ee
                                    • Instruction ID: b1b054ead7ca5f83c4a2aa8d84ac7d45d5aa30efee0169bed7df95b12120861b
                                    • Opcode Fuzzy Hash: 9aed5d3cca9864f6b8c90779e4befeb37f8c6c486b45f5a8b8bd9eeac269c5ee
                                    • Instruction Fuzzy Hash: 5D8198B0A10B159FDB64CF29D44179ABBF5FF48304F10892ED88ADBA50DB34E949CB90
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 062386A2
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895638476.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6230000_fMNDB.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 2f58da863b9bf029f921437c02cf2b1a0d261de87369b557e82605155e8ddc17
                                    • Instruction ID: d5c23267b4c9a3cd46e7d03a0800516aa53ac5e549ec3c1cca1bd8f5c0734f8a
                                    • Opcode Fuzzy Hash: 2f58da863b9bf029f921437c02cf2b1a0d261de87369b557e82605155e8ddc17
                                    • Instruction Fuzzy Hash: CD6120B1C10349AFCF12CFA9C980ADDBFB1BF49310F24856AE858AB261D7359881CF50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895187143.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_5a20000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 697d1f059e7d2bfbc672e89ce55b1e03aad4f34e8804a575e4a0203cf6a80399
                                    • Instruction ID: 6c2a606595e680d63f885070e8c38abdb9c91b97ef89d4525d3abd544c93e44c
                                    • Opcode Fuzzy Hash: 697d1f059e7d2bfbc672e89ce55b1e03aad4f34e8804a575e4a0203cf6a80399
                                    • Instruction Fuzzy Hash: 87412572E047558FCB04DFA9D4046DEBBF5BF89320F14856AE505A7250DB38A885CBE1
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 062386A2
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895638476.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6230000_fMNDB.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 967ce2f4e0b9f23daf60f47b64ce921666abe8c3e4c6cceb680ce6035f485a5e
                                    • Instruction ID: b4ce82adc969c467ba06022cc0c0b37dfc084ff516d768ec170b51dc427f853c
                                    • Opcode Fuzzy Hash: 967ce2f4e0b9f23daf60f47b64ce921666abe8c3e4c6cceb680ce6035f485a5e
                                    • Instruction Fuzzy Hash: D941B0B1D10319DFDB14CF9AC984ADEBBF5BF48314F24812AE819AB250D775A885CF90
                                    APIs
                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 0623AD91
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895638476.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6230000_fMNDB.jbxd
                                    Similarity
                                    • API ID: CallProcWindow
                                    • String ID:
                                    • API String ID: 2714655100-0
                                    • Opcode ID: 26c0e51fab8b80da5788f21918338167b8417c76cfcdc81d2e34a2985a5f529a
                                    • Instruction ID: 5285ffa59c70db1b99ac724d37f78895c8841b31c030e01a16b10fea37e05a61
                                    • Opcode Fuzzy Hash: 26c0e51fab8b80da5788f21918338167b8417c76cfcdc81d2e34a2985a5f529a
                                    • Instruction Fuzzy Hash: 314129B4A10319CFDB54CF99C448AAABBF5FF88314F24C459D959AB321D774A841CFA0
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05A2F00F
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895187143.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_5a20000_fMNDB.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: bd7fee29b2d4ad13f6b9551345fa5bace6c1400545ddc714eea312f5937c3ad8
                                    • Instruction ID: a2b4f511d0c50f36d6ae0b8e37e8c5b721c13ec83fd562fae9fc9f2da15b767c
                                    • Opcode Fuzzy Hash: bd7fee29b2d4ad13f6b9551345fa5bace6c1400545ddc714eea312f5937c3ad8
                                    • Instruction Fuzzy Hash: CE2116B5900258EFDB10CF9AD985ADEBFF8EB48310F14801AE954A7350D378A944CFA5
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05A2F00F
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895187143.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_5a20000_fMNDB.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 36ccf2be1fe33bfe782567833b81fec4badf07a41f9b8c932bd028d7bf327692
                                    • Instruction ID: 0dab0c903a0cef10076c5ffde2609747e11137289fd1bef6f669594cfdd7d011
                                    • Opcode Fuzzy Hash: 36ccf2be1fe33bfe782567833b81fec4badf07a41f9b8c932bd028d7bf327692
                                    • Instruction Fuzzy Hash: 4721E4B59002189FDB10CF9AD985ADEBBF8EB48310F14801AE918A3350D378A940CFA5
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00779274
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2892294765.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_770000_fMNDB.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 32a53828d5a0b8ef5cfa91eff3e6f9823ced1048208a33ae9e07da7291899989
                                    • Instruction ID: 6cf29ab1640cd7fdf5f34dd25f0e4fc422f68abde36d9a4c207b0aa9fe8abf26
                                    • Opcode Fuzzy Hash: 32a53828d5a0b8ef5cfa91eff3e6f9823ced1048208a33ae9e07da7291899989
                                    • Instruction Fuzzy Hash: 1C11F4B19002499FDB10DFAAC544A9EFBF4FF48320F10842AD559A7250C779A944CFA5
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06236FF9,00000800,00000000,00000000), ref: 062371EA
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895638476.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6230000_fMNDB.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: a137bd915e63658c0a8f0246c8e9b402976c200751ca7b703c1d6d30aeb0386f
                                    • Instruction ID: 4baa33ad25a4cb3b1d0f2b376262ea082e8dd26f2408ec39fb7528fe5e0722b7
                                    • Opcode Fuzzy Hash: a137bd915e63658c0a8f0246c8e9b402976c200751ca7b703c1d6d30aeb0386f
                                    • Instruction Fuzzy Hash: 632129B6C002599FDB10CFAAD844ADEFBF4EF48310F10842ED899A7210C378A545CFA5
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06236FF9,00000800,00000000,00000000), ref: 062371EA
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895638476.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6230000_fMNDB.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: e2a02c84a688194e4edac0d1764517c3d0f7f2e87aa8de2e700565f8df634d6c
                                    • Instruction ID: 67084913807a6645e74ce59f92b05a753706eaf2005c169168c5976b6478bd73
                                    • Opcode Fuzzy Hash: e2a02c84a688194e4edac0d1764517c3d0f7f2e87aa8de2e700565f8df634d6c
                                    • Instruction Fuzzy Hash: D71117B6D003199FDB10CF9AD844ADEFBF4EB48310F10842AE959A7210C375A545CFA4
                                    APIs
                                    • GlobalMemoryStatusEx.KERNELBASE ref: 05A29F8F
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895187143.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_5a20000_fMNDB.jbxd
                                    Similarity
                                    • API ID: GlobalMemoryStatus
                                    • String ID:
                                    • API String ID: 1890195054-0
                                    • Opcode ID: 784ad5f41101f13aecbba52739895b0cdcc215734033efa8f9a7e8dea7b56d51
                                    • Instruction ID: 1a2c23a948295b7f2bcd8232cd0bce739c79f58c6b83deafae5d56f0e7250c30
                                    • Opcode Fuzzy Hash: 784ad5f41101f13aecbba52739895b0cdcc215734033efa8f9a7e8dea7b56d51
                                    • Instruction Fuzzy Hash: 571120B1C002699FDB10CF9AC544BDEFBF4AF48320F10812AE828B7240D378A940CFA5
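The stubs above repeat one pattern worth pulling out of the listing: API calls (VirtualProtect, LoadLibraryExW, GetModuleHandleW, DuplicateHandle, GlobalMemoryStatusEx) referenced from memory dumps that are marked "based on PE: false", i.e. code running from memory that is not backed by an on-disk image. The following triage script is an added example, not part of the Joe Sandbox report or its tooling. It parses the listing format used on this page (the "APIs", "Memory Dump Source" and "Opcode ID" lines of each function stub), groups the API references by dump region, and flags non-PE-backed regions that contain loader-style APIs. The sample input is a constructed excerpt copied from the stubs above; the set of "loader" APIs used for flagging is an assumption chosen for illustration, not a Joe Sandbox rule.

```python
"""Triage helper for a Joe Sandbox function listing (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict

# Constructed excerpt: the API / Source File / Opcode ID lines of five stubs on this page.
SAMPLE = """\
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 00779274
Memory Dump Source
• Source File: 00000003.00000002.2892294765.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
• Opcode ID: 32a53828d5a0b8ef5cfa91eff3e6f9823ced1048208a33ae9e07da7291899989
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06236FF9,00000800,00000000,00000000), ref: 062371EA
Memory Dump Source
• Source File: 00000003.00000002.2895638476.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false
• Opcode ID: a137bd915e63658c0a8f0246c8e9b402976c200751ca7b703c1d6d30aeb0386f
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 06236F7E
Memory Dump Source
• Source File: 00000003.00000002.2895638476.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false
• Opcode ID: 9aed5d3cca9864f6b8c90779e4befeb37f8c6c486b45f5a8b8bd9eeac269c5ee
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05A2F00F
Memory Dump Source
• Source File: 00000003.00000002.2895187143.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
• Opcode ID: bd7fee29b2d4ad13f6b9551345fa5bace6c1400545ddc714eea312f5937c3ad8
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 05A29F8F
Memory Dump Source
• Source File: 00000003.00000002.2895187143.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
• Opcode ID: 784ad5f41101f13aecbba52739895b0cdcc215734033efa8f9a7e8dea7b56d51
"""

# Assumed indicator set: APIs that a runtime loader / unpacker stage typically needs.
LOADER_APIS = {"VirtualProtect", "VirtualAlloc", "LoadLibraryExW", "LoadLibraryW",
               "GetModuleHandleW", "GetProcAddress"}

# One regex per line kind. Arguments are optional ("GlobalMemoryStatusEx.KERNELBASE ref: ...").
API_RE = re.compile(r"^(?:•\s*)?(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^(?:•\s*)?Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$")
OPC_RE = re.compile(r"^(?:•\s*)?Opcode ID:\s*(?P<opcode>[0-9a-f]{64})$")


def parse_listing(text):
    """Return one record per (function stub, API reference) found in the listing."""
    records, pending, region = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            pending.append((m["api"], m["mod"], int(m["ref"], 16)))
        elif m := SRC_RE.match(line):
            region = {"dump": m["dump"], "offset": int(m["offset"], 16), "pe_backed": m["pe"] == "true"}
        elif m := OPC_RE.match(line):
            # Opcode ID closes a stub: emit the pending API refs against the stub's region.
            if region is not None:
                for api, mod, ref in pending:
                    records.append({"api": api, "module": mod, "ref": ref,
                                    "rva": ref - region["offset"],  # offset of the call site inside the dump
                                    "opcode_id": m["opcode"], **region})
            pending, region = [], None
    return records


def regions(records):
    """Group API names by dump region base address."""
    out = defaultdict(lambda: {"pe_backed": None, "apis": set()})
    for r in records:
        out[r["offset"]]["pe_backed"] = r["pe_backed"]
        out[r["offset"]]["apis"].add(r["api"])
    return dict(out)


def flag_regions(records):
    """Non-PE-backed regions that call loader-style APIs: candidates for an unpacked stage."""
    flagged = {}
    for offset, info in regions(records).items():
        hits = sorted(info["apis"] & LOADER_APIS)
        if hits and not info["pe_backed"]:
            flagged[offset] = hits
    return flagged


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for base, apis in flag_regions(recs).items():
        print(f"region {base:08X} (not PE-backed) references {', '.join(apis)}")
```

Records whose `rva` is negative or implausibly large would indicate a call site that does not belong to the dump it is listed under; on this page every reference falls a few KiB past its region base, as expected for a dumped in-memory stage.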
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ]
                                    • API String ID: 0-3352871620
                                    • Opcode ID: 7b9c108604e0da41c48f23931310c4efe4ed66bf6a9e05228b139b2586122b5f
                                    • Instruction ID: 61947e5d790bf6ab6789386141415ce645f6684eeff16eabc5a7504d792acae2
                                    • Opcode Fuzzy Hash: 7b9c108604e0da41c48f23931310c4efe4ed66bf6a9e05228b139b2586122b5f
                                    • Instruction Fuzzy Hash: B1B15835A101048FDF14DB68D584AAEBBF6EB88321F148469E90AE7395DB35ED42CB60
                                    APIs
                                    • FindCloseChangeNotification.KERNELBASE ref: 0077943A
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2892294765.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_770000_fMNDB.jbxd
                                    Similarity
                                    • API ID: ChangeCloseFindNotification
                                    • String ID:
                                    • API String ID: 2591292051-0
                                    • Opcode ID: f5e34c47f1517b57476e4d0553a20faa88a29bb7c66444f475e3a8d1a36e401c
                                    • Instruction ID: f44b0ebd5499940868c50993a89c97579429d8a28faaf81a7fa6966132dc15e0
                                    • Opcode Fuzzy Hash: f5e34c47f1517b57476e4d0553a20faa88a29bb7c66444f475e3a8d1a36e401c
                                    • Instruction Fuzzy Hash: B8113AB19002488FDB20DFAAC4457DFFBF4EF88324F208429D559A7250C778A944CF94
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 06236F7E
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895638476.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_6230000_fMNDB.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 0b99ac6954d836ae43161fcd32ae8d350416f832dd8a4658292607dbf070fbf7
                                    • Instruction ID: 2e42a41029f24eb845ff716a08a5affc949837afcad180c8b7692a4de3156d88
                                    • Opcode Fuzzy Hash: 0b99ac6954d836ae43161fcd32ae8d350416f832dd8a4658292607dbf070fbf7
                                    • Instruction Fuzzy Hash: 361110B5C003599FCB10CF9AC444BDEFBF8EB88324F10842AD829A7210C378A545CFA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: XPpq
                                    • API String ID: 0-1266478781
                                    • Opcode ID: 4fad339530ea08e6290c761d1f695bc7273c6aeffce09d2fac62af1a883135bf
                                    • Instruction ID: 481567642ea99aef7dd5bea17dafa781a905b5cab30ed03c108d11d16b7b6fc5
                                    • Opcode Fuzzy Hash: 4fad339530ea08e6290c761d1f695bc7273c6aeffce09d2fac62af1a883135bf
                                    • Instruction Fuzzy Hash: 91418471B102089FEB54DFA9C854BAEBBF6FF88300F208529E506AB3D5DA749C45CB50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: PHkq
                                    • API String ID: 0-902561536
                                    • Opcode ID: ca8ea5995e8204c2745a0c51fb0e0ecc675174b291d5885f8a5efdc224cd3936
                                    • Instruction ID: ca97965a047cc356268aa1a8c6f6733650efa459e52dea3cb4f4e5c0f784bba7
                                    • Opcode Fuzzy Hash: ca8ea5995e8204c2745a0c51fb0e0ecc675174b291d5885f8a5efdc224cd3936
                                    • Instruction Fuzzy Hash: B231C131B002018FDB199B34C65476E7BE7BB88210F148868E50ADB399EF39CC46CBD4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: LRkq
                                    • API String ID: 0-1052062081
                                    • Opcode ID: b51375202d6505799e5a1f039fc64e6350c84e2fe3c5c67591c54d46f9812b17
                                    • Instruction ID: 9e9deaed15bbfc51bf81c2555b6e5bcc4c6f29d0f0ba318dde23bb8efd6b98d2
                                    • Opcode Fuzzy Hash: b51375202d6505799e5a1f039fc64e6350c84e2fe3c5c67591c54d46f9812b17
                                    • Instruction Fuzzy Hash: 5131A430E10209DBDF14CFA4C544BAEB7B6FF85314F208925E902EB250DBB5E945DB91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: LRkq
                                    • API String ID: 0-1052062081
                                    • Opcode ID: 14d5350a35af629284f843086a0dd7e5776721a737096712251ba21a0d5a14fe
                                    • Instruction ID: acfff60c6d4b64697ea8cd2058fab0152a05f9980fb728eb218a8804f461fd4e
                                    • Opcode Fuzzy Hash: 14d5350a35af629284f843086a0dd7e5776721a737096712251ba21a0d5a14fe
                                    • Instruction Fuzzy Hash: 3F317230E10219DBDF14CF64C584BAEB7B6FF85314F208829E901EB250EBB5D946DB91
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: PHkq
                                    • API String ID: 0-902561536
                                    • Opcode ID: b6eda0b3a43c7c1846c267e3bfc7f811388cf233969beb922263ac7b9e59c3b9
                                    • Instruction ID: 1e777e792d5314e05ab7537d89b56960ba832df78b27a8f0111fe4a96b479442
                                    • Opcode Fuzzy Hash: b6eda0b3a43c7c1846c267e3bfc7f811388cf233969beb922263ac7b9e59c3b9
                                    • Instruction Fuzzy Hash: BE31E2717043418FCB1A9F34C66426E7BF7AF8A240B2884A9D14ADB3A9DF39CC45C795
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: LRkq
                                    • API String ID: 0-1052062081
                                    • Opcode ID: 4229bf46d984955499ca289be9b9f56db9b09997e6368930c5c1c7fca7a0fc55
                                    • Instruction ID: b33b03d4946f9ad85f2bad88a21577cb0be23c81a71e2670b2d7efe07fdf88aa
                                    • Opcode Fuzzy Hash: 4229bf46d984955499ca289be9b9f56db9b09997e6368930c5c1c7fca7a0fc55
                                    • Instruction Fuzzy Hash: 3911D5707051048FC715AB3DE014A9E3BB6EF85310B00887AE005CB7A9DE3498868795
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: LRkq
                                    • API String ID: 0-1052062081
                                    • Opcode ID: 786742e964465ae88aa3b1b2705afa441dabe9d0aec5ec306a745c844e11f411
                                    • Instruction ID: 552ad9cd9c2b1dd9af623ee86aafafd454d3b8c3a51688cc25d13638609f5554
                                    • Opcode Fuzzy Hash: 786742e964465ae88aa3b1b2705afa441dabe9d0aec5ec306a745c844e11f411
                                    • Instruction Fuzzy Hash: 000128717042449FC715AB38841469E7BF6EF8A314B1180BAD019CB3A2DE359C4287A2
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3d615099d86442cca1031063a526581c6750cc6924022bcf951a243195578a22
                                    • Instruction ID: 064ac3a598050cfc8c553a10f5a8492ff577eb42d934fb13aa8bb51120e34389
                                    • Opcode Fuzzy Hash: 3d615099d86442cca1031063a526581c6750cc6924022bcf951a243195578a22
                                    • Instruction Fuzzy Hash: 2282CD34B206048FCF24EB64D994E6D77B6FB8A314F10486AD809D7368EF35AD86DB50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a201d5137c50db4d667e6adef6d143ba3a10b17a14e5b8961ec47169f4aed41d
                                    • Instruction ID: 93badefb396ebd5b548228a343ffdadd2a7a155a9c510bac57c3d54cbfa73485
                                    • Opcode Fuzzy Hash: a201d5137c50db4d667e6adef6d143ba3a10b17a14e5b8961ec47169f4aed41d
                                    • Instruction Fuzzy Hash: 8782CD34B206048FCF24EB64D984E6D77B6FB8A314F10486AD809D7368EF35AD86DB50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8fb2e1bdc53ddd965d547a728016a3e8b3432f0eef71298400dd53ba5e5336f4
                                    • Instruction ID: 614f76b64bced4ae5d7816cec91bc067e2f4033bf978c4e982674a5db320158a
                                    • Opcode Fuzzy Hash: 8fb2e1bdc53ddd965d547a728016a3e8b3432f0eef71298400dd53ba5e5336f4
                                    • Instruction Fuzzy Hash: D902DE347212008BDF192778A49927C3BE7FBC9362B64046DF90AC7391CEB9DD869761
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e143ad14946817d6885bbc2fda77a621b130242212b9e9911f4b923cba5a2d0c
                                    • Instruction ID: 5f268b2b5eca0baf7ceb8794c416293ede00902b07e4b217f39a96b291ec20b0
                                    • Opcode Fuzzy Hash: e143ad14946817d6885bbc2fda77a621b130242212b9e9911f4b923cba5a2d0c
                                    • Instruction Fuzzy Hash: 43E18D34B102059FCF14DB68D594AAEBBF6FB88310F208469E90AD73A5DB35ED41CB91
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b6a8706e77424643eb955b0b89e5296f14d0ec1298ae7f81186690951a90104d
                                    • Instruction ID: de4bd37e53218007c8abc02e5d42da3de251dc6ee4c9c49aa5fdb6fa5cc6b553
                                    • Opcode Fuzzy Hash: b6a8706e77424643eb955b0b89e5296f14d0ec1298ae7f81186690951a90104d
                                    • Instruction Fuzzy Hash: 8961F6B2F001214BDF149A7DD884A6FBADBAFC4620B254036E90AD73B5DE79DC0287D1
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d559233e0770c278e04d24eaaffa7544faae7cd9ca15f093e0410a0789048924
                                    • Instruction ID: 861d9c637a9eb18f28fc84f7580dbe1451b04af1185d8f6feea73202fe2593fe
                                    • Opcode Fuzzy Hash: d559233e0770c278e04d24eaaffa7544faae7cd9ca15f093e0410a0789048924
                                    • Instruction Fuzzy Hash: B1818F71B002049FDB14DFA8D984B9DBBB5FF88320F15C269E9099B395EB71E845CB90
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7a6dcbff07be9b7ef58e3432e7eee983b2e67367a5bb70dbd8bc2458d8565859
                                    • Instruction ID: a4d17fbf7cdb854967515439aa784502757f6cf7e3f39d83d13d9fc3637ade8f
                                    • Opcode Fuzzy Hash: 7a6dcbff07be9b7ef58e3432e7eee983b2e67367a5bb70dbd8bc2458d8565859
                                    • Instruction Fuzzy Hash: 1D811930B102098FDF54DBA9D554AAE77F7EB88310F108429E50ADB398EB75EC468B91
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e290cd5f106b7e2601eeab771aa584d6853b5f1dad458590974d783dfe322532
                                    • Instruction ID: fe08103e8a61b1195c72a2693d04d608db6c26153a710264b380feef766441c7
                                    • Opcode Fuzzy Hash: e290cd5f106b7e2601eeab771aa584d6853b5f1dad458590974d783dfe322532
                                    • Instruction Fuzzy Hash: 0A615430E103099BDF10EBA8C850BADB7B6FF85310F104529E549FF294EB74A985CB91
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d5acb666c21bcdf8d39377e11ea42ff221fd17a391547352257e8325e3c2754a
                                    • Instruction ID: a510d67ceb5f48ffeed4883d1f770924d036b48ac335897e848ede5728439694
                                    • Opcode Fuzzy Hash: d5acb666c21bcdf8d39377e11ea42ff221fd17a391547352257e8325e3c2754a
                                    • Instruction Fuzzy Hash: CC612130E107099BDF10EBA8C850BADB7B6FF89310F204529E549FF294DB74A985CB91
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0c28749d1a53c1f93d50a93033ddb929726106b2f4e3c465549a8e32c198a894
                                    • Instruction ID: b7d63c18ecc32ac80fa2cf1ef70191da91326f21fdd0cf239ef23fd1c343c28c
                                    • Opcode Fuzzy Hash: 0c28749d1a53c1f93d50a93033ddb929726106b2f4e3c465549a8e32c198a894
                                    • Instruction Fuzzy Hash: 9641AF31F102069BDF249A68D590B7FB7AAFB85310F20482AE60ED7395EB35DD418BC1
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 107325a23135d7a2f044096959926c01c0b471b4b89689f89ea82a083dc190b8
                                    • Instruction ID: a0d2edd7dc9f5b44191164fc42b8d2c08c80cbd82706e00038d9cf2d1732c83e
                                    • Opcode Fuzzy Hash: 107325a23135d7a2f044096959926c01c0b471b4b89689f89ea82a083dc190b8
                                    • Instruction Fuzzy Hash: 9A41A430A106498BCF15DFA4D5616AEB7F6FF88310F108529EA0AE7394EB359D46CB50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d26c35ff718dd0d1b2db193afbccf13513e7b0d526c2c51dbf61bcb1ca288c3e
                                    • Instruction ID: d4f32770b5bc51682268a344e1e69a35c6716af7b55417e54936c54429fdd3ab
                                    • Opcode Fuzzy Hash: d26c35ff718dd0d1b2db193afbccf13513e7b0d526c2c51dbf61bcb1ca288c3e
                                    • Instruction Fuzzy Hash: CC5115B1E102189FDB14CFA9C888B9DBBF5BF48310F14812AE81ABB395D7749944CF94
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 074baa848845ead3baf68c5d450464991dae561f8d107f252535c54beb7d7897
                                    • Instruction ID: f0ca80f77047af4c55ea5d65b06f703c54bbff5adf8af3a4dec321e0674b73f5
                                    • Opcode Fuzzy Hash: 074baa848845ead3baf68c5d450464991dae561f8d107f252535c54beb7d7897
                                    • Instruction Fuzzy Hash: 895116B0D102189FDB14CFA9C888B9DBBF9BF48310F548129E81ABB395D774A944CF95
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 40de0b3fbcdb58b88ae44dd2630eb953eee77907fc19016054a9d51833e913d2
                                    • Instruction ID: 8b20a5a8151a6b63633b9c059372d6c505d0a1eed872ea123dcf6ce5d4e59e9c
                                    • Opcode Fuzzy Hash: 40de0b3fbcdb58b88ae44dd2630eb953eee77907fc19016054a9d51833e913d2
                                    • Instruction Fuzzy Hash: BF418271A006098FDF70CF99D880ABFF7BAFB84310F10492AD256D7660D330E9458B91
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 25d5c3a121ded9a6fffd47bbd1224662e22d1c1c79f982d7dd4349c7cb9df67d
                                    • Instruction ID: bdac2bdbf9ea8b8908023e7a5fcaebecc0a2a4c4e478ae1e42d1a17d39ef643b
                                    • Opcode Fuzzy Hash: 25d5c3a121ded9a6fffd47bbd1224662e22d1c1c79f982d7dd4349c7cb9df67d
                                    • Instruction Fuzzy Hash: 9A315E31B106058BCB19DF64D5546AEB7F7AFC9310F108429E90AEB354EF35ED4687A0
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6d21ed79c84398ce44b96d56ed30327fd13cacddbe7ce3c4c1e2d6ed77a9311e
                                    • Instruction ID: 37e6024c9240aef3e7300c50ae8adebf2f0f601bbe5b2cceb8882d68b4f3d51d
                                    • Opcode Fuzzy Hash: 6d21ed79c84398ce44b96d56ed30327fd13cacddbe7ce3c4c1e2d6ed77a9311e
                                    • Instruction Fuzzy Hash: 7B316F30B106058BCB19DF64D4546AEB7F6AFC9310F508429E90AEB354EF34ED428790
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c9f89e3274053ef44ee890bc9944eca33c9375e8cd2cb2ae8008c03df74fadea
                                    • Instruction ID: bc2ae61a89ce90949601e30a5bb11668df3be2dd85b36fc27c58cf166ff8883c
                                    • Opcode Fuzzy Hash: c9f89e3274053ef44ee890bc9944eca33c9375e8cd2cb2ae8008c03df74fadea
                                    • Instruction Fuzzy Hash: D3319F30B106098BCF15DFA5D454AAEB7B6FF89310F108529E905E7354EB71EC86CB60
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2ffbf2946f61a5392426a023470e31113d9a5a01960d9828b322fefa3753aa60
                                    • Instruction ID: cfc8d4f5c6089365146d514bce466384c50d0525bff0f48846b94a721d266315
                                    • Opcode Fuzzy Hash: 2ffbf2946f61a5392426a023470e31113d9a5a01960d9828b322fefa3753aa60
                                    • Instruction Fuzzy Hash: 3A217C75F102199FDB00DF69D941AAEBBF5BB48310F108026EA05E7358EB30DC008BA4
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: db5ce222f0e47223b0e0006377a0dfb4ad7f2b4d23e5bb587458dcbe82b8abb5
                                    • Instruction ID: cae6c26c4582cb1bbcf81870f5e055e4c1f25de8cee4d16e63f7e3a69a8f27ac
                                    • Opcode Fuzzy Hash: db5ce222f0e47223b0e0006377a0dfb4ad7f2b4d23e5bb587458dcbe82b8abb5
                                    • Instruction Fuzzy Hash: 96216B75F102199FDB04DFA9D981AEEBBF5BB48310F118426EA05E7358EB34EC418B94
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4b785e67c03a1698d0fb45066fe5a1f67e520602573a84bb025d129bdd765f47
                                    • Instruction ID: e7e655808d8cc75da8bfaf0f1272ad28a02063b0b2613ee08ea6d8c8287f4bc4
                                    • Opcode Fuzzy Hash: 4b785e67c03a1698d0fb45066fe5a1f67e520602573a84bb025d129bdd765f47
                                    • Instruction Fuzzy Hash: 3D21B070E102498BDF08CFA4D6546AEB7B7BF88310F10852AEA16F7390EB749C42CB50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2891954222.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_71d000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9ecd3c2b53816c2606974588ddcb0469dd1a88914060f11559af180fad2dc57f
                                    • Instruction ID: b6617b23f453b85fabba4afdaac1aa474f5446dea972d058f5c56177eb92ec94
                                    • Opcode Fuzzy Hash: 9ecd3c2b53816c2606974588ddcb0469dd1a88914060f11559af180fad2dc57f
                                    • Instruction Fuzzy Hash: 712125B1500204DFCB25DF18DAC0B6BBFA5FB98354F208569D80D0B296C33ADC96CAA1
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6f8961cea877b08a554cf46871adfa80b430be208efb4fac174f3d4fadc3ce71
                                    • Instruction ID: 16ec468db772e701e48bd4716904160591a67f9114cbdfaff37ec2beecc2d4ec
                                    • Opcode Fuzzy Hash: 6f8961cea877b08a554cf46871adfa80b430be208efb4fac174f3d4fadc3ce71
                                    • Instruction Fuzzy Hash: D6218030E102599BDF18CFA4D5546AEB7B6BF89310F20852AE916FB390EB74AC45CB50
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2892039521.000000000072D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_72d000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3473e64b7571910cd347559b16da389b29abbf7575792bd28a0a289aa6877783
                                    • Instruction ID: 3aa3abfb71ac1c598d79a8f82b895e38494b5ac459d10a7fc193cbdaf9fdc410
                                    • Opcode Fuzzy Hash: 3473e64b7571910cd347559b16da389b29abbf7575792bd28a0a289aa6877783
                                    • Instruction Fuzzy Hash: C521F2B1504244DFCB34DF14E9C4B26BBA5EB88314F34C669D9494B266C33ADC46CA62
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ef7722f2b075df924045255f03b3a9c8af873b788d7dcd52b9294e0a83cfe97a
                                    • Instruction ID: a795cb1ca7cc87803a4196da0f9b979dbe7cd9534a1cd69067c8999f30119fe9
                                    • Opcode Fuzzy Hash: ef7722f2b075df924045255f03b3a9c8af873b788d7dcd52b9294e0a83cfe97a
                                    • Instruction Fuzzy Hash: 0A21AF72E042199BCF18DB68D9805DDF7B6EB89310F10886AD10AEB344EA31DE458BA0
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 40474d90aa17d1b40153d4f8abdfba70e295d62114d4cc1e27686546c4f9a138
                                    • Instruction ID: c4fd309c80bdd73235308daf4f491eb75e4954335ec2f937abaabbd2ab21b1f0
                                    • Opcode Fuzzy Hash: 40474d90aa17d1b40153d4f8abdfba70e295d62114d4cc1e27686546c4f9a138
                                    • Instruction Fuzzy Hash: DF11D372A002048FDB14EB68D94479ABB62FF80321F148675D90D5B39AEB35E94ACBD0
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4eb202a7ad6cb5bd1a67711f0b398a6a0f5b8946bdc0213c885baa58c07241a9
                                    • Instruction ID: 984f406cac20b781e13bff165e9d317e45529476c4488abde1495512251521f1
                                    • Opcode Fuzzy Hash: 4eb202a7ad6cb5bd1a67711f0b398a6a0f5b8946bdc0213c885baa58c07241a9
                                    • Instruction Fuzzy Hash: F1116D31B241299BCF14DA78D914ABE73EBABC8710F008539D50AE7358EE74DC029BA1
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2891954222.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_71d000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
                                    • Instruction ID: 27d89d1fc5f0f79e6497a87e379ea5efb30c84f30c4810adec7ae23068c8664c
                                    • Opcode Fuzzy Hash: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
                                    • Instruction Fuzzy Hash: 2E11B176504240CFCB16CF14D9C4B56BF72FB94314F24C5A9D8090B256C33AD85ACFA1
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 97a05c5f4c6f2de2b58d937f68cfe7ef4edb0a02f3d8c1cff174f104d917ed52
                                    • Instruction ID: 5da0e5eeb5171092b49573c092642f7ac0d243bba2c52ba4a303afff7bbe1841
                                    • Opcode Fuzzy Hash: 97a05c5f4c6f2de2b58d937f68cfe7ef4edb0a02f3d8c1cff174f104d917ed52
                                    • Instruction Fuzzy Hash: 7B0184327001140FDB159ABC9555B7AB7EBEBC9720F10883AEA0AC7394EE66DD064791
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2892039521.000000000072D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0072D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_72d000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
                                    • Instruction ID: ff15eac83f79c5185ece25e3b6984a621d568303c9caa6b388156d05ab8b3706
                                    • Opcode Fuzzy Hash: 021c8d7180bca40b1b4a0da321e6e5f783d7625571517dbbd39f1422581fcb41
                                    • Instruction Fuzzy Hash: 8811BB75504284CFCB21CF14E5C4B15BBA1FB88314F28C6AAD8494B666C33AD84ACB62
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f32701ab3603c81a1f85e86020caa5880317756493bf53ab6f15a14d24167409
                                    • Instruction ID: 971d96f000a342a40148f5c9a2927d2c8515bbd015d89e5cb94c12a3367d3697
                                    • Opcode Fuzzy Hash: f32701ab3603c81a1f85e86020caa5880317756493bf53ab6f15a14d24167409
                                    • Instruction Fuzzy Hash: 8921BFB5D01259DFCB00DF9AD984ADEFBB4FB49310F10812AE918B7240D374A954CFA4
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 73ab8c85ba39234125a4a101dc06ed6fbff028edf7f563ab0f077434223ff5b8
                                    • Instruction ID: 237d36ed158cac391c25b0954bef0630856ef9eec6c21020b48e042fd7e1f3bb
                                    • Opcode Fuzzy Hash: 73ab8c85ba39234125a4a101dc06ed6fbff028edf7f563ab0f077434223ff5b8
                                    • Instruction Fuzzy Hash: E311C3B59012199BCB00DF9AD884ACEFBB8BB49310F10812AE518B7240C374A954CFA5
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ab610f66bb03237509e74313fe46233273ae35a172b66898a83c8118c57510a4
                                    • Instruction ID: c56175f5f6c795414c94cee8007a49eccea0daef94e5066970b0b1c5f6817cc0
                                    • Opcode Fuzzy Hash: ab610f66bb03237509e74313fe46233273ae35a172b66898a83c8118c57510a4
                                    • Instruction Fuzzy Hash: 93016D317001140BDB249ABD9455B3BA7EFEBC9730F20883AE60AC7394EE66DC424791
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7fd0f12604547a81b7548a3beb9800e2529ab6ba35fb5b38e8fee57fbb910285
                                    • Instruction ID: 8cf36e76ba60d06fe406fd6a3bff19fcb5aeaeea6c048b33ea3709f4f0a0b92e
                                    • Opcode Fuzzy Hash: 7fd0f12604547a81b7548a3beb9800e2529ab6ba35fb5b38e8fee57fbb910285
                                    • Instruction Fuzzy Hash: 00014F32B200194BDF54D6A899146FE73AFABC8711F01843AD50AD7358EE64DD0647D1
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2891954222.000000000071D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0071D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_71d000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 524a058475a9b3c7125740e45e04241fa4d6f31c8ba4b0d6ed6be1bdcce99f82
                                    • Instruction ID: 2c48eafb443fb559a19fb2ab4d897aa360946e5c46873451e7e7eb313de4ab5f
                                    • Opcode Fuzzy Hash: 524a058475a9b3c7125740e45e04241fa4d6f31c8ba4b0d6ed6be1bdcce99f82
                                    • Instruction Fuzzy Hash: CF01A771509340AAE7204A6DC984BA7BFD8DF59324F18C529ED494A2C6C27D9C85CEB1
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.2895152888.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_59f0000_fMNDB.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a2dab2a6d3287e43096bea16d21af3256a27289c3b5ee02486ce5061bf031b53
                                    • Instruction ID: ebe2ea9cbaac08170b4ba4937a36f3e44a5d798298770dc4e23f56165908ef98
                                    • Opcode Fuzzy Hash: a2dab2a6d3287e43096bea16d21af3256a27289c3b5ee02486ce5061bf031b53