Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
real-al-d7ya.exe

Overview

General Information

Sample name:real-al-d7ya.exe
Analysis ID:1473001
MD5:2b4129ddc8fddd48aee75adfaf4b59cc
SHA1:cc0226215497cec7adad4b6ddbe37c28bc1eca74
SHA256:5c3e62c072c7bf77abf2b6a087bb673121913113faba905e02bd776d0bb1f4fb
Tags:exe
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Yara signature match

Classification

Process Tree

  • System is w10x64
  • real-al-d7ya.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\real-al-d7ya.exe" MD5: 2B4129DDC8FDDD48AEE75ADFAF4B59CC)
    • schtasks.exe (PID: 7372 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7764 cmdline: C:\Windows\system32\WerFault.exe -u -p 7280 -s 2008 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • real-al-d7ya.exe (PID: 7468 cmdline: C:\Users\user\AppData\Roaming\real-al-d7ya.exe MD5: 2B4129DDC8FDDD48AEE75ADFAF4B59CC)
  • real-al-d7ya.exe (PID: 7572 cmdline: "C:\Users\user\AppData\Roaming\real-al-d7ya.exe" MD5: 2B4129DDC8FDDD48AEE75ADFAF4B59CC)
  • real-al-d7ya.exe (PID: 7832 cmdline: "C:\Users\user\AppData\Roaming\real-al-d7ya.exe" MD5: 2B4129DDC8FDDD48AEE75ADFAF4B59CC)
  • real-al-d7ya.exe (PID: 8008 cmdline: C:\Users\user\AppData\Roaming\real-al-d7ya.exe MD5: 2B4129DDC8FDDD48AEE75ADFAF4B59CC)
  • real-al-d7ya.exe (PID: 7000 cmdline: C:\Users\user\AppData\Roaming\real-al-d7ya.exe MD5: 2B4129DDC8FDDD48AEE75ADFAF4B59CC)
  • real-al-d7ya.exe (PID: 1744 cmdline: C:\Users\user\AppData\Roaming\real-al-d7ya.exe MD5: 2B4129DDC8FDDD48AEE75ADFAF4B59CC)
    • schtasks.exe (PID: 4208 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 1136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["k-infectious.gl.at.ply.gg"], "Port": "9165", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
real-al-d7ya.exeJoeSecurity_XWormYara detected XWormJoe Security
    real-al-d7ya.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
    • 0x79f4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7a91:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7ba6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x74a4:$cnc4: POST / HTTP/1.1

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\Users\user\AppData\Roaming\real-al-d7ya.exeJoeSecurity_XWormYara detected XWormJoe Security
      C:\Users\user\AppData\Roaming\real-al-d7ya.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0x79f4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x7a91:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x7ba6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x74a4:$cnc4: POST / HTTP/1.1

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000000.1679599731.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
        00000000.00000000.1679599731.0000000000EC2000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0x77f4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x7891:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x79a6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x72a4:$cnc4: POST / HTTP/1.1
        Process Memory Space: real-al-d7ya.exe PID: 7280JoeSecurity_XWormYara detected XWormJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.0.real-al-d7ya.exe.ec0000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
            0.0.real-al-d7ya.exe.ec0000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0x79f4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0x7a91:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0x7ba6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0x74a4:$cnc4: POST / HTTP/1.1

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: CurrentVersion Autorun Keys Modification
            Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\real-al-d7ya.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\real-al-d7ya.exe, ProcessId: 7280, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\real-al-d7ya
            Sigma detected: Suspicious Add Scheduled Task Parent
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\real-al-d7ya.exe, ParentImage: C:\Users\user\AppData\Roaming\real-al-d7ya.exe, ParentProcessId: 1744, ParentProcessName: real-al-d7ya.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe", ProcessId: 4208, ProcessName: schtasks.exe
            Sigma detected: Suspicious Schtasks From Env Var Folder
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\real-al-d7ya.exe", ParentImage: C:\Users\user\Desktop\real-al-d7ya.exe, ParentProcessId: 7280, ParentProcessName: real-al-d7ya.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe", ProcessId: 7372, ProcessName: schtasks.exe

            Snort Signatures

            Timestamp:07/14/24-19:23:33.405583
            SID:2853193
            Source Port:52422
            Destination Port:9165
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:07/14/24-19:22:50.077254
            SID:2855924
            Source Port:52419
            Destination Port:9165
            Protocol:TCP
            Classtype:A Network Trojan was detected

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: real-al-d7ya.exeAvira: detected
            Antivirus detection for dropped file
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeAvira: detection malicious, Label: HEUR/AGEN.1305769
            Found malware configuration
            Source: real-al-d7ya.exeMalware Configuration Extractor: Xworm {"C2 url": ["k-infectious.gl.at.ply.gg"], "Port": "9165", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
            Multi AV Scanner detection for dropped file
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeReversingLabs: Detection: 78%
            Multi AV Scanner detection for submitted file
            Source: real-al-d7ya.exeReversingLabs: Detection: 78%
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeJoe Sandbox ML: detected
            Machine Learning detection for sample
            Source: real-al-d7ya.exeJoe Sandbox ML: detected
            Sample uses string decryption to hide its real strings
            Source: real-al-d7ya.exeString decryptor: k-infectious.gl.at.ply.gg
            Source: real-al-d7ya.exeString decryptor: 9165
            Source: real-al-d7ya.exeString decryptor: <123456789>
            Source: real-al-d7ya.exeString decryptor: <Xwormmm>
            Source: real-al-d7ya.exeString decryptor: USB.exe
            Source: real-al-d7ya.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: real-al-d7ya.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: real-al-d7ya.exe, 00000000.00000002.3408235456.000000001C000000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.Xml.ni.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.ni.pdbRSDS source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: .pdb6 source: real-al-d7ya.exe, 00000000.00000002.3408555724.000000001C2F9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb! source: real-al-d7ya.exe, 00000000.00000002.3408235456.000000001C000000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.Xml.pdbh9% source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: real-al-d7ya.exe, 00000000.00000002.3408555724.000000001C2F9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.Configuration.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: real-al-d7ya.exe, 00000000.00000002.3408555724.000000001C2F9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Xml.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: 0C:\Windows\mscorlib.pdb source: real-al-d7ya.exe, 00000000.00000002.3408555724.000000001C2F9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.pdbY source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.Core.ni.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: real-al-d7ya.exe, 00000000.00000002.3404521390.0000000001412000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: real-al-d7ya.exe, 00000000.00000002.3408235456.000000001C077000.00000004.00000020.00020000.00000000.sdmp, WER8C7E.tmp.dmp.14.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: real-al-d7ya.exe, 00000000.00000002.3404521390.0000000001423000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.Management.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: mscorlib.ni.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: real-al-d7ya.exe, 00000000.00000002.3408235456.000000001C063000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: real-al-d7ya.exe, 00000000.00000002.3408235456.000000001C063000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb5 source: real-al-d7ya.exe, 00000000.00000002.3408555724.000000001C2F9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: indoC:\Windows\mscorlib.pdb source: real-al-d7ya.exe, 00000000.00000002.3408555724.000000001C2F9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Management.pdbSystem.Xml.dll source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.ni.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbper source: real-al-d7ya.exe, 00000000.00000002.3408235456.000000001C000000.00000004.00000020.00020000.00000000.sdmp

            Networking

            barindex
            Snort IDS alert for network traffic
            Source: TrafficSnort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:52419 -> 147.185.221.20:9165
            Source: TrafficSnort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:52422 -> 147.185.221.20:9165
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: k-infectious.gl.at.ply.gg
            Source: global trafficTCP traffic: 192.168.2.4:49730 -> 147.185.221.20:9165
            Source: Joe Sandbox ViewIP Address: 147.185.221.20 147.185.221.20
            Source: Joe Sandbox ViewASN Name: SALSGIVERUS SALSGIVERUS
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: k-infectious.gl.at.ply.gg
            Source: real-al-d7ya.exe, 00000000.00000002.3405432325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, real-al-d7ya.exe, 00000010.00000002.4142540535.0000000002791000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Amcache.hve.14.drString found in binary or memory: http://upx.sf.net

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: real-al-d7ya.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.0.real-al-d7ya.exe.ec0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000000.1679599731.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\real-al-d7ya.exeCode function: 0_2_00007FFD9B898F820_2_00007FFD9B898F82
            Source: C:\Users\user\Desktop\real-al-d7ya.exeCode function: 0_2_00007FFD9B8981D60_2_00007FFD9B8981D6
            Source: C:\Users\user\Desktop\real-al-d7ya.exeCode function: 0_2_00007FFD9B8925190_2_00007FFD9B892519
            Source: C:\Users\user\Desktop\real-al-d7ya.exeCode function: 0_2_00007FFD9B8935AE0_2_00007FFD9B8935AE
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeCode function: 16_2_00007FFD9BAB83A616_2_00007FFD9BAB83A6
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeCode function: 16_2_00007FFD9BAB251916_2_00007FFD9BAB2519
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeCode function: 16_2_00007FFD9BAB915216_2_00007FFD9BAB9152
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeCode function: 16_2_00007FFD9BAB35AE16_2_00007FFD9BAB35AE
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeCode function: 16_2_00007FFD9BAB7BA516_2_00007FFD9BAB7BA5
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeCode function: 16_2_00007FFD9BAB5C8D16_2_00007FFD9BAB5C8D
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7280 -s 2008
            Source: real-al-d7ya.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: real-al-d7ya.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.0.real-al-d7ya.exe.ec0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000000.1679599731.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: real-al-d7ya.exe, Helper.csCryptographic APIs: 'TransformFinalBlock'
            Source: real-al-d7ya.exe, Helper.csCryptographic APIs: 'TransformFinalBlock'
            Source: real-al-d7ya.exe, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
            Source: real-al-d7ya.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
            Source: real-al-d7ya.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
            Source: real-al-d7ya.exe.0.dr, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
            Source: real-al-d7ya.exe, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: real-al-d7ya.exe, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: real-al-d7ya.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: real-al-d7ya.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engineClassification label: mal100.troj.evad.winEXE@14/7@1/1
            Source: C:\Users\user\Desktop\real-al-d7ya.exeFile created: C:\Users\user\AppData\Roaming\real-al-d7ya.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeMutant created: \Sessions\1\BaseNamedObjects\7zSdnFOyE9rndHTn
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeMutant created: NULL
            Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7280
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1136:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
            Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\88f30414-151a-4226-8607-8a3752e4ced0Jump to behavior
            Source: real-al-d7ya.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: real-al-d7ya.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\real-al-d7ya.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: real-al-d7ya.exeReversingLabs: Detection: 78%
            Source: C:\Users\user\Desktop\real-al-d7ya.exeFile read: C:\Users\user\Desktop\real-al-d7ya.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\real-al-d7ya.exe "C:\Users\user\Desktop\real-al-d7ya.exe"
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe"
            Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\real-al-d7ya.exe C:\Users\user\AppData\Roaming\real-al-d7ya.exe
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\real-al-d7ya.exe "C:\Users\user\AppData\Roaming\real-al-d7ya.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\real-al-d7ya.exe "C:\Users\user\AppData\Roaming\real-al-d7ya.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\real-al-d7ya.exe C:\Users\user\AppData\Roaming\real-al-d7ya.exe
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\real-al-d7ya.exe C:\Users\user\AppData\Roaming\real-al-d7ya.exe
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7280 -s 2008
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\real-al-d7ya.exe C:\Users\user\AppData\Roaming\real-al-d7ya.exe
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe"
            Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe"Jump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: avicap32.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: msvfw32.dllJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: avicap32.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: msvfw32.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
            Source: C:\Users\user\Desktop\real-al-d7ya.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
            Source: real-al-d7ya.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: real-al-d7ya.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: real-al-d7ya.exe, 00000000.00000002.3408235456.000000001C000000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.Xml.ni.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.ni.pdbRSDS source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: .pdb6 source: real-al-d7ya.exe, 00000000.00000002.3408555724.000000001C2F9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb! source: real-al-d7ya.exe, 00000000.00000002.3408235456.000000001C000000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.Xml.pdbh9% source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: real-al-d7ya.exe, 00000000.00000002.3408555724.000000001C2F9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.Configuration.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: symbols\dll\mscorlib.pdbpdb` source: real-al-d7ya.exe, 00000000.00000002.3408555724.000000001C2F9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Xml.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: 0C:\Windows\mscorlib.pdb source: real-al-d7ya.exe, 00000000.00000002.3408555724.000000001C2F9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.pdbY source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.Core.ni.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: real-al-d7ya.exe, 00000000.00000002.3404521390.0000000001412000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: real-al-d7ya.exe, 00000000.00000002.3408235456.000000001C077000.00000004.00000020.00020000.00000000.sdmp, WER8C7E.tmp.dmp.14.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: real-al-d7ya.exe, 00000000.00000002.3404521390.0000000001423000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.Management.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: mscorlib.ni.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: real-al-d7ya.exe, 00000000.00000002.3408235456.000000001C063000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: real-al-d7ya.exe, 00000000.00000002.3408235456.000000001C063000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb5 source: real-al-d7ya.exe, 00000000.00000002.3408555724.000000001C2F9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: indoC:\Windows\mscorlib.pdb source: real-al-d7ya.exe, 00000000.00000002.3408555724.000000001C2F9000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Management.pdbSystem.Xml.dll source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.ni.pdb source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER8C7E.tmp.dmp.14.dr
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbper source: real-al-d7ya.exe, 00000000.00000002.3408235456.000000001C000000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            barindex
            .NET source code contains method to dynamically call methods (often used by packers)
            Source: real-al-d7ya.exe, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: real-al-d7ya.exe, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: real-al-d7ya.exe, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: real-al-d7ya.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: real-al-d7ya.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: real-al-d7ya.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            .NET source code contains potential unpacker
            Source: real-al-d7ya.exe, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
            Source: real-al-d7ya.exe, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
            Source: real-al-d7ya.exe, Messages.cs.Net Code: Memory
            Source: real-al-d7ya.exe.0.dr, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
            Source: real-al-d7ya.exe.0.dr, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
            Source: real-al-d7ya.exe.0.dr, Messages.cs.Net Code: Memory
            Source: C:\Users\user\Desktop\real-al-d7ya.exeFile created: C:\Users\user\AppData\Roaming\real-al-d7ya.exeJump to dropped file

            Boot Survival

            barindex
            Creates autostart registry keys with suspicious names
            Source: C:\Users\user\Desktop\real-al-d7ya.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run real-al-d7yaJump to behavior
            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe"
            Source: C:\Users\user\Desktop\real-al-d7ya.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run real-al-d7yaJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run real-al-d7yaJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeMemory allocated: 1320000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeMemory allocated: 1B240000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeMemory allocated: 14E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeMemory allocated: 1AFF0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeMemory allocated: AA0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeMemory allocated: 1A7D0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeMemory allocated: 1060000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeMemory allocated: 1A960000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeMemory allocated: 8A0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeMemory allocated: 1A320000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeMemory allocated: 9C0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeMemory allocated: 1A6F0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeMemory allocated: C20000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeMemory allocated: 1A790000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeWindow / User API: threadDelayed 6629Jump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeWindow / User API: threadDelayed 3173Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeWindow / User API: threadDelayed 1584Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeWindow / User API: threadDelayed 8262Jump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exe TID: 7456Thread sleep count: 38 > 30Jump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exe TID: 7456Thread sleep time: -35048813740048126s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exe TID: 7460Thread sleep count: 6629 > 30Jump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exe TID: 7460Thread sleep count: 3173 > 30Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe TID: 7488Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe TID: 7596Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe TID: 7868Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe TID: 8028Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe TID: 4460Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe TID: 412Thread sleep count: 34 > 30Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe TID: 412Thread sleep time: -31359464925306218s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe TID: 5684Thread sleep count: 1584 > 30Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe TID: 5684Thread sleep count: 8262 > 30Jump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\real-al-d7ya.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: Amcache.hve.14.drBinary or memory string: VMware
            Source: Amcache.hve.14.drBinary or memory string: VMware Virtual USB Mouse
            Source: Amcache.hve.14.drBinary or memory string: vmci.syshbin
            Source: Amcache.hve.14.drBinary or memory string: VMware, Inc.
            Source: Amcache.hve.14.drBinary or memory string: VMware20,1hbin@
            Source: real-al-d7ya.exe, 00000000.00000002.3408235456.000000001C000000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW %SystemRoot%\system32\mswsock.dll
            Source: Amcache.hve.14.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.14.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.14.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.14.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.14.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.14.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.14.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: Amcache.hve.14.drBinary or memory string: vmci.sys
            Source: Amcache.hve.14.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
            Source: Amcache.hve.14.drBinary or memory string: vmci.syshbin`
            Source: Amcache.hve.14.drBinary or memory string: \driver\vmci,\driver\pci
            Source: Amcache.hve.14.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: real-al-d7ya.exe, 00000010.00000002.4147795618.000000001B890000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlleSec
            Source: Amcache.hve.14.drBinary or memory string: VMware20,1
            Source: Amcache.hve.14.drBinary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.14.drBinary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.14.drBinary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.14.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: Amcache.hve.14.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.14.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.14.drBinary or memory string: VMware PCI VMCI Bus Device
            Source: Amcache.hve.14.drBinary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.14.drBinary or memory string: VMware Virtual RAM
            Source: Amcache.hve.14.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: Amcache.hve.14.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeMemory allocated: page read and write | page guardJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe"Jump to behavior
            Source: real-al-d7ya.exe, 00000000.00000002.3405432325.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, real-al-d7ya.exe, 00000010.00000002.4142540535.00000000027E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
            Source: real-al-d7ya.exe, 00000000.00000002.3405432325.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, real-al-d7ya.exe, 00000010.00000002.4142540535.00000000027E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
            Source: real-al-d7ya.exe, 00000000.00000002.3405432325.00000000034FF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>2147483
            Source: real-al-d7ya.exe, 00000000.00000002.3405432325.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, real-al-d7ya.exe, 00000010.00000002.4142540535.00000000027E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
            Source: real-al-d7ya.exe, 00000000.00000002.3405432325.00000000034FF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -PING!<Xwormmm>Program Manager<Xwormmm>2147483
            Source: real-al-d7ya.exe, 00000000.00000002.3405432325.00000000034FF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager2y
            Source: real-al-d7ya.exe, 00000000.00000002.3405432325.00000000034FF000.00000004.00000800.00020000.00000000.sdmp, real-al-d7ya.exe, 00000010.00000002.4142540535.00000000027E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
            Source: real-al-d7ya.exe, 00000000.00000002.3405432325.00000000034FF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -PING!<Xwormmm>Program Manager<Xwormmm>2147483@
            Source: real-al-d7ya.exe, 00000010.00000002.4142540535.00000000027E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager2
            Source: C:\Users\user\Desktop\real-al-d7ya.exeQueries volume information: C:\Users\user\Desktop\real-al-d7ya.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeQueries volume information: C:\Users\user\AppData\Roaming\real-al-d7ya.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeQueries volume information: C:\Users\user\AppData\Roaming\real-al-d7ya.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeQueries volume information: C:\Users\user\AppData\Roaming\real-al-d7ya.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeQueries volume information: C:\Users\user\AppData\Roaming\real-al-d7ya.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeQueries volume information: C:\Users\user\AppData\Roaming\real-al-d7ya.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeQueries volume information: C:\Users\user\AppData\Roaming\real-al-d7ya.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\real-al-d7ya.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: Amcache.hve.14.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.14.drBinary or memory string: msmpeng.exe
            Source: Amcache.hve.14.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: real-al-d7ya.exe, 00000000.00000002.3408235456.000000001C063000.00000004.00000020.00020000.00000000.sdmp, real-al-d7ya.exe, 00000000.00000002.3408235456.000000001C000000.00000004.00000020.00020000.00000000.sdmp, real-al-d7ya.exe, 00000000.00000002.3408235456.000000001C080000.00000004.00000020.00020000.00000000.sdmp, real-al-d7ya.exe, 00000010.00000002.4140540348.0000000000B66000.00000004.00000020.00020000.00000000.sdmp, real-al-d7ya.exe, 00000010.00000002.4140540348.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp, real-al-d7ya.exe, 00000010.00000002.4147795618.000000001B8ED000.00000004.00000020.00020000.00000000.sdmp, real-al-d7ya.exe, 00000010.00000002.4147795618.000000001B902000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: Amcache.hve.14.drBinary or memory string: MsMpEng.exe
            Source: C:\Users\user\Desktop\real-al-d7ya.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\real-al-d7ya.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\real-al-d7ya.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\real-al-d7ya.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\real-al-d7ya.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\real-al-d7ya.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\real-al-d7ya.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            barindex
            Yara detected XWorm
            Source: Yara matchFile source: real-al-d7ya.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.real-al-d7ya.exe.ec0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000000.1679599731.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: real-al-d7ya.exe PID: 7280, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe, type: DROPPED

            Remote Access Functionality

            barindex
            Yara detected XWorm
            Source: Yara matchFile source: real-al-d7ya.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.real-al-d7ya.exe.ec0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000000.1679599731.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: real-al-d7ya.exe PID: 7280, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe, type: DROPPED

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
            Windows Management Instrumentation            		1
            Scheduled Task/Job            		12
            Process Injection            		1
            Masquerading            		OS Credential Dumping121
            Security Software Discovery            		Remote Services11
            Archive Collected Data            		1
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Scheduled Task/Job            		11
            Registry Run Keys / Startup Folder            		1
            Scheduled Task/Job            		1
            Disable or Modify Tools            		LSASS Memory1
            Process Discovery            		Remote Desktop ProtocolData from Removable Media1
            Non-Standard Port            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAt1
            DLL Side-Loading            		11
            Registry Run Keys / Startup Folder            		31
            Virtualization/Sandbox Evasion            		Security Account Manager31
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared Drive1
            Non-Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
            DLL Side-Loading            		12
            Process Injection            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput Capture11
            Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Deobfuscate/Decode Files or Information            		LSA Secrets1
            File and Directory Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
            Software Packing            		Cached Domain Credentials13
            System Information Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            DLL Side-Loading            		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1473001 Sample: real-al-d7ya.exe Startdate: 14/07/2024 Architecture: WINDOWS Score: 100 36 k-infectious.gl.at.ply.gg 2->36 40 Snort IDS alert for network traffic 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 9 other signatures 2->46 8 real-al-d7ya.exe 1 5 2->8         started        13 real-al-d7ya.exe 1 2->13         started        15 real-al-d7ya.exe 3 2->15         started        17 4 other processes 2->17 signatures3 process4 dnsIp5 38 k-infectious.gl.at.ply.gg 147.185.221.20, 49730, 52419, 52420 SALSGIVERUS United States 8->38 32 C:\Users\user\AppData\...\real-al-d7ya.exe, PE32 8->32 dropped 48 Creates autostart registry keys with suspicious names 8->48 50 Uses schtasks.exe or at.exe to add and modify task schedules 8->50 19 WerFault.exe 19 16 8->19         started        22 schtasks.exe 1 8->22         started        34 C:\Users\user\...\real-al-d7ya.exe.log, CSV 13->34 dropped 52 Antivirus detection for dropped file 13->52 54 Multi AV Scanner detection for dropped file 13->54 56 Machine Learning detection for dropped file 13->56 24 schtasks.exe 15->24         started        file6 signatures7 process8 file9 30 C:\ProgramData\Microsoft\...\Report.wer, Unicode 19->30 dropped 26 conhost.exe 22->26         started        28 conhost.exe 24->28         started        process10

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            real-al-d7ya.exe79%ReversingLabsByteCode-MSIL.Backdoor.XWorm
            real-al-d7ya.exe100%AviraHEUR/AGEN.1305769
            real-al-d7ya.exe100%Joe Sandbox ML

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Roaming\real-al-d7ya.exe100%AviraHEUR/AGEN.1305769
            C:\Users\user\AppData\Roaming\real-al-d7ya.exe100%Joe Sandbox ML
            C:\Users\user\AppData\Roaming\real-al-d7ya.exe79%ReversingLabsByteCode-MSIL.Backdoor.XWorm

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://upx.sf.net0%URL Reputationsafe
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
            k-infectious.gl.at.ply.gg0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            k-infectious.gl.at.ply.gg
            		147.185.221.20
            		truetrue
              		unknown

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              k-infectious.gl.at.ply.ggtrue
              • Avira URL Cloud: safe
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://upx.sf.netAmcache.hve.14.drfalse
              • URL Reputation: safe
              		unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namereal-al-d7ya.exe, 00000000.00000002.3405432325.0000000003241000.00000004.00000800.00020000.00000000.sdmp, real-al-d7ya.exe, 00000010.00000002.4142540535.0000000002791000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown

              World Map of Contacted IPs

              • No. of IPs < 25%
              • 25% < No. of IPs < 50%
              • 50% < No. of IPs < 75%
              • 75% < No. of IPs

              Public IPs

              IPDomainCountryFlagASNASN NameMalicious
              147.185.221.20
              		k-infectious.gl.at.ply.ggUnited States
              		12087SALSGIVERUStrue

              General Information

              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1473001
              Start date and time:2024-07-14 19:21:15 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 7m 44s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:19
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:real-al-d7ya.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@14/7@1/1
              EGA Information:Failed
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 126
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240000 for current running targets taking high CPU consumption

              Warnings

              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 20.189.173.21
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target real-al-d7ya.exe, PID 1744 because it is empty
              • Execution Graph export aborted for target real-al-d7ya.exe, PID 7000 because it is empty
              • Execution Graph export aborted for target real-al-d7ya.exe, PID 7280 because it is empty
              • Execution Graph export aborted for target real-al-d7ya.exe, PID 7468 because it is empty
              • Execution Graph export aborted for target real-al-d7ya.exe, PID 7572 because it is empty
              • Execution Graph export aborted for target real-al-d7ya.exe, PID 7832 because it is empty
              • Execution Graph export aborted for target real-al-d7ya.exe, PID 8008 because it is empty
              • Not all processes where analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtSetInformationFile calls found.
              • VT rate limit hit for: real-al-d7ya.exe

              Simulations

              Behavior and APIs

              TimeTypeDescription
              13:22:12API Interceptor5835007x Sleep call for process: real-al-d7ya.exe modified
              13:24:59API Interceptor1x Sleep call for process: WerFault.exe modified
              18:22:13Task SchedulerRun new task: real-al-d7ya path: C:\Users\user\AppData\Roaming\real-al-d7ya.exe
              18:22:13AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run real-al-d7ya C:\Users\user\AppData\Roaming\real-al-d7ya.exe
              18:22:21AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run real-al-d7ya C:\Users\user\AppData\Roaming\real-al-d7ya.exe

              Joe Sandbox View / Context

              IPs

              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              147.185.221.20WindowsHealthProtect.exeGet hashmaliciousXWormBrowse
                Ym9RghQJbG.exeGet hashmaliciousNjratBrowse
                  $77wsappx.exeGet hashmaliciousSilverRatBrowse
                    Nursultan Crack Minecraft 1.16.5.exeGet hashmaliciousXWormBrowse
                      setup.exeGet hashmaliciousBlank Grabber, Njrat, Umbral Stealer, XWormBrowse
                        Antilose 2.0.exeGet hashmaliciousXWormBrowse
                          Realtek HD Audio Universal Service.exeGet hashmaliciousAsyncRAT, XWormBrowse
                            dllhost.exeGet hashmaliciousXWormBrowse
                              #U666e.#U901a.#U53d1.#U7968.#U52a9#U624b#U518c.exeGet hashmaliciousUnknownBrowse
                                ZeroDay Executor.exeGet hashmaliciousAsyncRAT, VenomRATBrowse

                                  Domains

                                  No context

                                  ASNs

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  SALSGIVERUSAvowed Beta.exeGet hashmaliciousXWormBrowse
                                  • 147.185.221.21
                                  nebula.exeGet hashmaliciousXWormBrowse
                                  • 147.185.221.21
                                  WaveInstaller.exeGet hashmaliciousXWormBrowse
                                  • 147.185.221.19
                                  PC driver.exeGet hashmaliciousXWormBrowse
                                  • 147.185.221.19
                                  Server.exeGet hashmaliciousNjratBrowse
                                  • 147.185.221.21
                                  hack fivem.exeGet hashmaliciousNjratBrowse
                                  • 147.185.221.21
                                  WindowsHealthProtect.exeGet hashmaliciousXWormBrowse
                                  • 147.185.221.20
                                  Ym9RghQJbG.exeGet hashmaliciousNjratBrowse
                                  • 147.185.221.20
                                  $77wsappx.exeGet hashmaliciousSilverRatBrowse
                                  • 147.185.221.20
                                  XClient.exeGet hashmaliciousXWormBrowse
                                  • 147.185.221.19

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_real-al-d7ya.exe_8b8a742f78c3b3ba9d6ab9dc3f0483b183cda5d_d4ab0173_169ec0d9-760f-417d-853f-91af202d7383\Report.wer

                                  Download File
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):1.309579767995521
                                  Encrypted:false
                                  SSDEEP:192:cfQaInmiKN0SthhaWz8iyXzplGqzuiFlZ24lO87:jaInmizSthha48iQLDzuiFlY4lO87
                                  MD5:25963C9EE7373B5432BE1A0558EBCF83
                                  SHA1:604939C4B21B83A6810F1250F0DB57D1102EBF53
                                  SHA-256:C0B1F0D8D3BE17A659F0356310A2866A85A3A406182037F131B5B61D7B7EA0DB
                                  SHA-512:91679C0A1524A9B5C155D5639318CDA4CB81FEF9229A75F16BAB459C21B35F851C1A70B4670D11FE4D68959FFD58A2920AC59F87A1718E738AB3102B5F60875E
                                  Malicious:true
                                  Reputation:low
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.5.4.5.1.4.8.4.6.6.4.0.2.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.5.4.5.1.4.8.5.5.3.9.0.0.6.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.6.9.e.c.0.d.9.-.7.6.0.f.-.4.1.7.d.-.8.5.3.f.-.9.1.a.f.2.0.2.d.7.3.8.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.a.2.9.8.7.c.c.-.2.4.3.0.-.4.3.8.8.-.b.6.8.4.-.2.0.e.b.7.d.8.d.a.2.4.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.e.a.l.-.a.l.-.d.7.y.a...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.r.e.a.l.-.a.l.-.d.7.y.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.7.0.-.0.0.0.1.-.0.0.1.4.-.9.9.2.d.-.0.a.5.a.1.2.d.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.e.d.7.5.3.8.8.5.2.8.6.2.7.8.c.4.1.e.f.c.3.7.4.b.9.8.b.e.b.6.5.0.0.0.0.0.0.0.0.!.0.0.0.0.c.c.0.2.2.6.2.1.5.4.9.7.c.e.c.7.a.d.a.d.4.b.6.d.d.b.e.3.7.c.2.8.b.c.1.e.c.a.7.4.!.r.e.a.l.-.

                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER8C7E.tmp.dmp

                                  Download File
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:Mini DuMP crash report, 16 streams, Sun Jul 14 17:24:45 2024, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):508190
                                  Entropy (8bit):2.96216542474295
                                  Encrypted:false
                                  SSDEEP:3072:+9q+ZYYs4THWhm48aoPYUcPcSfoFa1CCqQV4unfRK3+vDtdN9tdN9tdN9td2FYE4:+QEYYpLLaoQrz5qQmunpK3QK34K6
                                  MD5:AD20C441C508A8AFA7E3BE9EB0F54AC6
                                  SHA1:96F8C85A2C6F2163D1B657B204EF74DB4F45D7A8
                                  SHA-256:B53A99244FD1DB9995CC42298EEDB74F0321FA01349D5768BBEDC2CA180D0843
                                  SHA-512:0C41A60CE1B1B3D91D0D8B916EF49357AE97FC19436CB02C98298E64BC8C3FB78FE49133DCAB11D8FF39EB503B32E8646B722EE569933CAC22CA96B0BD154B1E
                                  Malicious:false
                                  Reputation:low
                                  Preview:MDMP..a..... ..........f............4...........L$..T.......l................/.......4..*...........l.......8...........T...........XN...r...........;...........=..............................................................................eJ......d>......Lw......................T.......p...>..f....c........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F00.tmp.WERInternalMetadata.xml

                                  Download File
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8952
                                  Entropy (8bit):3.7030401533871413
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJAz+6Y930gmfZ6KprP89bVoJafMgHm:R6lXJs+6Y90gmfQXVeafS
                                  MD5:11DBA51AD902164B66502245A8FEE459
                                  SHA1:2FB16866F4CDA99594F70218E0F78D83190E7A81
                                  SHA-256:35E3D2FDB769AA216D3BEAE5A339D6501681FB5E709FFBEE128C0EC9C5F6A3C1
                                  SHA-512:5A8EE16D89419C82D4832BA0FA2F1F955E2C453EABE29632D843440927AD4220BBF236E86CE2D3C743898DCB6B82C738ACE6133F9747EADADFE3C8B5F4E3916E
                                  Malicious:false
                                  Reputation:low
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.8.0.<./.P.i.

                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F2F.tmp.xml

                                  Download File
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4805
                                  Entropy (8bit):4.442876946121759
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsnJg771I9OBWpW8VY1Ym8M4JixnHXB+FpCyq8v0nHXBrOeBuzs7d:uIjfJI7dQ7VNJixn3BjW0n3BrNBEs7d
                                  MD5:00C927F645A75ADE2B4E35D72BCBD56C
                                  SHA1:FEBCE56B0927CD10A83FE34CE6E7E46948802045
                                  SHA-256:C0A7923AFDAB9236B3342B84D7DC1E5CDE7B7ABDB41AD883B657AB65BF4BE294
                                  SHA-512:492D12E4A05B234CD10CFD393514093128C3EBE2C148FC8905EE4A8B929173D11B9707F1C66FCA572CBB0A52A920FDCA598DF56A975D05CC3D2FD06AE6771D25
                                  Malicious:false
                                  Reputation:low
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="410907" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\real-al-d7ya.exe.log

                                  Download File
                                  Process:C:\Users\user\AppData\Roaming\real-al-d7ya.exe
                                  File Type:CSV text
                                  Category:dropped
                                  Size (bytes):654
                                  Entropy (8bit):5.380476433908377
                                  Encrypted:false
                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                  Malicious:true
                                  Reputation:moderate, very likely benign file
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                  C:\Users\user\AppData\Roaming\real-al-d7ya.exe

                                  Download File
                                  Process:C:\Users\user\Desktop\real-al-d7ya.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):36864
                                  Entropy (8bit):5.623355031929578
                                  Encrypted:false
                                  SSDEEP:768:kMiqTmJ4S2BnbHh9Q3B7DQX/Fu9y+Q0Ofh47O8:EqAMbHhOx7DQvFu9y8Ofz8
                                  MD5:2B4129DDC8FDDD48AEE75ADFAF4B59CC
                                  SHA1:CC0226215497CEC7ADAD4B6DDBE37C28BC1ECA74
                                  SHA-256:5C3E62C072C7BF77ABF2B6A087BB673121913113FABA905E02BD776D0BB1F4FB
                                  SHA-512:C04D82F47042022CAB0C8624F63BD392F78613DD8909E69C5F8DCA54D1C84DE5255E35ECAB36D3A451CBE56417F8BBB70DB8A438FA09FADBD6D230EBFC173B78
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe, Author: Joe Security
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe, Author: ditekSHen
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 79%
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3.f............................^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................@.......H.......(X...L............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..

                                  C:\Windows\appcompat\Programs\Amcache.hve

                                  Download File
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:MS Windows registry file, NT/2000 or above
                                  Category:dropped
                                  Size (bytes):1835008
                                  Entropy (8bit):4.465638527775108
                                  Encrypted:false
                                  SSDEEP:6144:yIXfpi67eLPU9skLmb0b47WSPKaJG8nAgejZMMhA2gX4WABl0uNOdwBCswSbZ:3XD947WlLZMM6YFHM+Z
                                  MD5:AC14290288E3E52E45628F47A3F0D432
                                  SHA1:EFB2AC74AF242EC1F572752FCD4D97C9F6F3FB25
                                  SHA-256:F2E53C42826C030F8738EF4C07BF38EC2D5E0CFD65D880EABC6298CA2FE765A2
                                  SHA-512:E19FC7E702C6F7C39787A545439053DC21D0A0D961B4D9D57AC95C0D783AF812D5E0A1CAA41F2B63D061BE67C187871DF6592CAD346C2A2A99B037BC84766635
                                  Malicious:false
                                  Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                  Static File Info

                                  General

                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):5.623355031929578
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Windows Screen Saver (13104/52) 0.07%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  File name:real-al-d7ya.exe
                                  File size:36'864 bytes
                                  MD5:2b4129ddc8fddd48aee75adfaf4b59cc
                                  SHA1:cc0226215497cec7adad4b6ddbe37c28bc1eca74
                                  SHA256:5c3e62c072c7bf77abf2b6a087bb673121913113faba905e02bd776d0bb1f4fb
                                  SHA512:c04d82f47042022cab0c8624f63bd392f78613dd8909e69c5f8dca54d1c84de5255e35ecab36d3a451cbe56417f8bbb70db8a438fa09fadbd6d230ebfc173b78
                                  SSDEEP:768:kMiqTmJ4S2BnbHh9Q3B7DQX/Fu9y+Q0Ofh47O8:EqAMbHhOx7DQvFu9y8Ofz8
                                  TLSH:42F24B487BE08722D6BE6FB029B272054675F9079923DB6E0CD4859A2F77AC14E003E3
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3..f............................^.... ........@.. ....................................@................................

                                  File Icon

                                  Icon Hash:90cececece8e8eb0

                                  Static PE Info

                                  General

                                  Entrypoint:0x40a55e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x6693C533 [Sun Jul 14 12:31:47 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                  Entrypoint Preview

                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al

                                  Data Directories

                                  NameVirtual AddressVirtual Size Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                  IMAGE_DIRECTORY_ENTRY_IMPORT0xa50c0x4f.text
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0xc0000x4f0.rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0xe0000xc.reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                  Sections

                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                  .text0x20000x85640x8600e0c622cb7e4c9d2acbf43921ffc006e6False0.48874766791044777data5.758288191372098IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .rsrc0xc0000x4f00x600ee5a8de7a813224054178fc9c8fa40b4False0.3776041666666667data3.753041252162524IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc0xe0000xc0x200617961a99054885bb3d98d3462521733False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                  Resources

                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                  RT_VERSION0xc0a00x25cdata0.46192052980132453
                                  RT_MANIFEST0xc3000x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                  Imports

                                  DLLImport
                                  mscoree.dll_CorExeMain

                                  Network Behavior

                                  Snort IDS Alerts

                                  TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                  07/14/24-19:23:33.405583TCP2853193ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound524229165192.168.2.4147.185.221.20
                                  07/14/24-19:22:50.077254TCP2855924ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound524199165192.168.2.4147.185.221.20

                                  Network Port Distribution

                                  TCP Packets

                                  TimestampSource PortDest PortSource IPDest IP
                                  Jul 14, 2024 19:22:14.193532944 CEST497309165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:22:14.201484919 CEST916549730147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:22:14.201725006 CEST497309165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:22:14.349015951 CEST497309165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:22:14.353897095 CEST916549730147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:22:25.844074011 CEST497309165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:22:25.850121975 CEST916549730147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:22:35.570930958 CEST916549730147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:22:35.571082115 CEST497309165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:22:37.717741013 CEST497309165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:22:37.719213009 CEST524199165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:22:37.722654104 CEST916549730147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:22:37.724060059 CEST916552419147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:22:37.724185944 CEST524199165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:22:37.750138044 CEST524199165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:22:37.755119085 CEST916552419147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:22:50.077254057 CEST524199165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:22:50.082186937 CEST916552419147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:22:59.122134924 CEST916552419147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:22:59.122391939 CEST524199165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:22:59.436393976 CEST524199165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:22:59.437803984 CEST524209165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:22:59.441379070 CEST916552419147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:22:59.442908049 CEST916552420147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:22:59.442986012 CEST524209165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:22:59.475014925 CEST524209165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:22:59.479999065 CEST916552420147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:10.577254057 CEST524209165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:10.582192898 CEST916552420147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:17.670890093 CEST524209165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:17.676192999 CEST916552420147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:19.077249050 CEST524209165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:19.082401991 CEST916552420147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:20.612468958 CEST524209165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:20.617552042 CEST916552420147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:20.823602915 CEST916552420147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:20.829576969 CEST524209165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:22.703777075 CEST524209165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:22.707556009 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:22.972414970 CEST916552420147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:22.972424030 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:22.975754023 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:23.255506039 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:23.260468960 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:23.311731100 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:23.316612005 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:24.766521931 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:24.771488905 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:24.889684916 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:24.895884991 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:25.280303001 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:25.285325050 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:30.249069929 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:30.254015923 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:33.405582905 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:33.410520077 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:33.436922073 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:33.441689968 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:33.452142000 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:33.456947088 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:33.467783928 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:33.472583055 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:33.530237913 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:33.535094023 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:33.562680006 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:33.567564011 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:33.671144009 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:33.675996065 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:33.686467886 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:33.691385031 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:33.702138901 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:33.707036972 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:33.733403921 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:33.738369942 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:33.780216932 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:33.785048008 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:33.795918941 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:33.800720930 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:34.823538065 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:34.828861952 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:35.288300037 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:35.530026913 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:35.842524052 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:35.905788898 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:35.905821085 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:35.907919884 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:35.933521032 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:35.938469887 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:36.125117064 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:36.130014896 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:37.830210924 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:37.835120916 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:38.472834110 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:38.477847099 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:40.108459949 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:40.113413095 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:40.233536005 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:40.238636017 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:41.366254091 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:41.371113062 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:41.862173080 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:41.867274046 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:42.177362919 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:42.182519913 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:43.182497978 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:43.187804937 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:43.247620106 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:43.252974987 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:43.279118061 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:43.284236908 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:44.336925983 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:44.336999893 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:49.108535051 CEST524229165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:49.110567093 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:49.113590956 CEST916552422147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:49.115391970 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:49.116044044 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:49.215598106 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:49.220499992 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:49.706060886 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:49.711085081 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:49.996490955 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:50.001472950 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:51.288109064 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:51.292956114 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:51.518116951 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:51.522986889 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:51.648062944 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:51.652983904 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:51.771359921 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:51.776242971 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:51.810911894 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:51.815818071 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:51.880340099 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:51.885318041 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:53.433121920 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:53.438241005 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:53.450666904 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:53.455549002 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:53.842312098 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:53.999396086 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:53.999463081 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:54.005079031 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:54.778568983 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:54.783639908 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:55.758121014 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:55.763569117 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:55.816140890 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:55.821163893 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:55.821218967 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:55.828334093 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:56.123467922 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:56.128658056 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:56.839576960 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:56.844685078 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:57.405622959 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:57.410675049 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:57.679503918 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:57.684705973 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:57.851789951 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:57.856965065 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:59.075258017 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:59.083548069 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:59.685894012 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:59.691698074 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:59.694103003 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:59.698889971 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:59.769551992 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:59.774497986 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:59.788630962 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:59.793497086 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:59.793546915 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:59.798404932 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:59.812262058 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:23:59.817146063 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:23:59.921319008 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:00.082684994 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:00.082739115 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:00.394501925 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:00.703670025 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:00.708585024 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:00.915884972 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:00.920803070 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:02.270618916 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:02.275500059 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:02.659169912 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:02.664040089 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:03.077198029 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:03.085741043 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:03.416708946 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:03.423410892 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:03.539424896 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:03.544682980 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:03.794936895 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:03.800271988 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:03.953906059 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:03.960587978 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:04.217401028 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:04.224467039 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:05.666125059 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:05.671200037 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:05.857630014 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:05.862646103 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:05.915275097 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:05.920301914 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:05.966809034 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:05.974409103 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:07.618117094 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:07.623058081 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:07.623110056 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:07.627861977 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:07.691246986 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:07.696162939 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:08.184746981 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:08.189958096 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:09.111305952 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:09.116143942 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:09.315228939 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:09.320167065 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:09.331459999 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:09.336340904 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:09.398816109 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:09.404050112 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:10.223429918 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:10.228627920 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:10.493671894 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:10.497652054 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:15.139584064 CEST524239165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:15.143682957 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:15.144476891 CEST916552423147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:15.148650885 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:15.151829004 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:15.334427118 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:15.340150118 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:15.402493000 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:15.414096117 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:15.584340096 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:15.589487076 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:15.629904985 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:15.634960890 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:16.215142965 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:16.224579096 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:16.517844915 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:16.523137093 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:16.553776979 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:16.558789968 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:18.129476070 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:18.134347916 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:19.302875996 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:19.308078051 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:20.292593002 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:20.297795057 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:21.086101055 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:21.091191053 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:21.175720930 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:21.180625916 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:21.368746996 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:21.373652935 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:21.408077955 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:21.412884951 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:22.992793083 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:22.997869015 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:23.126976967 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:23.131892920 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:23.207657099 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:23.212634087 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:23.581743002 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:23.591341972 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:23.788959026 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:23.793891907 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:23.798404932 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:23.804287910 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:23.958180904 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:23.964035034 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:23.967932940 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:23.972908020 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:23.984695911 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:23.989583969 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:24.003995895 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:24.009048939 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:24.010116100 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:24.016931057 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:24.243933916 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:24.248888016 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:24.325237036 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:24.330152988 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:25.331811905 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:25.336869955 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:25.409348965 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:25.414247036 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:25.612998009 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:25.617866039 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:25.790843964 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:25.795857906 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:26.006170034 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:26.011117935 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:26.036111116 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:26.041102886 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:27.457721949 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:27.462768078 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:27.551095963 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:27.558010101 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:27.664949894 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:27.669861078 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:27.725497961 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:27.731517076 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:27.731566906 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:27.736447096 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:27.939502954 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:27.944608927 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:27.965984106 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:27.971018076 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:28.046775103 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:28.051913977 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:28.114991903 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:28.120019913 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:28.143410921 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:28.148272991 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:28.156512022 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:28.161371946 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:28.197621107 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:28.203769922 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:28.263020992 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:28.268141031 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:28.639249086 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:28.644212961 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:28.720400095 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:28.725354910 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:29.383841038 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:29.388933897 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:29.557189941 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:29.562186956 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:29.662262917 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:29.667211056 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:29.761521101 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:29.766505003 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:29.902414083 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:29.908828974 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:29.989526033 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:29.995017052 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:29.998106003 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:30.003051043 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:30.003099918 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:30.008109093 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:30.109159946 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:30.114450932 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:30.260355949 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:30.265364885 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:30.292957067 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:30.297811985 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:31.853884935 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:32.044111013 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:32.044181108 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:32.051079035 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:32.310707092 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:32.315759897 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:32.315814018 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:32.320673943 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:32.514170885 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:32.781930923 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:32.931442976 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:32.933128119 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:32.933881998 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:32.938760996 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:33.452866077 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:33.458184958 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:33.585136890 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:33.590095997 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:33.603337049 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:33.608237028 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:33.674866915 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:33.682353020 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:33.786001921 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:33.793092012 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:33.793771982 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:33.799576998 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:35.470869064 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:35.475821972 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:35.605715036 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:35.610697031 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:35.654808998 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:35.660540104 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:35.733444929 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:35.747567892 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:35.801759958 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:35.808978081 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:36.029295921 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:36.034676075 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:36.042974949 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:36.047893047 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:36.080194950 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:36.085273981 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:36.109076023 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:36.114137888 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:36.117604017 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:36.122482061 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:36.141140938 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:36.146277905 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:36.151180983 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:36.156120062 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:36.189568043 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:36.194678068 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:36.511104107 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:36.515813112 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:41.331662893 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:41.331794977 CEST524249165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:41.336869955 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:41.336879015 CEST916552424147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:41.337090015 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:41.429686069 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:41.434736967 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:41.457072973 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:41.462075949 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:41.515796900 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:41.520750046 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:41.596168041 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:41.601994991 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:41.602039099 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:41.607029915 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:41.697232962 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:41.707632065 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:42.016617060 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:42.022888899 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:42.221532106 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:42.226650000 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:43.507021904 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:43.512280941 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:43.530950069 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:43.536734104 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:43.564275026 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:43.572097063 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:43.603507996 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:43.608550072 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:43.681314945 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:43.686592102 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:43.705821037 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:43.710824966 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:43.912503958 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:43.918582916 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:43.945538044 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:43.951520920 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:43.951570034 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:43.957163095 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:43.958899975 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:43.965257883 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:43.965521097 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:43.970351934 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:44.082109928 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:44.339358091 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:44.339431047 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:44.344993114 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:44.348778963 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:44.353750944 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:24:44.365825891 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:24:44.370748043 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:25:00.298998117 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:00.303875923 CEST916552425147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:25:00.898484945 CEST524259165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:09.701221943 CEST524379165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:10.604770899 CEST916552437147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:25:10.605307102 CEST524379165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:10.710093975 CEST524379165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:10.715249062 CEST916552437147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:25:21.803050995 CEST524379165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:21.809602976 CEST916552437147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:25:31.979491949 CEST916552437147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:25:31.979741096 CEST524379165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:34.932997942 CEST524379165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:34.939058065 CEST916552437147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:25:34.999908924 CEST524389165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:35.008735895 CEST916552438147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:25:35.008866072 CEST524389165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:35.066642046 CEST524389165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:35.072556019 CEST916552438147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:25:48.655900955 CEST524389165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:48.660887957 CEST916552438147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:25:56.370624065 CEST916552438147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:25:56.370980978 CEST524389165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:57.358805895 CEST524389165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:57.361958027 CEST524399165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:57.365628004 CEST916552438147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:25:57.368473053 CEST916552439147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:25:57.368644953 CEST524399165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:57.402632952 CEST524399165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:25:57.408304930 CEST916552439147.185.221.20192.168.2.4
                                  Jul 14, 2024 19:26:07.640381098 CEST524399165192.168.2.4147.185.221.20
                                  Jul 14, 2024 19:26:07.645493031 CEST916552439147.185.221.20192.168.2.4

                                  UDP Packets

                                  TimestampSource PortDest PortSource IPDest IP
                                  Jul 14, 2024 19:22:14.173455954 CEST6069353192.168.2.41.1.1.1
                                  Jul 14, 2024 19:22:14.183490038 CEST53606931.1.1.1192.168.2.4
                                  Jul 14, 2024 19:22:30.740580082 CEST53639861.1.1.1192.168.2.4

                                  DNS Queries

                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                  Jul 14, 2024 19:22:14.173455954 CEST192.168.2.41.1.1.10x5810Standard query (0)k-infectious.gl.at.ply.ggA (IP address)IN (0x0001)false

                                  DNS Answers

                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                  Jul 14, 2024 19:22:14.183490038 CEST1.1.1.1192.168.2.40x5810No error (0)k-infectious.gl.at.ply.gg147.185.221.20A (IP address)IN (0x0001)false

                                  Statistics

                                  CPU Usage

                                  Click to jump to process

                                  Memory Usage

                                  Click to jump to process

                                  High Level Behavior Distribution

                                  Click to dive into process behavior distribution

                                  Behavior

                                  Click to jump to process

                                  System Behavior

                                  General

                                  Target ID:0
                                  Start time:13:22:06
                                  Start date:14/07/2024
                                  Path:C:\Users\user\Desktop\real-al-d7ya.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\Desktop\real-al-d7ya.exe"
                                  Imagebase:0xec0000
                                  File size:36'864 bytes
                                  MD5 hash:2B4129DDC8FDDD48AEE75ADFAF4B59CC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1679599731.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1679599731.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                  Reputation:low
                                  Has exited:true

                                  General

                                  Target ID:1
                                  Start time:13:22:11
                                  Start date:14/07/2024
                                  Path:C:\Windows\System32\schtasks.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe"
                                  Imagebase:0x7ff76f990000
                                  File size:235'008 bytes
                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  General

                                  Target ID:2
                                  Start time:13:22:11
                                  Start date:14/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  General

                                  Target ID:3
                                  Start time:13:22:13
                                  Start date:14/07/2024
                                  Path:C:\Users\user\AppData\Roaming\real-al-d7ya.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Users\user\AppData\Roaming\real-al-d7ya.exe
                                  Imagebase:0xda0000
                                  File size:36'864 bytes
                                  MD5 hash:2B4129DDC8FDDD48AEE75ADFAF4B59CC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe, Author: Joe Security
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\real-al-d7ya.exe, Author: ditekSHen
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 79%, ReversingLabs
                                  Reputation:low
                                  Has exited:true

                                  General

                                  Target ID:4
                                  Start time:13:22:21
                                  Start date:14/07/2024
                                  Path:C:\Users\user\AppData\Roaming\real-al-d7ya.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\AppData\Roaming\real-al-d7ya.exe"
                                  Imagebase:0x460000
                                  File size:36'864 bytes
                                  MD5 hash:2B4129DDC8FDDD48AEE75ADFAF4B59CC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  General

                                  Target ID:8
                                  Start time:13:22:30
                                  Start date:14/07/2024
                                  Path:C:\Users\user\AppData\Roaming\real-al-d7ya.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\AppData\Roaming\real-al-d7ya.exe"
                                  Imagebase:0x820000
                                  File size:36'864 bytes
                                  MD5 hash:2B4129DDC8FDDD48AEE75ADFAF4B59CC
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  General

                                  Target ID:9
                                  Start time:13:23:01
                                  Start date:14/07/2024
                                  Path:C:\Users\user\AppData\Roaming\real-al-d7ya.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Users\user\AppData\Roaming\real-al-d7ya.exe
                                  Imagebase:0x160000
                                  File size:36'864 bytes
                                  MD5 hash:2B4129DDC8FDDD48AEE75ADFAF4B59CC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  General

                                  Target ID:11
                                  Start time:13:24:01
                                  Start date:14/07/2024
                                  Path:C:\Users\user\AppData\Roaming\real-al-d7ya.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Users\user\AppData\Roaming\real-al-d7ya.exe
                                  Imagebase:0x490000
                                  File size:36'864 bytes
                                  MD5 hash:2B4129DDC8FDDD48AEE75ADFAF4B59CC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  General

                                  Target ID:14
                                  Start time:13:24:44
                                  Start date:14/07/2024
                                  Path:C:\Windows\System32\WerFault.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\WerFault.exe -u -p 7280 -s 2008
                                  Imagebase:0x7ff6b63e0000
                                  File size:570'736 bytes
                                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  General

                                  Target ID:16
                                  Start time:13:25:00
                                  Start date:14/07/2024
                                  Path:C:\Users\user\AppData\Roaming\real-al-d7ya.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Users\user\AppData\Roaming\real-al-d7ya.exe
                                  Imagebase:0x5d0000
                                  File size:36'864 bytes
                                  MD5 hash:2B4129DDC8FDDD48AEE75ADFAF4B59CC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:false

                                  General

                                  Target ID:17
                                  Start time:13:25:04
                                  Start date:14/07/2024
                                  Path:C:\Windows\System32\schtasks.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "real-al-d7ya" /tr "C:\Users\user\AppData\Roaming\real-al-d7ya.exe"
                                  Imagebase:0x7ff76f990000
                                  File size:235'008 bytes
                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  General

                                  Target ID:18
                                  Start time:13:25:04
                                  Start date:14/07/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Disassembly

                                  Reset < >

                                    Executed Functions

                                    Function 00007FFD9B8935AE Relevance: 4.3, Strings: 3, Instructions: 580COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: >$B$cAN_^
                                    • API String ID: 0-3918363738
                                    • Opcode ID: c836c97fc52ec86c2d95cd0716f490d2ad19276b3723126edf4d47f2f53cb838
                                    • Instruction ID: 28ebd08d4a549ddf283d97fea7951df4cc124977951467de398b4a9675f1eb88
                                    • Opcode Fuzzy Hash: c836c97fc52ec86c2d95cd0716f490d2ad19276b3723126edf4d47f2f53cb838
                                    • Instruction Fuzzy Hash: E5126670B18A098BEB58EB688869BB9B7E2FF9C314F14417DE04DD32D5DF78A8418741
                                    Function 00007FFD9B892519 Relevance: 4.2, Strings: 2, Instructions: 1739COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: B$cAN_^
                                    • API String ID: 0-3129985804
                                    • Opcode ID: 36b357e472677ef6890185c8f6a5d88b648e937637cae23a2cfe63098282de9c
                                    • Instruction ID: 445c43ef50699f1985ac52af449334863885f5ea220b711ba2a9e7247c22b40b
                                    • Opcode Fuzzy Hash: 36b357e472677ef6890185c8f6a5d88b648e937637cae23a2cfe63098282de9c
                                    • Instruction Fuzzy Hash: 0BD27570B18A098FEB58EF68C8A9B79B7E1FF98304F544579E04DD3295DF38A8418B41
                                    Function 00007FFD9B8981D6 Relevance: .5, Instructions: 475COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ef22bec1f59eb2e544a20f99a216d3f7ce16552a22ae81d215fd9f901ec059f3
                                    • Instruction ID: a0753270f75bacb7a06084fdf0167857bf33e27095b06124eedd56902acefa7f
                                    • Opcode Fuzzy Hash: ef22bec1f59eb2e544a20f99a216d3f7ce16552a22ae81d215fd9f901ec059f3
                                    • Instruction Fuzzy Hash: 6EF1A530A09A4E4FEFA8DF68C8557E93BE1FF58350F04426EE84DC7295DB34A9458B81
                                    Function 00007FFD9B898F82 Relevance: .5, Instructions: 461COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: edb623ae6b28911b6211c78bfb32bfbd2c0d6b73443d30a1f43ecad61c6f9882
                                    • Instruction ID: f7208f4f385316c3e134da0ad5acf26fb4bc44e7cea4a1a7444e5f7cb7f75e4d
                                    • Opcode Fuzzy Hash: edb623ae6b28911b6211c78bfb32bfbd2c0d6b73443d30a1f43ecad61c6f9882
                                    • Instruction Fuzzy Hash: B0E1D730A09A4E4FEFA8DF68C8697E97BD1FF58310F04466ED84DC7295DE3899418781
                                    Function 00007FFD9B890E49 Relevance: 1.7, Strings: 1, Instructions: 490COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: cAN_^
                                    • API String ID: 0-2037741601
                                    • Opcode ID: 0bc1deb2aaac7b99e093dbcab5480fccfa22044df5c7c5f094067bcfa1986b40
                                    • Instruction ID: ef20e7f218bd65301991ccece51c5e7ce5c5641b3684e7033003c24f699c93d0
                                    • Opcode Fuzzy Hash: 0bc1deb2aaac7b99e093dbcab5480fccfa22044df5c7c5f094067bcfa1986b40
                                    • Instruction Fuzzy Hash: CDF1D821B199494FEB98F7688875BB977E2FF98304F5044B9E05EC32DBDE2CA8418741
                                    Function 00007FFD9B8922B1 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: cAN_^
                                    • API String ID: 0-2037741601
                                    • Opcode ID: 070056fd971a74ebb3547fe16ee42bd12656cee3d0116178a67029da64dc50ac
                                    • Instruction ID: 2c2ff7528aa6438165e0efcf73df3b93d591d38589d370dfe6c3203e7a6ec084
                                    • Opcode Fuzzy Hash: 070056fd971a74ebb3547fe16ee42bd12656cee3d0116178a67029da64dc50ac
                                    • Instruction Fuzzy Hash: 5F11EC10F1E68A0BE729A7F548311B87F61AF85350F9A01B9D04DCF0E7ED6C99464352
                                    Function 00007FFD9B899861 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: d
                                    • API String ID: 0-2564639436
                                    • Opcode ID: c47a9b8fb645338441b409a9c0c54cc743ce4f8df867194224aa07abd64e4450
                                    • Instruction ID: 32b954acbcbb753eaa6233d89ed127177b64d0763805c13fc425e70d2fa777af
                                    • Opcode Fuzzy Hash: c47a9b8fb645338441b409a9c0c54cc743ce4f8df867194224aa07abd64e4450
                                    • Instruction Fuzzy Hash: CF11D531E0E35D8FEF149BA888692FD7FA0EF19310F02057FC449E22E2DA2995448381
                                    Function 00007FFD9B892318 Relevance: 1.3, Strings: 1, Instructions: 35COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: cAN_^
                                    • API String ID: 0-2037741601
                                    • Opcode ID: 395157462fe77d1fec3fb7bff9a15e0c02be21b59969dc30a19e0f8b008aa182
                                    • Instruction ID: 340be3a777fb79095ca40836680e2e2c6d915b131a20abe87bc869b5d09ab53e
                                    • Opcode Fuzzy Hash: 395157462fe77d1fec3fb7bff9a15e0c02be21b59969dc30a19e0f8b008aa182
                                    • Instruction Fuzzy Hash: 90F08630E0D51A4BE778EFD484612A8BB91FB88310F914679D01D871E5DF28B9519741
                                    Function 00007FFD9B8945FD Relevance: .4, Instructions: 363COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 75b0e823c6144c034a5fd71c34895da741cf20a120c2fe90955b5faacc1d31d0
                                    • Instruction ID: bb8dba141efce4250659a7bf87f3c45eb6fc68ad28af97d65ad89a73353fd960
                                    • Opcode Fuzzy Hash: 75b0e823c6144c034a5fd71c34895da741cf20a120c2fe90955b5faacc1d31d0
                                    • Instruction Fuzzy Hash: 1EB1D95071D9458BF799B7BC9C297B9B6D2EF98300F5441BAE059C32EBDD18AC428342
                                    Function 00007FFD9B898B96 Relevance: .3, Instructions: 334COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bf18e13f318496a48c59967ee53416e07ce90d11e54113624506e30277a29b22
                                    • Instruction ID: 28fc804eebb452bd141ebe0845517415d188e250efd484b1d60d867ba9c4a562
                                    • Opcode Fuzzy Hash: bf18e13f318496a48c59967ee53416e07ce90d11e54113624506e30277a29b22
                                    • Instruction Fuzzy Hash: 58B1D83060DA4E4FDFA8DF28C8657E93BD1EF59350F04426EE84DC7296CA34A9458B82
                                    Function 00007FFD9B893B2F Relevance: .3, Instructions: 286COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0a64dc4998f09b956ce9a43bec746e04dfebcabaa80fc57621cf25340a7fbd3f
                                    • Instruction ID: 2b977217ceab73298823edd7fcc827e49cd3ed069fd0ba1e09fdba36da05f43d
                                    • Opcode Fuzzy Hash: 0a64dc4998f09b956ce9a43bec746e04dfebcabaa80fc57621cf25340a7fbd3f
                                    • Instruction Fuzzy Hash: 8AA1FC7090E7C98FDB57DBB88864A957FF0EF13314B0A00EBC085CB5A3D6689945CB62
                                    Function 00007FFD9B899DED Relevance: .3, Instructions: 279COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 61c01e187595a1dafa8e6338f9ad6f8ed438ede0539836d5071ee2afb9a173db
                                    • Instruction ID: 8e2a3f1f33131fd5d3cc5870d0eb5d807bff9ee204274f489ca353b52f5dd0eb
                                    • Opcode Fuzzy Hash: 61c01e187595a1dafa8e6338f9ad6f8ed438ede0539836d5071ee2afb9a173db
                                    • Instruction Fuzzy Hash: AC81EA31B1D54C8FEF68EB789869AF97BE1EF59310F05017AE00DD72E2CD68A9418741
                                    Function 00007FFD9B896FD8 Relevance: .3, Instructions: 276COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fb1409ea90fe193df18960f4f404b5d7cb2b42bf2fa3ebde471285d34238b0ce
                                    • Instruction ID: a9d796009774300bda67b9c94a7d2194a9f4c7567d6abde556c13e5bdef5d0a2
                                    • Opcode Fuzzy Hash: fb1409ea90fe193df18960f4f404b5d7cb2b42bf2fa3ebde471285d34238b0ce
                                    • Instruction Fuzzy Hash: 40911AB1E0DA4D8FEB58DBA8D8656A9BBF0FF68310F1541BAC449D3192DA346841CB81
                                    Function 00007FFD9B890590 Relevance: .2, Instructions: 244COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: de722911ee2ceb927836c4d3a5b6646dd9ac9171fb35f1b850d87d2f1da56a63
                                    • Instruction ID: b92bb576c5bc4982069321c280fb3b60d1881613671b238aed7c1941ef66741c
                                    • Opcode Fuzzy Hash: de722911ee2ceb927836c4d3a5b6646dd9ac9171fb35f1b850d87d2f1da56a63
                                    • Instruction Fuzzy Hash: 0A614B32F1990E4FEBA8E76C98656BD77E2EF88754F54017AD04DC32E6DD286C428381
                                    Function 00007FFD9B899E40 Relevance: .2, Instructions: 224COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e1abf7c17018d257ba8786cf428476f504534d0d7fce9d4e05dc2558d051490b
                                    • Instruction ID: 54d2f9eba98fefa2d7dab97066d2d7eb59654ce45b19a50da8d8173010653d1b
                                    • Opcode Fuzzy Hash: e1abf7c17018d257ba8786cf428476f504534d0d7fce9d4e05dc2558d051490b
                                    • Instruction Fuzzy Hash: E461A731B1990C8FEBA8EB68D469ABD77E1EF58310F150179E01ED32E6DE74AC418741
                                    Function 00007FFD9B899939 Relevance: .2, Instructions: 217COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 34aa7dee795afe46108e00c2b0b25f7bf596aa255acca8104e0adcfaf64544a0
                                    • Instruction ID: 7dac5e123e436c8335f68bd401707a191358ab1e3ddc331cc3be50cbfc4ff93e
                                    • Opcode Fuzzy Hash: 34aa7dee795afe46108e00c2b0b25f7bf596aa255acca8104e0adcfaf64544a0
                                    • Instruction Fuzzy Hash: ED61B530A18A0D8FDB58DB68D855BFDBBF1FF58311F1042AAD40DD3296DA35A942CB81
                                    Function 00007FFD9B896F8D Relevance: .2, Instructions: 213COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a40ecbc3cce3a36dc6a141d28f53b9b9ad8485567ae296643b9f0c707250de23
                                    • Instruction ID: 026acfe5d5c23b55101310f3c65cb06b72671df188a61067a9786b8224395721
                                    • Opcode Fuzzy Hash: a40ecbc3cce3a36dc6a141d28f53b9b9ad8485567ae296643b9f0c707250de23
                                    • Instruction Fuzzy Hash: B6618470A08A0D8FDB58EF68D8556EDBBF1FF68310F10416AD44DD3296DA35A846CB81
                                    Function 00007FFD9B89402F Relevance: .2, Instructions: 212COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c1f85d85e86b531a77bf197c079c917f6a70869f6fdb7edb8f9aca8dfa4a73f9
                                    • Instruction ID: 5f8c8f977392caa613415d783cfb743703e4c62b6f4fd0482c569e8419e082c9
                                    • Opcode Fuzzy Hash: c1f85d85e86b531a77bf197c079c917f6a70869f6fdb7edb8f9aca8dfa4a73f9
                                    • Instruction Fuzzy Hash: A2513522F1D90E4BEFACAB6C54256BDB6D1EF9C354F54027ED04EC32DADD28A8424381
                                    Function 00007FFD9B890540 Relevance: .2, Instructions: 200COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4e05f1d4e408f76fc3d3b6e785b57b322bd05284867e5f55635d7edbbb2026d5
                                    • Instruction ID: fa62a7a801d799ec42cc63b1f4729de6952240930a48d4f2af3625ebcf751af0
                                    • Opcode Fuzzy Hash: 4e05f1d4e408f76fc3d3b6e785b57b322bd05284867e5f55635d7edbbb2026d5
                                    • Instruction Fuzzy Hash: BD512731A0D64D9FEB68EF68C859AB97BE0EF55320F0541BED04DC31A2DB38A446CB41
                                    Function 00007FFD9B8956CC Relevance: .2, Instructions: 198COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3876bc54e1bd81be18872c34fcd66cedeb0886a0c1720b3d195a81e1c020b63a
                                    • Instruction ID: db0bf0768a575db7435cbc38107724cc1836d033e3af954728e163c90aca68c3
                                    • Opcode Fuzzy Hash: 3876bc54e1bd81be18872c34fcd66cedeb0886a0c1720b3d195a81e1c020b63a
                                    • Instruction Fuzzy Hash: 8A518230908B1C8FDF68DB58D855BE9BBF1FF59310F0082AAD44DD3296DE34A9858B81
                                    Function 00007FFD9B899B59 Relevance: .2, Instructions: 194COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2df843ad07dcef36be297b8df9ac674fadb891d23b0baca8ee03e4000b88104b
                                    • Instruction ID: c62021dd5b8db97946bcb88fc8cc4026e1c6c6b827181304c8049c49d7fc4996
                                    • Opcode Fuzzy Hash: 2df843ad07dcef36be297b8df9ac674fadb891d23b0baca8ee03e4000b88104b
                                    • Instruction Fuzzy Hash: 6C51C231B1D94E8FEB68FBA8D8656BC7BE1EF49314F4104B9D01DC32E6DE2868428701
                                    Function 00007FFD9B890708 Relevance: .2, Instructions: 172COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d5003a0c579ba7b5b05f98b5dd4b44697fafa293cb7f797eb16a5bad38f3415c
                                    • Instruction ID: e66ba7427f22cd3882c6ea8697b9588769827ee3834ee170e0fd11609e40d5bc
                                    • Opcode Fuzzy Hash: d5003a0c579ba7b5b05f98b5dd4b44697fafa293cb7f797eb16a5bad38f3415c
                                    • Instruction Fuzzy Hash: 3F516130F1990D9FEBA8FB68D869ABC77E1FF88704F514479E01ED3295CE28A9418741
                                    Function 00007FFD9B890BCE Relevance: .2, Instructions: 156COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0b69a756260c2539b3c9df5864a1d0cc22d5e4c139d3d9dde8ca152aa4e1bb9d
                                    • Instruction ID: d4af9c6eead075515412f3181fec92874208237bff0d294ece95bdd3083bdc4e
                                    • Opcode Fuzzy Hash: 0b69a756260c2539b3c9df5864a1d0cc22d5e4c139d3d9dde8ca152aa4e1bb9d
                                    • Instruction Fuzzy Hash: 0D413B21B1DA8A0FE7AAB77C58255793BD2DF8A614B0900FBD04DC31EBDD1CAC428341
                                    Function 00007FFD9B893EA0 Relevance: .2, Instructions: 151COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b3339295e3fb0b840d0e52f5872ef83fef2448269182e5a0b6a0778d420fd912
                                    • Instruction ID: 153f9694635c7be8b34f25d4cd2928503a36d6040a035e61187cfb05b623c928
                                    • Opcode Fuzzy Hash: b3339295e3fb0b840d0e52f5872ef83fef2448269182e5a0b6a0778d420fd912
                                    • Instruction Fuzzy Hash: 19412730A0EBC64FE76AA37848256957FA1EF47354F1802A9E099C76D7CE6C1803C352
                                    Function 00007FFD9B890700 Relevance: .1, Instructions: 143COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 024710844ee4cbe3ca76758a1569d7ff8c6cc5e08feb635a0fa6ff2946282e92
                                    • Instruction ID: 3b74c34896618c5c0ffee1fd2714df8f16e8900598f0bceda0ab026e98ec4377
                                    • Opcode Fuzzy Hash: 024710844ee4cbe3ca76758a1569d7ff8c6cc5e08feb635a0fa6ff2946282e92
                                    • Instruction Fuzzy Hash: D4416E30B1981D9FEFA8FB68D869ABC77E1FF98304F514479E01ED3295DE28A9418740
                                    Function 00007FFD9B890730 Relevance: .1, Instructions: 140COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a6adf9da195c5fe61f1a89c64461ffc10db02a04e0aae2d282001a0816e43f4e
                                    • Instruction ID: a1738825d8260c622ffc397d0e90cc645bf7bfb8b6f2dd1a7584c24380cbd919
                                    • Opcode Fuzzy Hash: a6adf9da195c5fe61f1a89c64461ffc10db02a04e0aae2d282001a0816e43f4e
                                    • Instruction Fuzzy Hash: 7D41BF70A09A1CCFDFA8EF58C499AA97BE0FB18305F10416EE04AC36A1CB75A841CB41
                                    Function 00007FFD9B890A69 Relevance: .1, Instructions: 124COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f9145726fcb5faa349b02ed6b2e219fd941205bf54cc345f3246122c9f0ef7cd
                                    • Instruction ID: 1d0d30558534a1c64cd9a8fdf9b2789b21eaa73f01cbb53a4b1715dd23b632e2
                                    • Opcode Fuzzy Hash: f9145726fcb5faa349b02ed6b2e219fd941205bf54cc345f3246122c9f0ef7cd
                                    • Instruction Fuzzy Hash: 4831B351B19A5A4FEB99BBAC5C697BC7AD1EF98601F0402B7E01CC31D7DD2869424381
                                    Function 00007FFD9B890925 Relevance: .1, Instructions: 115COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cde389320c9d783444e9402cb5a6d31ed3146857d9f150a3e95cfc96db9b4f3f
                                    • Instruction ID: 5f35a92977aef92e83d1dc62651f99af6f53f3f81af0eba8b7183c812cb6b184
                                    • Opcode Fuzzy Hash: cde389320c9d783444e9402cb5a6d31ed3146857d9f150a3e95cfc96db9b4f3f
                                    • Instruction Fuzzy Hash: C4315230B18A0E8FDB48FBA89865AFD77A1FF98304F514179D059D32DADE38A8428741
                                    Function 00007FFD9B890A80 Relevance: .1, Instructions: 114COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3ae21cb30df8b60d7c80a87e281715a8d5b78d124b47e2d8b34306416aa95266
                                    • Instruction ID: df548a3b73fb6ecc4fce8f200a664ae5b077061298369a8674259a1fbc3c5b4b
                                    • Opcode Fuzzy Hash: 3ae21cb30df8b60d7c80a87e281715a8d5b78d124b47e2d8b34306416aa95266
                                    • Instruction Fuzzy Hash: B431C451B2491A4BEB98BBEC5C697BC66D2FF9C701F04017BE01DC32DAED286C424381
                                    Function 00007FFD9B891565 Relevance: .1, Instructions: 107COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8afc3236b38524536618a49fd06b8cf035dd431394c20a595cb0cf1004ba91eb
                                    • Instruction ID: 1e03cc1787200931cb2b2614a4580d5e331bf0e628a32f97fce3da945fff23f6
                                    • Opcode Fuzzy Hash: 8afc3236b38524536618a49fd06b8cf035dd431394c20a595cb0cf1004ba91eb
                                    • Instruction Fuzzy Hash: 8A316421B189484FDB88FB2C986A67876D2EF98715F0545BEE04EC32D7DD689C418741
                                    Function 00007FFD9B89A715 Relevance: .1, Instructions: 102COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5930995d86ff3d2d8096ba616dd5f4811b7b8844d9a17dc05ab83e731096188f
                                    • Instruction ID: 9660b0d329677602ddc69a6521ba042df001a9833d72480ed1913aaa65e99a7b
                                    • Opcode Fuzzy Hash: 5930995d86ff3d2d8096ba616dd5f4811b7b8844d9a17dc05ab83e731096188f
                                    • Instruction Fuzzy Hash: 6331A13150C7488FDB19DBA8D84ABEABBF0EF56320F0482AFD089C7562D774A406CB51
                                    Function 00007FFD9B892021 Relevance: .1, Instructions: 93COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 35e99e50295db70823c3990a2d943293a0cb4175dc77f59cdc669d3f10efab42
                                    • Instruction ID: 949561a7ae445c3e85611720ba9d64b44e07a1afc679bc4d8114790f9c79666c
                                    • Opcode Fuzzy Hash: 35e99e50295db70823c3990a2d943293a0cb4175dc77f59cdc669d3f10efab42
                                    • Instruction Fuzzy Hash: 8A212C22A0FADD0FEB5A9B785C345A5BFB1EF4634074941FBD089C70E7DA186905C381
                                    Function 00007FFD9B8906E0 Relevance: .1, Instructions: 92COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4bbb30fca2fac2428ac9e014a3a5e38a57962e022300118c51a16dba107112ab
                                    • Instruction ID: dcaa52a20e3ff5c829666e2a1396fb272dd342728868569bc82209437a18b85e
                                    • Opcode Fuzzy Hash: 4bbb30fca2fac2428ac9e014a3a5e38a57962e022300118c51a16dba107112ab
                                    • Instruction Fuzzy Hash: D421F770B19E098FE7A8B72884687697AE2FF98314FA04179F05AC33D5DE385C428742
                                    Function 00007FFD9B89A631 Relevance: .1, Instructions: 84COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5592668b357c639be5e2e275dde1c9e9e31f93239be82c0eb02a088d442baf48
                                    • Instruction ID: 705b42242321370a6a5934f075582db4ca582d6136cc3a23d994bf9aebfa6673
                                    • Opcode Fuzzy Hash: 5592668b357c639be5e2e275dde1c9e9e31f93239be82c0eb02a088d442baf48
                                    • Instruction Fuzzy Hash: FF213025B5E68E1FEB569BA488256F53FD1EF8E304F0541B6D08DC3192CD2CD9468351
                                    Function 00007FFD9B89A521 Relevance: .1, Instructions: 76COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1982fc3c8890ad2b1cfddbffcb5104a6344a8decd0f3611a78325a81ea32c63a
                                    • Instruction ID: ff057dfc01625330a82a2e64b2968cb8ea1e3ff3fc5eefd1facfee83f160a427
                                    • Opcode Fuzzy Hash: 1982fc3c8890ad2b1cfddbffcb5104a6344a8decd0f3611a78325a81ea32c63a
                                    • Instruction Fuzzy Hash: A321D550B2C9598BEB5AB7E85826BB877D1FF58300F5501BAE05CC31D7DD28A9018382
                                    Function 00007FFD9B89A31D Relevance: .1, Instructions: 75COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6b4ff828e428fd58cd9f85bdf3cacb32329a7c49649dac1b74da062474bddbd0
                                    • Instruction ID: bb16d283b01c7b4150233f2be588f5015ae3f8fb2e61fb2c4f092bc9fe1b6d17
                                    • Opcode Fuzzy Hash: 6b4ff828e428fd58cd9f85bdf3cacb32329a7c49649dac1b74da062474bddbd0
                                    • Instruction Fuzzy Hash: 2D213631A0E64E8FE765EB6488655603FA0EF5A314B5A40FAC448CB1E3EA3CA4468701
                                    Function 00007FFD9B8996E0 Relevance: .1, Instructions: 63COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 61ad96244bf105297aa8923a0179810ee2976cedaf30671beaf8c14da7f7c3d7
                                    • Instruction ID: 4bf2a4fd5cf1417d3bd19f8f51e546d30d98d4498290be3fb4c5bfb5a56d11c9
                                    • Opcode Fuzzy Hash: 61ad96244bf105297aa8923a0179810ee2976cedaf30671beaf8c14da7f7c3d7
                                    • Instruction Fuzzy Hash: F4112931F0D95D4FEBA2F76C58255AD7BA0EF89310B0902B7D008C3292DE1869424792
                                    Function 00007FFD9B891AD8 Relevance: .1, Instructions: 51COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7e83b0657bb11081cd774cf263418c7a998eb63a5f6dcbca22b57954d32b76c6
                                    • Instruction ID: 6bb7a5225de3c295e68ec1a3ae440f1b8f88a45b5b41b362df4e9ffcf0652ae7
                                    • Opcode Fuzzy Hash: 7e83b0657bb11081cd774cf263418c7a998eb63a5f6dcbca22b57954d32b76c6
                                    • Instruction Fuzzy Hash: 3901DE22F0991D4FDF44FBA848291FE7BE0EF58301F00017BE119D219ADE389A048381
                                    Function 00007FFD9B891AF0 Relevance: .0, Instructions: 45COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3c3091a1391d9ae1afc66e1dffd6437fb15c78c2f0e5ee213e732de50d8f33bc
                                    • Instruction ID: c745601339601ba8cd2a5272e21eb28de338c54189997da5341c01aefc9f7c50
                                    • Opcode Fuzzy Hash: 3c3091a1391d9ae1afc66e1dffd6437fb15c78c2f0e5ee213e732de50d8f33bc
                                    • Instruction Fuzzy Hash: C5F06931E0482D4ADB80ABA898195EE77F0EB58305F00016AE519D2299DE3459448781
                                    Function 00007FFD9B891661 Relevance: .0, Instructions: 43COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 36327407217485110dfd91aaff0cab231ed2c22a6f1f447c84458e3b51dae066
                                    • Instruction ID: 5de3c2f7657e244db0088088d83cb489147c878d0d800ec07c4f2ee52c4dcd51
                                    • Opcode Fuzzy Hash: 36327407217485110dfd91aaff0cab231ed2c22a6f1f447c84458e3b51dae066
                                    • Instruction Fuzzy Hash: 4D012614A0EB890FEB56B73C98790757FE19F96300B4900BAE4C9C70E7E908AA458382
                                    Function 00007FFD9B892429 Relevance: .0, Instructions: 41COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d4bbd8a1452cca7ad63e4b7ff338ba0910e76e4158c1957dc8be73f268084e32
                                    • Instruction ID: f998939b7bf1ed2894e40bc5e04c4156d0efc7b608b8477b2e9aaa6abaef94f0
                                    • Opcode Fuzzy Hash: d4bbd8a1452cca7ad63e4b7ff338ba0910e76e4158c1957dc8be73f268084e32
                                    • Instruction Fuzzy Hash: 1901A710F1E7894FFB696BB848752782F90DF9A304F5601FAD049C71E7DE5C59418342
                                    Function 00007FFD9B892121 Relevance: .0, Instructions: 41COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1a87ea898611807d98f5367e5ce351f3efd84ada6e42d0851708784492afe76b
                                    • Instruction ID: 0df06473e0c0315e2936eff27b019d94689a8c808a57623a911b91e8703e046c
                                    • Opcode Fuzzy Hash: 1a87ea898611807d98f5367e5ce351f3efd84ada6e42d0851708784492afe76b
                                    • Instruction Fuzzy Hash: 67F0E93189E2D91FDB2A5BB41C234E67F64DF06210F0642ABE45C8B4A3C51D636683A2
                                    Function 00007FFD9B8924A5 Relevance: .0, Instructions: 39COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8e30b1ffc71b4ed82ebc0b76413ccca426868b068ef1f708d120eb64dbf98587
                                    • Instruction ID: 8f069c21ca2e69b0404b070a1b37e2b6426f133f1e007b222d0b883001391749
                                    • Opcode Fuzzy Hash: 8e30b1ffc71b4ed82ebc0b76413ccca426868b068ef1f708d120eb64dbf98587
                                    • Instruction Fuzzy Hash: 7AF0A43091D64D5FDBB1DB64C8B9BEA7FB1EF49304F1000B6E009C6292CB395549C741
                                    Function 00007FFD9B899D40 Relevance: .0, Instructions: 30COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 509c54ac01381ba7d92ffd08178dbd550b98526f653d056760d79a4dc1beacae
                                    • Instruction ID: b5defae0e4e2f4a0db01569f1eba754fea52680f404a289f5c639da401894b26
                                    • Opcode Fuzzy Hash: 509c54ac01381ba7d92ffd08178dbd550b98526f653d056760d79a4dc1beacae
                                    • Instruction Fuzzy Hash: 46E06871A1990C4BEF20AB5CF864AD87FA4EF88318F00046AF01CC22A1C1215691C340
                                    Function 00007FFD9B892274 Relevance: .0, Instructions: 26COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3409164561.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: aed8536c8ad6a0fa01fb5c678654551c2f308d80539c098d9f77e2635ceb4b12
                                    • Instruction ID: 84588bbfe349605c60f4539db8131c0a6ba81408e59624a52bf7f73a536e3c52
                                    • Opcode Fuzzy Hash: aed8536c8ad6a0fa01fb5c678654551c2f308d80539c098d9f77e2635ceb4b12
                                    • Instruction Fuzzy Hash: F9D01201C5F2870AEB1B23F40DA65957F509A4B1A0B8A02D1D494CB0E7E89D559A5372

                                    Executed Functions

                                    Function 00007FFD9B890E49 Relevance: .5, Instructions: 490COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.1781758356.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c6af47bef1b02f250deefbbd7ebd1fac942eeb8a6e8b95b7afe5db2095061350
                                    • Instruction ID: e1e8f907dca209099fbecdd32fb7a5513b86d89e24b2e2b710a9a9266fdfcf52
                                    • Opcode Fuzzy Hash: c6af47bef1b02f250deefbbd7ebd1fac942eeb8a6e8b95b7afe5db2095061350
                                    • Instruction Fuzzy Hash: 72F1F861B199494FEB98F7789875BB9B7E2FF88300F4104B9E01EC32DBDD28A9418741
                                    Function 00007FFD9B890BCE Relevance: .3, Instructions: 266COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.1781758356.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2100ee3a7dd085d8809d2ba64564bc42fb17fd7509bf48a095dae5ee6eb8bdd5
                                    • Instruction ID: 13f2e0c5ea615fb169f8ea4d769fbd3d7569625affc0b3c0dc9839acefdb198c
                                    • Opcode Fuzzy Hash: 2100ee3a7dd085d8809d2ba64564bc42fb17fd7509bf48a095dae5ee6eb8bdd5
                                    • Instruction Fuzzy Hash: DC717C22F1D94E0FEB95A76C98656BD7FE1EF89664F0901BAD04DC31E7DC186C428381
                                    Function 00007FFD9B890A69 Relevance: .1, Instructions: 124COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.1781758356.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f9145726fcb5faa349b02ed6b2e219fd941205bf54cc345f3246122c9f0ef7cd
                                    • Instruction ID: 1d0d30558534a1c64cd9a8fdf9b2789b21eaa73f01cbb53a4b1715dd23b632e2
                                    • Opcode Fuzzy Hash: f9145726fcb5faa349b02ed6b2e219fd941205bf54cc345f3246122c9f0ef7cd
                                    • Instruction Fuzzy Hash: 4831B351B19A5A4FEB99BBAC5C697BC7AD1EF98601F0402B7E01CC31D7DD2869424381
                                    Function 00007FFD9B890925 Relevance: .1, Instructions: 115COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.1781758356.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fd4d2d5d7bb9b633f3975c4cf3bd78b63925f721d10ba6f6af91bd5172ed760c
                                    • Instruction ID: 0c9796e775c5ffd5fe4804d36d3560bf177d5460db589677b8b06cccf5852f8e
                                    • Opcode Fuzzy Hash: fd4d2d5d7bb9b633f3975c4cf3bd78b63925f721d10ba6f6af91bd5172ed760c
                                    • Instruction Fuzzy Hash: 3C317371B1894E8FDB48EBA89875AFDBBA1FF48300F510579D119D32D6DE38A8418741
                                    Function 00007FFD9B891565 Relevance: .1, Instructions: 107COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.1781758356.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ffe92c2ba44a948016f5b36ae03b5f8d1685053df4fc808cc709473cf483d0d7
                                    • Instruction ID: 37b8bbceb225d593727b71eeb8d05dac28d7f99d5608ef3d76724c3c68a65fb6
                                    • Opcode Fuzzy Hash: ffe92c2ba44a948016f5b36ae03b5f8d1685053df4fc808cc709473cf483d0d7
                                    • Instruction Fuzzy Hash: 0E317321B1C9484FEB88EB2C986A778B6D2EF9C715F0545BEE04EC32E7DD689C418741
                                    Function 00007FFD9B891661 Relevance: .0, Instructions: 43COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000003.00000002.1781758356.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_3_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 42140aa837522765444961e28ac544e3d871ec58ab43ca0fe5f9d2365f1d7452
                                    • Instruction ID: c01696e8a23b95fb4182cd746aa86eaf650e5380dd2b458ca8487aa73e9e0339
                                    • Opcode Fuzzy Hash: 42140aa837522765444961e28ac544e3d871ec58ab43ca0fe5f9d2365f1d7452
                                    • Instruction Fuzzy Hash: 59012655A0E7890FEB56A73C98790757FE19F96300B4904BEE4C9C70E3E904AA458382

                                    Executed Functions

                                    Function 00007FFD9B880E49 Relevance: .5, Instructions: 491COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1861351709.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_7ffd9b880000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6966ced3d797d175dd68573d82a85f561ecdb1b441639c7a3eae4a1b565a5b75
                                    • Instruction ID: 410af0689c800bd1501c016a868750c4cb5cafc549cd8b19d425207c1b0e31fe
                                    • Opcode Fuzzy Hash: 6966ced3d797d175dd68573d82a85f561ecdb1b441639c7a3eae4a1b565a5b75
                                    • Instruction Fuzzy Hash: E5F1B120B19E4E4FE798F7689865BB976D2EF9C300F5004B9E41EC32DBDE38A9418741
                                    Function 00007FFD9B880BCE Relevance: .3, Instructions: 266COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1861351709.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_7ffd9b880000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 369acead8f72679d2fb3bcc7cdcb437b8c17573a10263aaccde9fccce0cb2afe
                                    • Instruction ID: a7e20fa3b22c2598da7e86fb13062ef46ae1e072c1c32246868a396003fe9bd7
                                    • Opcode Fuzzy Hash: 369acead8f72679d2fb3bcc7cdcb437b8c17573a10263aaccde9fccce0cb2afe
                                    • Instruction Fuzzy Hash: C4715A21B1EE4E0FE7A5A76C98656BD7BE2EFC9610F0901BAD05DC31E7DC286C428351
                                    Function 00007FFD9B880A69 Relevance: .1, Instructions: 124COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1861351709.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_7ffd9b880000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5a9fb9f926b6c09fc1650274f439133a094b382c476ec0ad3b3de1d63faf7e09
                                    • Instruction ID: 707bab010c840d778fc66faf9f8d4bd4a282e2b303c2f22b80b7614c0a73fe91
                                    • Opcode Fuzzy Hash: 5a9fb9f926b6c09fc1650274f439133a094b382c476ec0ad3b3de1d63faf7e09
                                    • Instruction Fuzzy Hash: 9931D311B19D4A4FEB99BBBC5C297BC66D1EF98611F0402B7E01DC32D6DD286D424381
                                    Function 00007FFD9B880925 Relevance: .1, Instructions: 115COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1861351709.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_7ffd9b880000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: faf6e4e05bfcc63b44155da8cb6aa741fee321e4b7fd53f505e99276dcf72541
                                    • Instruction ID: cb0b9c863883a40c128d687bf3d1f38ce0e0d0459de422a02243d84286ff3e7a
                                    • Opcode Fuzzy Hash: faf6e4e05bfcc63b44155da8cb6aa741fee321e4b7fd53f505e99276dcf72541
                                    • Instruction Fuzzy Hash: 3A31A474B18A0E8FDB48EBA89865AFE7BB1FF88300F410579D419D32D6DE38A841C751
                                    Function 00007FFD9B881565 Relevance: .1, Instructions: 107COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1861351709.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_7ffd9b880000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d819076ccdd41b071905941ba67090cfed61f31b4ef544b2f023e01c3cde7330
                                    • Instruction ID: b46904e17b6f9c56852c3567e116c5618d1db293e3e6787993287b0986ca1000
                                    • Opcode Fuzzy Hash: d819076ccdd41b071905941ba67090cfed61f31b4ef544b2f023e01c3cde7330
                                    • Instruction Fuzzy Hash: 8A31A421B189484FE788EB2C986A778B6C2EF9C705F0545BEE05EC32E7DD689C418741
                                    Function 00007FFD9B881661 Relevance: .0, Instructions: 43COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.1861351709.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_7ffd9b880000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 20a4ac301d613b101164e35b0195ca52aad9d32710e83a1bee31aafc8cb7e2af
                                    • Instruction ID: 7ee840ad9d78f6fffd86376d6d0016792147d1a81f9cea0527ef939c82405ed6
                                    • Opcode Fuzzy Hash: 20a4ac301d613b101164e35b0195ca52aad9d32710e83a1bee31aafc8cb7e2af
                                    • Instruction Fuzzy Hash: BF012654A0EB890FE355E73C58750757FE29F9A300B0904BAE4D9C70E3ED24AA458342

                                    Executed Functions

                                    Function 00007FFD9B8A0E49 Relevance: .5, Instructions: 497COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1942154438.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7ffd9b8a0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 23a9679f575e596add0e94896f712eb0bfaf2134475270c4f1ecba94c97eb4df
                                    • Instruction ID: cd280895e0b496d799929efff90baa35dea15c896312ef54c64f2828d87cc831
                                    • Opcode Fuzzy Hash: 23a9679f575e596add0e94896f712eb0bfaf2134475270c4f1ecba94c97eb4df
                                    • Instruction Fuzzy Hash: 59F1B160B1994A4FE798FB7C9875BB977D2EF98300F5404BDE01EC32DADD28A8418351
                                    Function 00007FFD9B8A0BCE Relevance: .3, Instructions: 266COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1942154438.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7ffd9b8a0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6545720a381f977e7058663e7fe92c81116e89549b225b7be85fa985a3ee6f5a
                                    • Instruction ID: f3752a24623395918061ac20ff6144886aec485f9e7e071e6f771f3db563f428
                                    • Opcode Fuzzy Hash: 6545720a381f977e7058663e7fe92c81116e89549b225b7be85fa985a3ee6f5a
                                    • Instruction Fuzzy Hash: 67714B22F1EA4E4FE795A76C98255BD7BE2EF89750F0902BAD04DC31E7DC286C428351
                                    Function 00007FFD9B8A0A69 Relevance: .1, Instructions: 124COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1942154438.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7ffd9b8a0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 783146fb124c8c532a435610230db7ccf3e0d3e8e8de9721b9318b9be4caa9da
                                    • Instruction ID: aed2df57be0d99619a4911162f18131146ff1c8139f661fb291e200e872e3102
                                    • Opcode Fuzzy Hash: 783146fb124c8c532a435610230db7ccf3e0d3e8e8de9721b9318b9be4caa9da
                                    • Instruction Fuzzy Hash: 1631D311B1994A4FEB99BBAC5C297BC77D1EF98701F0402B7E01DC31D6DD1869024391
                                    Function 00007FFD9B8A0925 Relevance: .1, Instructions: 115COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1942154438.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7ffd9b8a0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e30356fc6b9eed2945ad74824e8c49c50066284a5cdb301a9f514df428c6fa45
                                    • Instruction ID: d81bac21abf0f64f3750823b15e067ef0812f1d96a6d4285a8bea11adceccec5
                                    • Opcode Fuzzy Hash: e30356fc6b9eed2945ad74824e8c49c50066284a5cdb301a9f514df428c6fa45
                                    • Instruction Fuzzy Hash: 20316D70B18A0E8FDB48EBB89865AFDB7E1FF88300F500579D019D32D6DE38A9428751
                                    Function 00007FFD9B8A1565 Relevance: .1, Instructions: 107COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1942154438.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7ffd9b8a0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3879d16d2bb8545597372df9126cb7e8443d5d5ef6158c36d1f1ed92ae2a0a84
                                    • Instruction ID: af065a9375162306da83ad1ae60ecf9a371db23ed72f1e8ae98a78c01a1552ab
                                    • Opcode Fuzzy Hash: 3879d16d2bb8545597372df9126cb7e8443d5d5ef6158c36d1f1ed92ae2a0a84
                                    • Instruction Fuzzy Hash: 0831A421B1C9484FD788EB2C986A778B6C2EF9D705F0545BEE04EC32E7DD689C418741
                                    Function 00007FFD9B8A1661 Relevance: .0, Instructions: 43COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.1942154438.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7ffd9b8a0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 358e227e8d3ae99462ad8c2b64f3c0d05a5faa650c1f1f5f59f0778a4f5beadd
                                    • Instruction ID: 1f429f59a0a45e14c695007b78ffd5324f06aacf202dfee89eb2ecdc06145b9e
                                    • Opcode Fuzzy Hash: 358e227e8d3ae99462ad8c2b64f3c0d05a5faa650c1f1f5f59f0778a4f5beadd
                                    • Instruction Fuzzy Hash: 0F012654A0EB890FE355B73C58754757FE19F9A740B0904BEE4C8CB0E7E904AA45C352

                                    Executed Functions

                                    Function 00007FFD9B880E49 Relevance: .5, Instructions: 490COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.2260732530.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffd9b880000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d93038de3f4771cc315ded2595ca427ef3c91b40bee7081a4d116224c8d38f4e
                                    • Instruction ID: 00080665e31bbc84066782f396538d3d2519834bc869a2fe74a5d536f4cb8552
                                    • Opcode Fuzzy Hash: d93038de3f4771cc315ded2595ca427ef3c91b40bee7081a4d116224c8d38f4e
                                    • Instruction Fuzzy Hash: 0BF1C460B19D4A4FEB98F7689865BB973D2EF9C310F5504B9E01EC32DBDE38A9418341
                                    Function 00007FFD9B880BCE Relevance: .3, Instructions: 266COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.2260732530.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffd9b880000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 59d37b578ee43cea61ae0b2c8e93d6b9f42c6640d62368439f89571df71d7db1
                                    • Instruction ID: 4255b984c85b1468887fec39518d2e3ec3a6c5295a6cfb4ea6166cd1a19151c9
                                    • Opcode Fuzzy Hash: 59d37b578ee43cea61ae0b2c8e93d6b9f42c6640d62368439f89571df71d7db1
                                    • Instruction Fuzzy Hash: 4A714821B1ED4E0FE7A5AB6C98656B97BE2EF89610F0901BAD05DC31E7DC286C428351
                                    Function 00007FFD9B880A69 Relevance: .1, Instructions: 124COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.2260732530.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffd9b880000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5a9fb9f926b6c09fc1650274f439133a094b382c476ec0ad3b3de1d63faf7e09
                                    • Instruction ID: 707bab010c840d778fc66faf9f8d4bd4a282e2b303c2f22b80b7614c0a73fe91
                                    • Opcode Fuzzy Hash: 5a9fb9f926b6c09fc1650274f439133a094b382c476ec0ad3b3de1d63faf7e09
                                    • Instruction Fuzzy Hash: 9931D311B19D4A4FEB99BBBC5C297BC66D1EF98611F0402B7E01DC32D6DD286D424381
                                    Function 00007FFD9B880925 Relevance: .1, Instructions: 115COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.2260732530.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffd9b880000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e67ccc670761f4e42bc7315a8152d14892788f80e3ca0e7480656eb1b671d3f7
                                    • Instruction ID: d0cf6902b99228a85c1eeb829b09bbbbf20b30ecabd01c205829f73a7916556b
                                    • Opcode Fuzzy Hash: e67ccc670761f4e42bc7315a8152d14892788f80e3ca0e7480656eb1b671d3f7
                                    • Instruction Fuzzy Hash: 5C319174B18A0E8FDB48EBA89865AFD77A1FF88300F810579D01DD32D6DE38A941C751
                                    Function 00007FFD9B881565 Relevance: .1, Instructions: 107COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.2260732530.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffd9b880000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5bc3de3518b6e4f428b067d0b7497a89ef8c05ff3f849dcc7970bcc1c5959be9
                                    • Instruction ID: fb24fff0eb3cadb0659686983fa27aef74db51f051d5a7f5174c94e8b2ffffe5
                                    • Opcode Fuzzy Hash: 5bc3de3518b6e4f428b067d0b7497a89ef8c05ff3f849dcc7970bcc1c5959be9
                                    • Instruction Fuzzy Hash: F831A421B189484FD788EB2C986A778B6C2EF9C705F0545BEE05EC32E7DD689C418741
                                    Function 00007FFD9B881661 Relevance: .0, Instructions: 43COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.2260732530.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffd9b880000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 246dc0f9d790b03ce8ff6aa7d5e0c18a80596e39f15561eb26ff0c02ab93db31
                                    • Instruction ID: 9f38a9449c59dac81abc2d130fdbf6cf62f9a0c97559c66571931529c3564c45
                                    • Opcode Fuzzy Hash: 246dc0f9d790b03ce8ff6aa7d5e0c18a80596e39f15561eb26ff0c02ab93db31
                                    • Instruction Fuzzy Hash: 2C012654A0EB890FE355E73C58750757FE29F9A300B4904BEE4D9C70E3ED24AA458342

                                    Executed Functions

                                    Function 00007FFD9B890E49 Relevance: .5, Instructions: 497COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3215767455.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ec269d7083c7760cb2877966cf843f0af6382fc2d7c81d55895aa9eee2c967ee
                                    • Instruction ID: 31b0b223a62186cfe702a8523a535cca6d531d7e970bb06bd62b5398ac2a5861
                                    • Opcode Fuzzy Hash: ec269d7083c7760cb2877966cf843f0af6382fc2d7c81d55895aa9eee2c967ee
                                    • Instruction Fuzzy Hash: 15F1E361B199494FEB98F7689875BBD77E2EF98300F5504B9E00EC32DBDD28AD428341
                                    Function 00007FFD9B890BCE Relevance: .3, Instructions: 266COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3215767455.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 56a608e40bb0fcf0a1d066fa26c123e0833126fff18600bbb16c2d7f15d253de
                                    • Instruction ID: a67d5f957863ad8dadd40338d3847654dffb226a3e7cccff597f7e51d13c3d2f
                                    • Opcode Fuzzy Hash: 56a608e40bb0fcf0a1d066fa26c123e0833126fff18600bbb16c2d7f15d253de
                                    • Instruction Fuzzy Hash: 12717C22B1DA4E0FEB95A76C98756BD7FE1EF89664F0901BAD04DC31E7DC186C428381
                                    Function 00007FFD9B890A69 Relevance: .1, Instructions: 124COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3215767455.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f9145726fcb5faa349b02ed6b2e219fd941205bf54cc345f3246122c9f0ef7cd
                                    • Instruction ID: 1d0d30558534a1c64cd9a8fdf9b2789b21eaa73f01cbb53a4b1715dd23b632e2
                                    • Opcode Fuzzy Hash: f9145726fcb5faa349b02ed6b2e219fd941205bf54cc345f3246122c9f0ef7cd
                                    • Instruction Fuzzy Hash: 4831B351B19A5A4FEB99BBAC5C697BC7AD1EF98601F0402B7E01CC31D7DD2869424381
                                    Function 00007FFD9B890925 Relevance: .1, Instructions: 115COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3215767455.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 966417b0813b3a366dcb4c188331f5be2c33dfb7470197bcf3c071f4766148d4
                                    • Instruction ID: f730cb6da35b85185151487d98c2436feb6030e2cfce0a8d914ac2270b8faff0
                                    • Opcode Fuzzy Hash: 966417b0813b3a366dcb4c188331f5be2c33dfb7470197bcf3c071f4766148d4
                                    • Instruction Fuzzy Hash: 7E317070B18A4E8FDF48EBA89875AFD7BA1FF98300F550579D019D32D6DE38A8428741
                                    Function 00007FFD9B891565 Relevance: .1, Instructions: 107COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3215767455.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f8296a69657e4f8a47baa8ccc3e9857233c09647aa2cac09cfd3a8cdc0805ea0
                                    • Instruction ID: af3f637746968447fc2fc21ffccfc6bedb05fa777f35aefce4bca9533e92d015
                                    • Opcode Fuzzy Hash: f8296a69657e4f8a47baa8ccc3e9857233c09647aa2cac09cfd3a8cdc0805ea0
                                    • Instruction Fuzzy Hash: BE317321B1C9484FEB88EB2C986A778B6D2EF9C715F0545BEE04EC32E7DD689C418741
                                    Function 00007FFD9B891661 Relevance: .0, Instructions: 43COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.3215767455.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_7ffd9b890000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4822bfcdf555309bba5f22552cc47c645b81b28808248a51b00b3a672bb3aeb3
                                    • Instruction ID: 402cacb29774b772a8c46f9d4e219b389612e526efc287b10f0d3eff20f05a79
                                    • Opcode Fuzzy Hash: 4822bfcdf555309bba5f22552cc47c645b81b28808248a51b00b3a672bb3aeb3
                                    • Instruction Fuzzy Hash: 31012655A0E7890FEB56A73C98750757FE29F96300B4904BEE4C9C70E3E904AA458382

                                    Executed Functions

                                    Function 00007FFD9BAB35AE Relevance: 4.3, Strings: 3, Instructions: 580COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: >$B$cAN_^
                                    • API String ID: 0-3918363738
                                    • Opcode ID: 73ea02e1d0771cecfad3688dd412cd54638fbb054a0443a2d36329197e9a4993
                                    • Instruction ID: 5b9c3d61c7a03852fba99079d2f35afb2efd9f02c723945f34afefdeb7e8802b
                                    • Opcode Fuzzy Hash: 73ea02e1d0771cecfad3688dd412cd54638fbb054a0443a2d36329197e9a4993
                                    • Instruction Fuzzy Hash: 90129070B18A194BEB58EF6888A6779B7E2FF9C315F04467DE01DC32D5CE74A8418B42
                                    Function 00007FFD9BAB2519 Relevance: 4.2, Strings: 2, Instructions: 1739COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: B$cAN_^
                                    • API String ID: 0-3129985804
                                    • Opcode ID: b3d3d63cbc424d0332dd4d73f7f8bd19fbd0e34272cb76935fa14cbb4b28bdc7
                                    • Instruction ID: fe1a52cd187d7c0105ab9e690d0c798f34933bf76e474dd997fc641cc917c262
                                    • Opcode Fuzzy Hash: b3d3d63cbc424d0332dd4d73f7f8bd19fbd0e34272cb76935fa14cbb4b28bdc7
                                    • Instruction Fuzzy Hash: E9D29170B18B198FEB58EF6888A9769B7E2FF9C315F104579E01DC3295DF34A8418B42
                                    Function 00007FFD9BAB83A6 Relevance: .5, Instructions: 472COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c078bfec78ffe66d2b02e178a5044289eb4b72aa49a982d2cf1625fa5994a8d7
                                    • Instruction ID: 07dc9bb331d27d4172ba8ff5de7103603eece8fefeeab6106a8259215c4ff4ee
                                    • Opcode Fuzzy Hash: c078bfec78ffe66d2b02e178a5044289eb4b72aa49a982d2cf1625fa5994a8d7
                                    • Instruction Fuzzy Hash: B7F1C430A09A8D8FEBA8DF2CC855BE937D1FF59310F04426EE85DC7295DB7499418B82
                                    Function 00007FFD9BAB9152 Relevance: .5, Instructions: 459COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f807153ebe4eeb972011f554af89c05910ac6bb81ac537260a430f8747fce050
                                    • Instruction ID: 424f1977e337c55e576b109b5315d26cdb7631eb0bde546d064e9bb01416c510
                                    • Opcode Fuzzy Hash: f807153ebe4eeb972011f554af89c05910ac6bb81ac537260a430f8747fce050
                                    • Instruction Fuzzy Hash: D7E1B330A09A8E8FEBA8DF28C8597F977D1FF54310F04426ED85DC72A5CA7499458B81
                                    Function 00007FFD9BAB0E49 Relevance: 1.8, Strings: 1, Instructions: 587COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: cAN_^
                                    • API String ID: 0-2037741601
                                    • Opcode ID: 54cc5fcef0ff6c12bffcd32aecf33fb53d040795b25d5d68f820324da99acde4
                                    • Instruction ID: a3e6c81c323fff557d98331441ec3e61610bee2cec6f821f4cedbbaea1b2d789
                                    • Opcode Fuzzy Hash: 54cc5fcef0ff6c12bffcd32aecf33fb53d040795b25d5d68f820324da99acde4
                                    • Instruction Fuzzy Hash: C702F831B19A1D4FDBA8FB688865AB977E1EF9C324F400679E01EC32D6CD28A9418741
                                    Function 00007FFD9BAB1E70 Relevance: 1.4, Strings: 1, Instructions: 159COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: %N_^
                                    • API String ID: 0-2103188914
                                    • Opcode ID: 3a46908fa38c6abd23dd8e86d6fa749b4142e34f6865da91fc753401f70296ce
                                    • Instruction ID: 0110770853abc6ad44253d0f204ee3ea5afb94e15f947d97781b3be1ac06ee41
                                    • Opcode Fuzzy Hash: 3a46908fa38c6abd23dd8e86d6fa749b4142e34f6865da91fc753401f70296ce
                                    • Instruction Fuzzy Hash: 4251F712F1FAD91EE726A7BC5C751947FA0DF62229B0A05F7D4A4CB1E3EC085909C352
                                    Function 00007FFD9BAB9A31 Relevance: 1.4, Strings: 1, Instructions: 102COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: d
                                    • API String ID: 0-2564639436
                                    • Opcode ID: d883ce803959c72467562b67a2df4839428d125eb9870e7474f7cc39e4fe5a9c
                                    • Instruction ID: 64c399f6802ab39520bb545e4913ee1cb17d56d95edec86df2afe48a03ba9663
                                    • Opcode Fuzzy Hash: d883ce803959c72467562b67a2df4839428d125eb9870e7474f7cc39e4fe5a9c
                                    • Instruction Fuzzy Hash: F4313431E0D66D4FEF60ABA488555FDBBB0EF49320F0502BBD42DD31E2DA39A6458781
                                    Function 00007FFD9BAB1E10 Relevance: 1.3, Strings: 1, Instructions: 77COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: d
                                    • API String ID: 0-2564639436
                                    • Opcode ID: 18e3caf0da5d8c236790186b107e12c30c10ffcf7773b4bddf23345462cfdcc0
                                    • Instruction ID: 53d61cd091b5320cb35710554f6f9925141a6e4d485bf28cc5da7903036f6aba
                                    • Opcode Fuzzy Hash: 18e3caf0da5d8c236790186b107e12c30c10ffcf7773b4bddf23345462cfdcc0
                                    • Instruction Fuzzy Hash: 6E210831E0852D4AEF20BBA888196FDB7B0EF45314F01013ED92DE21E1DA6966518B91
                                    Function 00007FFD9BAB22D9 Relevance: 1.3, Strings: 1, Instructions: 33COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: cAN_^
                                    • API String ID: 0-2037741601
                                    • Opcode ID: c8ada0083e1438d3a4aba83af4d51526dbe69426a4376347993188211dbdd5da
                                    • Instruction ID: f766aaa2ed85e384a4dae614777ece28be0fb8359394cae7587185db08aa1af5
                                    • Opcode Fuzzy Hash: c8ada0083e1438d3a4aba83af4d51526dbe69426a4376347993188211dbdd5da
                                    • Instruction Fuzzy Hash: ECF0C821F0D32A07E738E7F954316BD25526FC4730F954279E02DCA1EADE7CE9014A45
                                    Function 00007FFD9BAB8D66 Relevance: .3, Instructions: 327COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ba46b9b2f35f8763d670f112395a729672b5e463b7ea116afbc24dca91c7b26b
                                    • Instruction ID: 974e26d19880cb72bb5bac5de3de37a9971cc54eea7cdcf24ac0ecba1266bceb
                                    • Opcode Fuzzy Hash: ba46b9b2f35f8763d670f112395a729672b5e463b7ea116afbc24dca91c7b26b
                                    • Instruction Fuzzy Hash: 7DB1D630A09A8D8FDB68DF28C8557E93BD1FF59310F04426EE85DC7296CA749945CB82
                                    Function 00007FFD9BAB4841 Relevance: .3, Instructions: 300COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 201615b0ab9f8e2e4f9f13889485229a9210bb972693b6a635db369bb97522d4
                                    • Instruction ID: 1723c1c3d9f70041159de6bb417a0893d5e08a51c2ba5952d90f97bc6f0d7f74
                                    • Opcode Fuzzy Hash: 201615b0ab9f8e2e4f9f13889485229a9210bb972693b6a635db369bb97522d4
                                    • Instruction Fuzzy Hash: 0A91B720719A554BE748F76C8866BB5B3D2EFA8315F1406B9E01DC32FBCD68AC42C742
                                    Function 00007FFD9BAB0742 Relevance: .2, Instructions: 245COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eae76d89541a9a388d58a2e75bfe7549ea44d7e9f36908562e0d943bca02bdb3
                                    • Instruction ID: a53f6a3452799a4ed996230a6ef21171452091f16dcf349db3a7590481648fc0
                                    • Opcode Fuzzy Hash: eae76d89541a9a388d58a2e75bfe7549ea44d7e9f36908562e0d943bca02bdb3
                                    • Instruction Fuzzy Hash: 11711671F0A91D4FEBA4EBBCC865AE937E1EF58324F0501B6D06DC71A2DD24A842CB40
                                    Function 00007FFD9BAB0590 Relevance: .2, Instructions: 244COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b215a7df0469216acfeccf41675983f4b0518d5082cc8089e851f700a7d0c612
                                    • Instruction ID: cd8f802581983586a728f765046148d17f9e2a461b8e9d98857d4b9008d6dcf9
                                    • Opcode Fuzzy Hash: b215a7df0469216acfeccf41675983f4b0518d5082cc8089e851f700a7d0c612
                                    • Instruction Fuzzy Hash: 57616A32F1991E0FE7A4A76C98656FD77D1EF88364F05027AD01DC32E6DD646C428784
                                    Function 00007FFD9BAB05D3 Relevance: .2, Instructions: 242COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2d8d86e5b1457c3861a7b790e70ea0f1574ce1cf7340398b290159465a05cad1
                                    • Instruction ID: 8db8ecdb03d815b4d50efe9b1221b2d850cb11136b704484fcd21fe93b8d8366
                                    • Opcode Fuzzy Hash: 2d8d86e5b1457c3861a7b790e70ea0f1574ce1cf7340398b290159465a05cad1
                                    • Instruction Fuzzy Hash: 10616B12F0D9A90FE378AB7D583A5B977C1EF95321B0901BBD09DC21E7CD58A8028345
                                    Function 00007FFD9BAB456A Relevance: .2, Instructions: 236COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0189f6c2d15d75a89d807deb16a0cf5e090ae6503001c7eef449e8ac4c3981ba
                                    • Instruction ID: 67597804d38ad1023f84b916992c29550897308368fe7d5acde115224799e370
                                    • Opcode Fuzzy Hash: 0189f6c2d15d75a89d807deb16a0cf5e090ae6503001c7eef449e8ac4c3981ba
                                    • Instruction Fuzzy Hash: CE617C71B09E1D0FDBA8EB6844656B977D1EF98364F04027DE01EC32D6DE38A802CB81
                                    Function 00007FFD9BAB0540 Relevance: .2, Instructions: 228COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 81170e189f99be6f5b6babbd661f3d3846ca618cebf9fde7378f78f3b7c9609d
                                    • Instruction ID: 83ceddfbd9e8d2884331085e4f1f50f4562ba2f8ed992f5a2f6c4897ecf79c09
                                    • Opcode Fuzzy Hash: 81170e189f99be6f5b6babbd661f3d3846ca618cebf9fde7378f78f3b7c9609d
                                    • Instruction Fuzzy Hash: 8B618931A0E69D4FD769DBA88821AB57FE0EF56324F0441BBD05DC71E3DA686406CB40
                                    Function 00007FFD9BAB9B09 Relevance: .2, Instructions: 224COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d7cf994311bc177fe89a448cc94b1b7ada132309f3a06e186af82dc63df6d1fd
                                    • Instruction ID: 344838c5111afdc040667841ccfa253fdd79241a95685eb868bcfa316e27438f
                                    • Opcode Fuzzy Hash: d7cf994311bc177fe89a448cc94b1b7ada132309f3a06e186af82dc63df6d1fd
                                    • Instruction Fuzzy Hash: B761B230A18A1C8FDB58EF58D855BEDBBF1FF98311F10426AD01DD3296CA74A942CB81
                                    Function 00007FFD9BAB3B13 Relevance: .2, Instructions: 219COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: db0f3771a7f35b735d30cd71900ddf7b73440d065e8b8e94016f5ca2d71373b2
                                    • Instruction ID: ae6389840af466592c3a3c83e0d893edbc0676fc9255899870d3ea235c083eef
                                    • Opcode Fuzzy Hash: db0f3771a7f35b735d30cd71900ddf7b73440d065e8b8e94016f5ca2d71373b2
                                    • Instruction Fuzzy Hash: F881556194E3C68FD7538BB48C705917FF0AF13224B0E45EBC494CB1E3E658595ACB62
                                    Function 00007FFD9BAB6D35 Relevance: .2, Instructions: 217COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 14e627d4942821694fbe667856de3bbd6f5f4a900e5f64c2496444113c117fa9
                                    • Instruction ID: 1040fd7929f7c0cb381d071ed5c732508cb4cd182338f6552850afe232bf4e6b
                                    • Opcode Fuzzy Hash: 14e627d4942821694fbe667856de3bbd6f5f4a900e5f64c2496444113c117fa9
                                    • Instruction Fuzzy Hash: 2661C331A18A1D8FEB68DBA8C855BADB7F1FF58310F10426AD01DD7292CE74A841CB81
                                    Function 00007FFD9BAB9CD6 Relevance: .2, Instructions: 215COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a704c4b43d9ed135c0a0e60763de5bd1ee4bebca0fd34bd22cd8611369cfcb6b
                                    • Instruction ID: 3e5e605f9d839005965c2127452feeb386a15afbc25b0f28e8cce5241055e42a
                                    • Opcode Fuzzy Hash: a704c4b43d9ed135c0a0e60763de5bd1ee4bebca0fd34bd22cd8611369cfcb6b
                                    • Instruction Fuzzy Hash: D2611830F1DA5D8FEB58EB68C865AB877E1EF46314F0501B9E019C32E2DE646942CB41
                                    Function 00007FFD9BAB588C Relevance: .2, Instructions: 196COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 50d64dbcfee87b546ab946f6fa9af1632a87e1cf01dfc61112a5ab7d271319c7
                                    • Instruction ID: 701a1dcb5fe49802fa434e7c422d2a7a079b49a4871e3fa0da61054877881ebd
                                    • Opcode Fuzzy Hash: 50d64dbcfee87b546ab946f6fa9af1632a87e1cf01dfc61112a5ab7d271319c7
                                    • Instruction Fuzzy Hash: 85519331D08A1C8FDB68DB58D855BE9BBF1FF59310F0482AAD04DD3292DE74A9848F81
                                    Function 00007FFD9BAB9FBD Relevance: .2, Instructions: 191COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c97050e90de79c97aed1380e03e85ed34f1559ec18f26fd50a474ba8faf24614
                                    • Instruction ID: 09cfc894cbd310d7003372baea6834fd068b87edd1f0f41d2edd134592739755
                                    • Opcode Fuzzy Hash: c97050e90de79c97aed1380e03e85ed34f1559ec18f26fd50a474ba8faf24614
                                    • Instruction Fuzzy Hash: 82511830B1D55C5FDB95EB78C869AF97BE1EF48321F0501BAE01DC72A2CD29A842C741
                                    Function 00007FFD9BAB0708 Relevance: .2, Instructions: 174COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1828f2c76c83945677623517ed460cdac9a4ce9d2124081ed7009b98d8cfd4c8
                                    • Instruction ID: 6759c7d16e8e66e9d4663441d061d218b11f7fe4f8e256d5259f05756e6afc4b
                                    • Opcode Fuzzy Hash: 1828f2c76c83945677623517ed460cdac9a4ce9d2124081ed7009b98d8cfd4c8
                                    • Instruction Fuzzy Hash: 6D518230F2991D8FEB98EB69C8A5ABD73E1FF48314F414579E01DD32A5CE34A9418B41
                                    Function 00007FFD9BABA010 Relevance: .2, Instructions: 155COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6861c45b6899d679649912eabed0dfa96026f7cb9730a8abd6f5a5c74c019b89
                                    • Instruction ID: b7303a28d722a3db3f894d94dc3880277c52ce9a8902eaa8baef283319a30e04
                                    • Opcode Fuzzy Hash: 6861c45b6899d679649912eabed0dfa96026f7cb9730a8abd6f5a5c74c019b89
                                    • Instruction Fuzzy Hash: 4D41A431B1991C4FDB98EB68C459AB977E2EF9C321F450179E01ED32A6CE35AC418B40
                                    Function 00007FFD9BAB0BCE Relevance: .2, Instructions: 155COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 059f6f3ec19a0b8ac2b3734da4965abb91838498e5baf4828483eb082b67906d
                                    • Instruction ID: 59cb86b73e3b6b8de9fcc4e4e5b2d3ef845793385c9b3d95cf48360e6776a3e1
                                    • Opcode Fuzzy Hash: 059f6f3ec19a0b8ac2b3734da4965abb91838498e5baf4828483eb082b67906d
                                    • Instruction Fuzzy Hash: 8C417D21B0DA990FE7A5A77C48255753BD2DF96224B0D01FBE45DC72EBDD58AC038341
                                    Function 00007FFD9BAB3E20 Relevance: .2, Instructions: 152COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 549c0592e27e62a7e2806ef3dc9f0a384af745f347483a51859d9fcb41f86fcc
                                    • Instruction ID: c28357d0e687723bb2be0a0aadded079f1a4c0f3fe660372e00756778535cb81
                                    • Opcode Fuzzy Hash: 549c0592e27e62a7e2806ef3dc9f0a384af745f347483a51859d9fcb41f86fcc
                                    • Instruction Fuzzy Hash: FF419170A09A5D8FDF68EF68D455AA97BE0FF59311F00016FE05AC36A2CB75A842CB41
                                    Function 00007FFD9BAB9D6A Relevance: .1, Instructions: 143COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4d32c8d8f82f8fdc7ec4ae419b85fecdf3535e39e406568ceaed938410f28287
                                    • Instruction ID: 39946b894b689e4b70b2ec02059deea7e3b2b488428813e91c40d61b4a7039ac
                                    • Opcode Fuzzy Hash: 4d32c8d8f82f8fdc7ec4ae419b85fecdf3535e39e406568ceaed938410f28287
                                    • Instruction Fuzzy Hash: 27417F30B1992D8FEBA8EB68C4A5ABC73E1FF58314F414579E019D32A5DE74AD418B40
                                    Function 00007FFD9BAB0730 Relevance: .1, Instructions: 140COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ea20ce764546140bc6b67b9e6a735056ddf1193f8b609eda59557d4b2d4a0067
                                    • Instruction ID: 3c9e65ccc3288c694c3281144e3af8c2f65727b3160b23168d23dc1db3198a1d
                                    • Opcode Fuzzy Hash: ea20ce764546140bc6b67b9e6a735056ddf1193f8b609eda59557d4b2d4a0067
                                    • Instruction Fuzzy Hash: 5D418070A09A1D8FDFA8EF58C459BA977E0FB58311F00417EE00AD36A1CB71A842CB41
                                    Function 00007FFD9BAB0A69 Relevance: .1, Instructions: 124COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2d7ade1ac91f84d24293b32e8aa40b6ad166c4158049dda61bfa652dfc8a4ccd
                                    • Instruction ID: cebd212e730e9da5c2ed837feb5bfd816962479f2d73df4a5d4c1ac0aef0c6cd
                                    • Opcode Fuzzy Hash: 2d7ade1ac91f84d24293b32e8aa40b6ad166c4158049dda61bfa652dfc8a4ccd
                                    • Instruction Fuzzy Hash: D131E511B19A5A0FE794BBAC4C297BCB6D1EFA8715F0502BAF01CC31E6DD6869018781
                                    Function 00007FFD9BAB4465 Relevance: .1, Instructions: 116COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 93a1e3ef7d3c67ca57b61caf3efcb24d4fe98928e050d36a1499ed5bdf40ee00
                                    • Instruction ID: 29b444753a4e12e25d3326110cbc8ab7807b5c7cbbc6936e21dda410d3057285
                                    • Opcode Fuzzy Hash: 93a1e3ef7d3c67ca57b61caf3efcb24d4fe98928e050d36a1499ed5bdf40ee00
                                    • Instruction Fuzzy Hash: 2B11E952E1EBC90FE76A972C08396A52FA4EF96310F4502FFE099CB2E3DD581C018752
                                    Function 00007FFD9BAB2021 Relevance: .1, Instructions: 115COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5120e57860fe8326acbbb6fe2cd8deb2208c5d9d6ea846c01d1dcb25863f3475
                                    • Instruction ID: 74179b53f18af92d9f50ea4a414a1b6112fcca7c51972f0ba40f69f9d3d1c172
                                    • Opcode Fuzzy Hash: 5120e57860fe8326acbbb6fe2cd8deb2208c5d9d6ea846c01d1dcb25863f3475
                                    • Instruction Fuzzy Hash: D2313E32A0EA9D0FD7259B7458205E57FB0FF86354F4402FBE099C70DBDA196905C791
                                    Function 00007FFD9BAB0925 Relevance: .1, Instructions: 115COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eea70c39813a1f62f4f800691ab512030a9755dc5945c4202fae6b78895d107d
                                    • Instruction ID: 0b9b6a18f57e76f5d05301fdb630a218bdd9791dc8d04a1afcd79153c64410e7
                                    • Opcode Fuzzy Hash: eea70c39813a1f62f4f800691ab512030a9755dc5945c4202fae6b78895d107d
                                    • Instruction Fuzzy Hash: 6731A631B18A1E4FDB58EBA8C865AEE77A1FF5C314F410679E019D72D6CE38A841CB40
                                    Function 00007FFD9BAB0A80 Relevance: .1, Instructions: 114COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2b99bc4b713e477f5f68c2abea37e7049e354865930e5d2c7d0179c406aae66c
                                    • Instruction ID: 376b44e1586ad1deb54809d18bc4f6dfa53bf7b7528d73564b446e55e3efd672
                                    • Opcode Fuzzy Hash: 2b99bc4b713e477f5f68c2abea37e7049e354865930e5d2c7d0179c406aae66c
                                    • Instruction Fuzzy Hash: EF31E911B1491D0BEB98BBAC4C297BC72D2EFAC716F04027AF01DC32D6DD686C018781
                                    Function 00007FFD9BAB1565 Relevance: .1, Instructions: 107COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c4ae80a426b501f19c62adab608c3ec45facb27b26075d3dd88589c27e231f9e
                                    • Instruction ID: 1fcdd3caee269b20118ef6d4a04b52aa743fd67a6b4c2dc347a4e7cc6db7b178
                                    • Opcode Fuzzy Hash: c4ae80a426b501f19c62adab608c3ec45facb27b26075d3dd88589c27e231f9e
                                    • Instruction Fuzzy Hash: 6A314321B28A490FD788EB6C946A779B2C2EF9C315F0505BEB05EC73D7DD649C418741
                                    Function 00007FFD9BABA715 Relevance: .1, Instructions: 105COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5366882ad23bb2b642de1bdc51d614994831e8502ed8137025759efe63335b3e
                                    • Instruction ID: 446618887b9487dd1f05458b086e568437bcefec3989db7f2044cdc06937db02
                                    • Opcode Fuzzy Hash: 5366882ad23bb2b642de1bdc51d614994831e8502ed8137025759efe63335b3e
                                    • Instruction Fuzzy Hash: D031833150D7888FC755DBA8C855AEABFF0EF56320F0482AFD089C7563D764A80ACB51
                                    Function 00007FFD9BABA521 Relevance: .1, Instructions: 96COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 60eb013abb30e6f8ea4e7bf281c2629de37979d8bdcd85ddd8a1b4e48504e8fc
                                    • Instruction ID: 3c68eecabced21cfc0376e8dd00dd3aab9804aec11f12aaf11e206f2122a9adc
                                    • Opcode Fuzzy Hash: 60eb013abb30e6f8ea4e7bf281c2629de37979d8bdcd85ddd8a1b4e48504e8fc
                                    • Instruction Fuzzy Hash: B121F620B1DA5D4BEB58F7A89822BA977D1FF58324F4002B9F02CC71D7DD28A9518782
                                    Function 00007FFD9BABA631 Relevance: .1, Instructions: 86COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7abe4607c864e0c0a5dc27f677b2fd1beb0a379dc46e23a6a7a001e1d92b67a5
                                    • Instruction ID: 9fd69619c3c49fd4414db56caa1f1f7a2bc9a69d700753e41da394ce195daa16
                                    • Opcode Fuzzy Hash: 7abe4607c864e0c0a5dc27f677b2fd1beb0a379dc46e23a6a7a001e1d92b67a5
                                    • Instruction Fuzzy Hash: 8B216D30B4E69E0FD7559BA888316F577D1EF9A210F0542BAE099C71A2CD6C9D078741
                                    Function 00007FFD9BABA171 Relevance: .1, Instructions: 81COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c4d33e0a7711ad4eea604925cc454df1789bd71c66aeb6f1f84acbbe4514c84b
                                    • Instruction ID: bea47c14b8c797f31606ca98ae707aadf9134b9b62455d542ace421a05362ed6
                                    • Opcode Fuzzy Hash: c4d33e0a7711ad4eea604925cc454df1789bd71c66aeb6f1f84acbbe4514c84b
                                    • Instruction Fuzzy Hash: EC214531F0E91C0FDBA8DB68D4A56BCB3E1EF44250F00017ED41EC32A6CE7969018B82
                                    Function 00007FFD9BAB236D Relevance: .1, Instructions: 69COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 948245d5eeb7a04a63611922a509ed6fbecee2094ab16ba0a5651733bbc02e4d
                                    • Instruction ID: 8fb407e000bf3239ea3caf0be2dc901f9bbfb93fddaa60ad5a0a66836e8c9a73
                                    • Opcode Fuzzy Hash: 948245d5eeb7a04a63611922a509ed6fbecee2094ab16ba0a5651733bbc02e4d
                                    • Instruction Fuzzy Hash: 9D1104B1A0965C4FDB5CCF6894A96BA7FE1EF9D224F0542BFE409D32A2CBB415018B00
                                    Function 00007FFD9BAB98B0 Relevance: .1, Instructions: 64COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e64c4be3d7f23c21a7f30f3c013b9c38d019159a91b2ed75a471b3dcfd15c2c9
                                    • Instruction ID: eea26b995601ed683c4ce7269fddca5ae6a5c5958c18deb573480986c2716858
                                    • Opcode Fuzzy Hash: e64c4be3d7f23c21a7f30f3c013b9c38d019159a91b2ed75a471b3dcfd15c2c9
                                    • Instruction Fuzzy Hash: EC114822F0D96D0FEB65F7AC58265FD77A1EF99360F0502B2E418C31E2DE54290247D2
                                    Function 00007FFD9BAB4749 Relevance: .1, Instructions: 62COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 71be92b163e1012455c04f1cd3ad1c979e1a84c81ba10d02b4d1d8ba3a5e8ba3
                                    • Instruction ID: 0cc896828f5e4914f86eec946e797b6f5f3b94c2239346b15994e07cdeb25cca
                                    • Opcode Fuzzy Hash: 71be92b163e1012455c04f1cd3ad1c979e1a84c81ba10d02b4d1d8ba3a5e8ba3
                                    • Instruction Fuzzy Hash: 3C01F931B0C51D0BEB28BB5C68165FAB7D1EF86330F50023EE11EC21C6DD1995124385
                                    Function 00007FFD9BAB06E0 Relevance: .1, Instructions: 55COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4393c51a51cc833efc39c71536060ec5550d6f74237de9cd28dd2c3b6ac3eb89
                                    • Instruction ID: 1edf26472c7f015bd81c78f68fb63a6fcf8e4b19e2a937ee4f0d30d3fad3d972
                                    • Opcode Fuzzy Hash: 4393c51a51cc833efc39c71536060ec5550d6f74237de9cd28dd2c3b6ac3eb89
                                    • Instruction Fuzzy Hash: AA01F562F1AA5D0BE7789B6C18297AA6A95EF98324F41027DF06EC32D6DD2818424642
                                    Function 00007FFD9BAB1AD2 Relevance: .1, Instructions: 54COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 780102c3f936684a67c64fa0be78ad5a68e5fe185f33b2fed49fe8efd908eff1
                                    • Instruction ID: 98a1a4e5cdb50c073a809030f84af82ddb3c3d31404804b4e25ed884dca52913
                                    • Opcode Fuzzy Hash: 780102c3f936684a67c64fa0be78ad5a68e5fe185f33b2fed49fe8efd908eff1
                                    • Instruction Fuzzy Hash: A101ED32F0495D4FDB40EBB888295EE7BF0EF28214F00017BE529D3195DF786A108B81
                                    Function 00007FFD9BAB1FC0 Relevance: .1, Instructions: 51COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 481f1c2c35dc30cbb1a492603729c9dad0ab9630802cde74443a8918c4cd9e3a
                                    • Instruction ID: 11d4a2307399f71ba32d89da48eae21fde6362ba51016996c791c29b5e825711
                                    • Opcode Fuzzy Hash: 481f1c2c35dc30cbb1a492603729c9dad0ab9630802cde74443a8918c4cd9e3a
                                    • Instruction Fuzzy Hash: 85F0D631B19D0E4FDBA4EB6CE054A65B3D1FFD8360B5006B7E01CC7289DA64DC828740
                                    Function 00007FFD9BAB06F0 Relevance: .1, Instructions: 51COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a679ebccc87760ffaf8ccd1d8bbcea94bc56ec446aec6e197fac8073250c3e9e
                                    • Instruction ID: 703f5f7f39b68c4e6f6e47a7cf0d387210475fc019b63865528e59a90ebccb15
                                    • Opcode Fuzzy Hash: a679ebccc87760ffaf8ccd1d8bbcea94bc56ec446aec6e197fac8073250c3e9e
                                    • Instruction Fuzzy Hash: DBF0D131B18D2D0BEBA4FB9C9429ABE73E1EBC8320F000276E41DC3255CE24290247C5
                                    Function 00007FFD9BAB1AF0 Relevance: .0, Instructions: 45COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f6ef17f1fc52fd247a901d38fa9259a6582130fd77049e1b915f393aa75078ee
                                    • Instruction ID: 3949e467fb1316077193196c3049205896fb98e75be913553065ef5b8d201e7c
                                    • Opcode Fuzzy Hash: f6ef17f1fc52fd247a901d38fa9259a6582130fd77049e1b915f393aa75078ee
                                    • Instruction Fuzzy Hash: 3DF08C31F1492D4BDB40EBA898595FEB7F0FF58305F400176E519D2299DF355A4187C1
                                    Function 00007FFD9BAB1661 Relevance: .0, Instructions: 43COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 05fcdc35e0049eb778e1094c01696c3bbe61092414bce9fb1b1a26064357195a
                                    • Instruction ID: cd8dbf032d38dbc0af375571bd5a009cc3aa6b590659d57b06015e3159346716
                                    • Opcode Fuzzy Hash: 05fcdc35e0049eb778e1094c01696c3bbe61092414bce9fb1b1a26064357195a
                                    • Instruction Fuzzy Hash: 46017B55A1E7D80FE755A73818790357FE28FA5200F0800BEE488C70E3EC1456018742
                                    Function 00007FFD9BAB211D Relevance: .0, Instructions: 42COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a1e7e6ede48b17b24cff4aa74dc24863feaf759560cbef1737afd8bc26a1de14
                                    • Instruction ID: 28ae4e338efa926c2d7ac67b5fcc41ebd8344247c63681c8391a5d618c5d2472
                                    • Opcode Fuzzy Hash: a1e7e6ede48b17b24cff4aa74dc24863feaf759560cbef1737afd8bc26a1de14
                                    • Instruction Fuzzy Hash: 82F0E2328CE3D91FD72657A03C234E67F64EF12210F0B019BF46C8B4A2C95C63568BA2
                                    Function 00007FFD9BAB24A5 Relevance: .0, Instructions: 42COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8448d77d0f8a7207017e1ac8601c5268a180cf94ebbfdb065f6811920bee0612
                                    • Instruction ID: 5cdde211a2e7ceb9cf101459b33b18c9e36182d0e133569c0a39fd900357452b
                                    • Opcode Fuzzy Hash: 8448d77d0f8a7207017e1ac8601c5268a180cf94ebbfdb065f6811920bee0612
                                    • Instruction Fuzzy Hash: EF01D13091A75C5FDBB19B64C8B5BEA7FB1FF04300F0101B6E019C3291DA786945CB01
                                    Function 00007FFD9BAB2429 Relevance: .0, Instructions: 41COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 89155912d58976ecf0fc838e1a3bc62dd463cce7d21fadcdb69f47dec6df405c
                                    • Instruction ID: 805daa0a05c7598cbed8a4ecd8c02f407650ba18f667a78ce9428a2abb723503
                                    • Opcode Fuzzy Hash: 89155912d58976ecf0fc838e1a3bc62dd463cce7d21fadcdb69f47dec6df405c
                                    • Instruction Fuzzy Hash: E701F720F1E7690FFBB96BB854752682B90DF95314F0601F6D419C71E7CDACA9428342
                                    Function 00007FFD9BAB22A0 Relevance: .0, Instructions: 7COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.4151578913.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ffd9bab0000_real-al-d7ya.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 238184ad72d8e079e0984cbebcf05cf3a3cec2beb0f4c5c4de218c8ed348afd2
                                    • Instruction ID: c367aff9678a78b47d9125ae8fcd1effc12d2a12ed9c4e17355529f21dbc8fe6
                                    • Opcode Fuzzy Hash: 238184ad72d8e079e0984cbebcf05cf3a3cec2beb0f4c5c4de218c8ed348afd2
                                    • Instruction Fuzzy Hash: 16A00204DD781E01D86832FB1DD74ED74505B89514FC65260E82C8099AE8CE16E906A7