
Windows Analysis Report
Insidious_protected.exe

Overview

General Information

Sample name: Insidious_protected.exe
Analysis ID: 1495153
MD5: d9ccde3b728fba6d6e3f1b92c75a11a8
SHA1: b0bbe87ae7519b5d6dcd7f6282e891922971942d
SHA256: d5a18b44a40e9bc1952bce6e187b81926ffd358aa5ebe95921cde2b9a72b172f
Tags: exe

Detection

44Caliber Stealer, BlackGuard, Rags Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected 44Caliber Stealer
Yara detected BlackGuard
Yara detected Rags Stealer
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Insidious_protected.exe (PID: 4540 cmdline: "C:\Users\user\Desktop\Insidious_protected.exe" MD5: D9CCDE3B728FBA6D6E3F1B92C75A11A8)
    • WerFault.exe (PID: 4348 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1492 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Extracted malware configuration (44Caliber Stealer): {"Discord Webhook": "https://discord.com/api/webhooks/1274462328603148298/RG8TQ5NOTPK7lllW9DXds8Z7Vj68QWZX7Duc-LfDNeqa_HouSEGlNyNzsrVH6EfQxrh8\u0001Logs"}
Yara matches in process memory:

Source | Rule | Description | Author
00000000.00000002.1465383484.0000000003615000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RagsStealer | Yara detected Rags Stealer | Joe Security
00000000.00000002.1465383484.00000000036AF000.00000004.00000800.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen
  • 0x24ffc:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
  • 0x254c4:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_BlackGuard | Yara detected BlackGuard | Joe Security
00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_RagsStealer | Yara detected Rags Stealer | Joe Security
(7 further entries not shown)

Yara matches in unpacked PE files:

Source | Rule | Description | Author
0.2.Insidious_protected.exe.3e0000.0.unpack | JoeSecurity_BlackGuard | Yara detected BlackGuard | Joe Security
0.2.Insidious_protected.exe.3e0000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.Insidious_protected.exe.3e0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.2.Insidious_protected.exe.3e0000.0.unpack | JoeSecurity_RagsStealer | Yara detected Rags Stealer | Joe Security
0.2.Insidious_protected.exe.3e0000.0.unpack | JoeSecurity_44CaliberStealer | Yara detected 44Caliber Stealer | Joe Security
(3 further entries not shown)

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Insidious_protected.exe | Avira: detected
Source: 0.2.Insidious_protected.exe.3e0000.0.unpack | Malware Configuration Extractor: 44Caliber Stealer {"Discord Webhook": "https://discord.com/api/webhooks/1274462328603148298/RG8TQ5NOTPK7lllW9DXds8Z7Vj68QWZX7Duc-LfDNeqa_HouSEGlNyNzsrVH6EfQxrh8\u0001Logs"}
Source: Insidious_protected.exe | ReversingLabs: Detection: 65%
Source: Yara match | File source: 0.2.Insidious_protected.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Insidious_protected.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: freegeoip.app

Compliance

Source: C:\Users\user\Desktop\Insidious_protected.exe | Unpacked PE file: 0.2.Insidious_protected.exe.3e0000.0.unpack
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: Binary string: diasymreader.dllib.pdbpdb source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: FC:\Windows\symbols\dll\mscorlib.pdb4.0.30319\diasymreader.dllllFiles source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER43FE.tmp.dmp.4.dr
Source: Binary string: Fc:\windows\symbols\dll\mscorlib.pdbC_MG source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .C:\Windows\mscorlib.pdbpdb> source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER43FE.tmp.dmp.4.dr
Source: Binary string: |C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll_b77a5c561934e089\mscorlib.pdb source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER43FE.tmp.dmp.4.dr
Source: Binary string: HPlo0C:\Windows\mscorlib.pdb source: Insidious_protected.exe, 00000000.00000002.1468265993.000000000622A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: c:\windows\microsoft.net\assembly\gac_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER43FE.tmp.dmp.4.dr
Source: Binary string: System.Configuration.pdb source: WER43FE.tmp.dmp.4.dr
Source: Binary string: \mscorlib.pdb source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .C:\Windows\mscorlib.pdbpdbbZ source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER43FE.tmp.dmp.4.dr
Source: Binary string: System.pdb source: WER43FE.tmp.dmp.4.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER43FE.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdb source: WER43FE.tmp.dmp.4.dr
Source: Binary string: |C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll_b77a5c561934e089\mscorlib.pdb} source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Fc:\windows\symbols\dll\mscorlib.pdbC_ source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: Insidious_protected.exe, 00000000.00000002.1465383484.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, WER43FE.tmp.dmp.4.dr
Source: Binary string: .C:\Windows\mscorlib.pdbpdb source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Stealler\44CALIBER-main\44CALIBER\obj\Debug\Insidious.pdb source: Insidious_protected.exe, Insidious_protected.exe, 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER43FE.tmp.dmp.4.dr
Source: Binary string: System.Core.pdb source: WER43FE.tmp.dmp.4.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER43FE.tmp.dmp.4.dr
Source: Binary string: System.Core.pdbh source: WER43FE.tmp.dmp.4.dr
Source: Binary string: .c:\windows\mscorlib.pdbpdb source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER43FE.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER43FE.tmp.dmp.4.dr
Source: C:\Users\user\Desktop\Insidious_protected.exe | Code function: 0_2_00461490 FindFirstFileW | 0_2_00461490
Source: C:\Users\user\Desktop\Insidious_protected.exe | Code function: 4x nop then jmp 033C7B94h | 0_2_033C7910
Source: C:\Users\user\Desktop\Insidious_protected.exe | Code function: 4x nop then jmp 033C6AFCh | 0_2_033C69F0
Source: C:\Users\user\Desktop\Insidious_protected.exe | Code function: 4x nop then jmp 033C708Ah | 0_2_033C6EED
Source: C:\Users\user\Desktop\Insidious_protected.exe | Code function: 4x nop then inc dword ptr [ebp-30h] | 0_2_033C5370
Source: C:\Users\user\Desktop\Insidious_protected.exe | Code function: 4x nop then inc dword ptr [ebp-24h] | 0_2_033C92E7
Source: C:\Users\user\Desktop\Insidious_protected.exe | Code function: 4x nop then inc dword ptr [ebp-30h] | 0_2_05A90278

Networking

Source: Yara match | File source: 0.2.Insidious_protected.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: freegeoip.app
Source: Insidious_protected.exe, 00000000.00000002.1465383484.000000000363F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://freegeoip.app
Source: Insidious_protected.exe, 00000000.00000002.1465383484.000000000363F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://freegeoip.appd
Source: Insidious_protected.exe, 00000000.00000002.1465383484.0000000003738000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: Insidious_protected.exe, 00000000.00000002.1462882603.0000000000434000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.enigmaprotector.com/
Source: Insidious_protected.exe, 00000000.00000002.1462882603.0000000000434000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.enigmaprotector.com/openU
Source: Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Insidious_protected.exe, Insidious_protected.exe, 00000000.00000002.1465383484.00000000035F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.vimeworld.ru/user/name/
Source: Insidious_protected.exe, 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/
Source: Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Insidious_protected.exe, Insidious_protected.exe, 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1274462328603148298/RG8TQ5NOTPK7lllW9DXds8Z7Vj68QWZX7Duc-LfDNeqa_Ho
Source: Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Insidious_protected.exe, 00000000.00000002.1465383484.0000000003627000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000000.00000002.1465383484.000000000363F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://freegeoip.app
Source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://freegeoip.app/
Source: Insidious_protected.exe, Insidious_protected.exe, 00000000.00000002.1465383484.00000000035F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://freegeoip.app/xml/
Source: Insidious_protected.exe | String found in binary or memory: https://steamcommunity.com/profiles/
Source: Insidious_protected.exe, 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/ASOFTWARE
Source: tmp414F.tmp.tmpdb.0.dr | String found in binary or memory: https://support.mozilla.org
Source: tmp414F.tmp.tmpdb.0.dr | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp414F.tmp.tmpdb.0.dr | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp414F.tmp.tmpdb.0.dr | String found in binary or memory: https://www.mozilla.org
Source: tmp414F.tmp.tmpdb.0.dr | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: tmp414F.tmp.tmpdb.0.dr | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: Insidious_protected.exe, 00000000.00000002.1466534877.00000000046A8000.00000004.00000800.00020000.00000000.sdmp, tmp414F.tmp.tmpdb.0.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: tmp414F.tmp.tmpdb.0.dr | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Insidious_protected.exe, 00000000.00000002.1466534877.00000000046A8000.00000004.00000800.00020000.00000000.sdmp, tmp414F.tmp.tmpdb.0.dr | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49722 version: TLS 1.2

E-Banking Fraud

Source: Yara match | File source: 0.2.Insidious_protected.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

                    System Summary

                    barindex
                    Source: 0.2.Insidious_protected.exe.3e0000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: 0.2.Insidious_protected.exe.3e0000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
                    Source: 0.2.Insidious_protected.exe.3e0000.0.unpack, type: UNPACKEDPEMatched rule: Detects A310Logger Author: ditekSHen
                    Source: 00000000.00000002.1465383484.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: Process Memory Space: Insidious_protected.exe PID: 4540, type: MEMORYSTRMatched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                    Source: Insidious_protected.exeStatic PE information: section name:
                    Source: Insidious_protected.exeStatic PE information: section name:
                    Source: Insidious_protected.exeStatic PE information: section name:
                    Source: Insidious_protected.exeStatic PE information: section name:
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_00489634 NtClose,0_2_00489634
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_0069B19F0_2_0069B19F
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_033CD3080_2_033CD308
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_033C41400_2_033C4140
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_033CE6790_2_033CE679
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_033CF8280_2_033CF828
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_033CD8E00_2_033CD8E0
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_033C532A0_2_033C532A
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_033C53700_2_033C5370
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_033C53660_2_033C5366
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_033CD2F80_2_033CD2F8
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_033C92E70_2_033C92E7
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_033CBBF80_2_033CBBF8
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_033CF8180_2_033CF818
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_033C8E900_2_033C8E90
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_033CBC080_2_033CBC08
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_05A902690_2_05A90269
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: 0_2_05A902780_2_05A90278
                    Source: C:\Users\user\Desktop\Insidious_protected.exeCode function: String function: 00438264 appears 48 times
                    Source: C:\Users\user\Desktop\Insidious_protected.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1492
                    Source: Insidious_protected.exe, 00000000.00000000.1216136666.0000000000432000.00000080.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameInsidious.exe6 vs Insidious_protected.exe
                    Source: Insidious_protected.exeBinary or memory string: OriginalFilenameInsidious.exe6 vs Insidious_protected.exe
                    Source: 0.2.Insidious_protected.exe.3e0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: 0.2.Insidious_protected.exe.3e0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                    Source: 0.2.Insidious_protected.exe.3e0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
                    Source: 00000000.00000002.1465383484.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: Process Memory Space: Insidious_protected.exe PID: 4540, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: Insidious_protected.exeStatic PE information: Section: ZLIB complexity 0.9968701972336066
                    Source: Insidious_protected.exeStatic PE information: Section: dhnhbfg ZLIB complexity 0.9962756849315069
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@2/14@1/1
                    Source: C:\Users\user\Desktop\Insidious_protected.exeMutant created: NULL
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4540
                    Source: C:\Users\user\Desktop\Insidious_protected.exeFile created: C:\Users\user\AppData\Local\Temp\tmp413E.tmpJump to behavior
                    Source: C:\Users\user\Desktop\Insidious_protected.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                    Source: C:\Users\user\Desktop\Insidious_protected.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                    Source: C:\Users\user\Desktop\Insidious_protected.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000E37000.00000004.00000020.00020000.00000000.sdmp, Insidious_protected.exe, 00000000.00000002.1465383484.00000000036E1000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000000.00000002.1465383484.000000000360F000.00000004.00000800.00020000.00000000.sdmp, tmp416F.tmp.dat.0.dr, tmp425F.tmp.dat.0.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: Insidious_protected.exeReversingLabs: Detection: 65%
                    Source: C:\Users\user\Desktop\Insidious_protected.exeFile read: C:\Users\user\Desktop\Insidious_protected.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\Insidious_protected.exe "C:\Users\user\Desktop\Insidious_protected.exe"
                    Source: C:\Users\user\Desktop\Insidious_protected.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1492
                    Source: C:\Users\user\Desktop\Insidious_protected.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Insidious_protected.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Insidious_protected.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Insidious_protected.exeSection loaded: shfolder.dllJump to behavior
                    Source: C:\Users\user\Desktop\Insidious_protected.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Insidious_protected.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Insidious_protected.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Insidious_protected.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Insidious_protected.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Insidious_protected.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
                    Source: C:\Users\user\Desktop\Insidious_protected.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: Insidious_protected.exe Static file information: File size 1241088 > 1048576
                    Source: Binary string: diasymreader.dllib.pdbpdb source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: FC:\Windows\symbols\dll\mscorlib.pdb4.0.30319\diasymreader.dllllFiles source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.ni.pdb source: WER43FE.tmp.dmp.4.dr
                    Source: Binary string: Fc:\windows\symbols\dll\mscorlib.pdbC_MG source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: .C:\Windows\mscorlib.pdbpdb> source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdbRSDS source: WER43FE.tmp.dmp.4.dr
                    Source: Binary string: |C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll_b77a5c561934e089\mscorlib.pdb source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Configuration.ni.pdb source: WER43FE.tmp.dmp.4.dr
                    Source: Binary string: HPlo0C:\Windows\mscorlib.pdb source: Insidious_protected.exe, 00000000.00000002.1468265993.000000000622A000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: c:\windows\microsoft.net\assembly\gac_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdbRSDS source: WER43FE.tmp.dmp.4.dr
                    Source: Binary string: System.Configuration.pdb source: WER43FE.tmp.dmp.4.dr
                    Source: Binary string: \mscorlib.pdb source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: .C:\Windows\mscorlib.pdbpdbbZ source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Xml.pdb source: WER43FE.tmp.dmp.4.dr
                    Source: Binary string: System.pdb source: WER43FE.tmp.dmp.4.dr
                    Source: Binary string: System.Xml.ni.pdbRSDS# source: WER43FE.tmp.dmp.4.dr
                    Source: Binary string: System.Core.ni.pdb source: WER43FE.tmp.dmp.4.dr
                    Source: Binary string: |C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll_b77a5c561934e089\mscorlib.pdb} source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Fc:\windows\symbols\dll\mscorlib.pdbC_ source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdb source: Insidious_protected.exe, 00000000.00000002.1465383484.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, WER43FE.tmp.dmp.4.dr
                    Source: Binary string: .C:\Windows\mscorlib.pdbpdb source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \Stealler\44CALIBER-main\44CALIBER\obj\Debug\Insidious.pdb source: Insidious_protected.exe, Insidious_protected.exe, 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp
                    Source: Binary string: mscorlib.ni.pdb source: WER43FE.tmp.dmp.4.dr
                    Source: Binary string: System.Core.pdb source: WER43FE.tmp.dmp.4.dr
                    Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER43FE.tmp.dmp.4.dr
                    Source: Binary string: System.Core.pdbh source: WER43FE.tmp.dmp.4.dr
                    Source: Binary string: .c:\windows\mscorlib.pdbpdb source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WER43FE.tmp.dmp.4.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER43FE.tmp.dmp.4.dr

                    Data Obfuscation

                    Source: C:\Users\user\Desktop\Insidious_protected.exe Unpacked PE file: 0.2.Insidious_protected.exe.3e0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;dhnhbfg:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;.rsrc:ER;Unknown_Section4:ER;dhnhbfg:ER;
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Unpacked PE file: 0.2.Insidious_protected.exe.3e0000.0.unpack
                    Source: Insidious_protected.exe Static PE information: 0x90591ACE [Fri Sep 28 14:44:30 2046 UTC]
                    Source: Insidious_protected.exe Static PE information: section name:
                    Source: Insidious_protected.exe Static PE information: section name:
                    Source: Insidious_protected.exe Static PE information: section name:
                    Source: Insidious_protected.exe Static PE information: section name:
                    Source: Insidious_protected.exe Static PE information: section name: dhnhbfg
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0043C3EA push 0043C418h; ret 0_2_0043C410
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0044D3A0 push 0044D400h; ret 0_2_0044D3F8
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0044E454 push 0044E4A1h; ret 0_2_0044E499
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0044D456 push 0044D5A4h; ret 0_2_0044D59C
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0043C45C push 0043C488h; ret 0_2_0043C480
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0043C424 push 0043C450h; ret 0_2_0043C448
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0043C4F8 push 0043C52Ch; ret 0_2_0043C524
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0043C494 push 0043C4C0h; ret 0_2_0043C4B8
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0044C536 push 0044C5B5h; ret 0_2_0044C5AD
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0043A5F0 push 0043A641h; ret 0_2_0043A639
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0044B62C push 0044B6A2h; ret 0_2_0044B69A
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_004446DA push 0044474Bh; ret 0_2_00444743
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0044B6A4 push 0044B74Ch; ret 0_2_0044B744
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0044B74E push 0044B79Ch; ret 0_2_0044B794
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0044485E push 0044488Ch; ret 0_2_00444884
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0044C804 push 0044C830h; ret 0_2_0044C828
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0044D8F4 push ecx; mov dword ptr [esp], ecx 0_2_0044D8F6
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0043A8AA push 0043A8D8h; ret 0_2_0043A8D0
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0043A968 push 0043A994h; ret 0_2_0043A98C
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0043BA48 push ecx; mov dword ptr [esp], eax 0_2_0043BA49
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0043BCF2 push 0043BD20h; ret 0_2_0043BD18
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_00443D60 push ecx; mov dword ptr [esp], edx 0_2_00443D65
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_0043BD2C push 0043BD58h; ret 0_2_0043BD50
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_00436F90 push eax; ret 0_2_00436FCC
                    Source: Insidious_protected.exe Static PE information: section name: entropy: 7.996321345870958
                    Source: Insidious_protected.exe Static PE information: section name: dhnhbfg entropy: 7.978903931994907
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Memory allocated: 3380000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Memory allocated: 35F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Memory allocated: 3400000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\Insidious_protected.exe TID: 7468 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Insidious_protected.exe TID: 7468 Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Code function: 0_2_00461490 FindFirstFileW, 0_2_00461490
                    Source: Amcache.hve.4.dr Binary or memory string: VMware
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: outlook.office.comVMware20,11696492231s
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: AMC password management pageVMware20,11696492231
                    Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: interactivebrokers.comVMware20,11696492231
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: outlook.office365.comVMware20,11696492231t
                    Source: Insidious_protected.exe, 00000000.00000002.1462882603.0000000000434000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: &VBoxService.exe
                    Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: discord.comVMware20,11696492231f
                    Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
                    Source: Insidious_protected.exe, 00000000.00000002.1463958954.0000000000E4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7!
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: global block list test formVMware20,11696492231
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: bankofamerica.comVMware20,11696492231x
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: tasks.office.comVMware20,11696492231o
                    Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
                    Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                    Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                    Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                    Source: Amcache.hve.4.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                    Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                    Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                    Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
                    Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                    Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                    Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Insidious_protected.exe, 00000000.00000002.1462882603.0000000000434000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VBoxService.exe
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: dev.azure.comVMware20,11696492231j
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                    Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
                    Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                    Source: Insidious_protected.exe, Insidious_protected.exe, 00000000.00000002.1462882603.000000000057A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ~VirtualMachineTypes
                    Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Insidious_protected.exe, Insidious_protected.exe, 00000000.00000002.1462882603.000000000057A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
                    Source: Insidious_protected.exe, 00000000.00000002.1462882603.0000000000434000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMWare
                    Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Insidious_protected.exe, 00000000.00000002.1462882603.000000000057A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696492231
                    Source: tmp424E.tmp.dat.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                    Source: C:\Users\user\Desktop\Insidious_protected.exe Process information queried: ProcessInformation

                    Anti Debugging

                    barindex
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | Thread information set: HideFromDebugger
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | Thread information set: HideFromDebugger
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | Open window title or class name: ollydbg
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | File opened: SIWDEBUG
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | File opened: NTICE
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | File opened: SICE
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | Code function: 0_2_033CB610 LdrInitializeThunk,0_2_033CB610
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | Queries volume information: C:\Users\user\Desktop\Insidious_protected.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                    Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    barindex
                    Source: Yara match | File source: 0.2.Insidious_protected.exe.3e0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Insidious_protected.exe PID: 4540, type: MEMORYSTR
                    Source: Yara match | File source: 0.2.Insidious_protected.exe.3e0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.2.Insidious_protected.exe.3e0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1465383484.0000000003615000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Insidious_protected.exe PID: 4540, type: MEMORYSTR
                    Source: Insidious_protected.exe | String found in binary or memory: Electrum
                    Source: Insidious_protected.exe, 00000000.00000002.1465383484.0000000003676000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q5C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: Insidious_protected.exe | String found in binary or memory: JaxxDir
                    Source: Insidious_protected.exe | String found in binary or memory: \Exodus\exodus.wallet\
                    Source: Insidious_protected.exe | String found in binary or memory: \Wallets\Ethereum\
                    Source: Insidious_protected.exe | String found in binary or memory: ExodusDir
                    Source: Insidious_protected.exe | String found in binary or memory: Ethereum
                    Source: Insidious_protected.exe | String found in binary or memory: \Exodus\exodus.wallet\
                    Source: Insidious_protected.exe | String found in binary or memory: \Ethereum\keystore
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\Desktop\Insidious_protected.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
                    Source: Yara match | File source: 0.2.Insidious_protected.exe.3e0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1465383484.0000000003676000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Insidious_protected.exe PID: 4540, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Source: Yara match | File source: 0.2.Insidious_protected.exe.3e0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Insidious_protected.exe PID: 4540, type: MEMORYSTR
                    Source: Yara match | File source: 0.2.Insidious_protected.exe.3e0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.2.Insidious_protected.exe.3e0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1465383484.0000000003615000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Insidious_protected.exe PID: 4540, type: MEMORYSTR
                    ATT&CK matrix, listed by tactic column (the technique counts from the report are given in parentheses):
                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (251); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (22); Timestomp (1); DLL Side-Loading (1)
                    Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery: Security Software Discovery (231); Process Discovery (1); Virtualization/Sandbox Evasion (251); File and Directory Discovery (1); System Information Discovery (12); Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                    Collection: Archive Collected Data (1); Data from Local System (3); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Command and Control: Encrypted Channel (12); Non-Application Layer Protocol (1); Application Layer Protocol (2); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                    Source | Detection | Scanner | Label
                    Insidious_protected.exe | 66% | ReversingLabs | Win32.Trojan.ProtectorEnigma
                    Insidious_protected.exe | 100% | Avira | HEUR/AGEN.1351863
                    Insidious_protected.exe | 100% | Joe Sandbox ML
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    http://upx.sf.net | 0% | URL Reputation | safe
                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
                    https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
                    https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
                    https://support.mozilla.org | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
                    https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
                    https://freegeoip.app/ | 0% | Avira URL Cloud | safe
                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
                    http://freegeoip.appd | 0% | Avira URL Cloud | safe
                    https://freegeoip.app | 0% | Avira URL Cloud | safe
                    https://freegeoip.app/xml/ | 0% | Avira URL Cloud | safe
                    https://steamcommunity.com/profiles/ASOFTWARE | 0% | Avira URL Cloud | safe
                    https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
                    http://www.enigmaprotector.com/openU | 0% | Avira URL Cloud | safe
                    https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
                    https://discord.com/api/webhooks/1274462328603148298/RG8TQ5NOTPK7lllW9DXds8Z7Vj68QWZX7Duc-LfDNeqa_Ho | 0% | Avira URL Cloud | safe
                    https://steamcommunity.com/profiles/ | 0% | Avira URL Cloud | safe
                    https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK | 0% | Avira URL Cloud | safe
                    http://freegeoip.app | 0% | Avira URL Cloud | safe
                    https://api.vimeworld.ru/user/name/ | 0% | Avira URL Cloud | safe
                    http://www.enigmaprotector.com/ | 0% | Avira URL Cloud | safe
                    https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/ | 0% | Avira URL Cloud | safe
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      freegeoip.app | 188.114.96.3 | true | true | (none) | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://freegeoip.app/xml/ | Insidious_protected.exe, Insidious_protected.exe, 00000000.00000002.1465383484.00000000035F1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://duckduckgo.com/chrome_newtab | Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
                      https://duckduckgo.com/ac/?q= | Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
                      https://www.google.com/images/branding/product/ico/googleg_lodp.ico | Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
                      https://steamcommunity.com/profiles/ASOFTWARE | Insidious_protected.exe, 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
                      http://www.enigmaprotector.com/openU | Insidious_protected.exe, 00000000.00000002.1462882603.0000000000434000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
                      https://freegeoip.app/ | Insidious_protected.exe, 00000000.00000002.1463958954.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://freegeoip.app | Insidious_protected.exe, 00000000.00000002.1465383484.0000000003627000.00000004.00000800.00020000.00000000.sdmp, Insidious_protected.exe, 00000000.00000002.1465383484.000000000363F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      http://freegeoip.appd | Insidious_protected.exe, 00000000.00000002.1465383484.000000000363F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | false | Avira URL Cloud: safe | unknown
                      http://upx.sf.net | Amcache.hve.4.dr | false | URL Reputation: safe | unknown
                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | false | URL Reputation: safe | unknown
                      https://www.ecosia.org/newtab/ | Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | false | URL Reputation: safe | unknown
                      https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | tmp414F.tmp.tmpdb.0.dr | false | URL Reputation: safe | unknown
                      https://ac.ecosia.org/autocomplete?q= | Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | false | URL Reputation: safe | unknown
                      https://discord.com/api/webhooks/1274462328603148298/RG8TQ5NOTPK7lllW9DXds8Z7Vj68QWZX7Duc-LfDNeqa_Ho | Insidious_protected.exe, Insidious_protected.exe, 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp | true | Avira URL Cloud: safe | unknown
                      https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | false | URL Reputation: safe | unknown
                      https://steamcommunity.com/profiles/ | Insidious_protected.exe | false | Avira URL Cloud: safe | unknown
                      https://api.vimeworld.ru/user/name/ | Insidious_protected.exe, Insidious_protected.exe, 00000000.00000002.1465383484.00000000035F1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/ | Insidious_protected.exe, 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
                      https://support.mozilla.org | tmp414F.tmp.tmpdb.0.dr | false | URL Reputation: safe | unknown
                      http://www.enigmaprotector.com/ | Insidious_protected.exe, 00000000.00000002.1462882603.0000000000434000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Insidious_protected.exe, 00000000.00000002.1465383484.0000000003738000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | Insidious_protected.exe, 00000000.00000002.1466534877.0000000004669000.00000004.00000800.00020000.00000000.sdmp, tmp413E.tmp.dat.0.dr, tmp4180.tmp.dat.0.dr | false | URL Reputation: safe | unknown
                      https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK | tmp414F.tmp.tmpdb.0.dr | false | Avira URL Cloud: safe | unknown
                      http://freegeoip.app | Insidious_protected.exe, 00000000.00000002.1465383484.000000000363F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      IP | Domain | Country | ASN | ASN Name | Malicious
                      188.114.96.3 | freegeoip.app | European Union | 13335 | CLOUDFLARENETUS | true
                      Joe Sandbox version: 40.0.0 Tourmaline
                      Analysis ID: 1495153
                      Start date and time: 2024-08-19 18:48:07 +02:00
                      Joe Sandbox product: CloudBasic
                      Overall analysis duration: 0h 4m 58s
                      Hypervisor based Inspection enabled: false
                      Report type: full
                      Cookbook file name: default.jbs
                      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of new started processes analysed: 22
                      Number of new started drivers analysed: 0
                      Number of existing processes analysed: 0
                      Number of existing drivers analysed: 0
                      Number of injected processes analysed: 0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode: default
                      Analysis stop reason: Timeout
                      Sample name: Insidious_protected.exe
                      Detection: MAL
                      Classification: mal100.troj.spyw.evad.winEXE@2/14@1/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information: Failed
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe, UsoClient.exe
                      • Excluded IPs from analysis (whitelisted): 20.189.173.22
                      • Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                      • Not all processes were analyzed; the report is missing behavior information
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • Report size getting too big, too many NtSetInformationFile calls found.
                      • VT rate limit hit for: Insidious_protected.exe
                      Time | Type | Description
                      12:49:22 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                      12:49:22 | API Interceptor | 1x Sleep call for process: Insidious_protected.exe modified
                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      188.114.96.3SecuriteInfo.com.Exploit.CVE-2017-11882.123.29807.9267.rtfGet hashmaliciousFormBookBrowse
                      • www.katasoo.com/7qad/
                      QUOTATION_AUGQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                      • filetransfer.io/data-package/kaTwqiM5/download
                      S#U0435tup.exeGet hashmaliciousCryptbotBrowse
                      • neintyy19sb.top/v1/upload.php
                      PO 4500118077.pdf.exeGet hashmaliciousFormBookBrowse
                      • www.bo-2024-001-v1-d1.xyz/rn10/?pPX=66dLyAzLaA92QJtP+ncKCtihnZgQCb156m6Ri470HP3Fq7nMSSIB6n3llyCNj9XFFykk&067=ilNDu4JPm
                      Injector.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                      • 753139cl.nyashtop.top/PythonPhpPollProtectTrackcdnUploadsDownloads.php
                      set-up.exeGet hashmaliciousCryptbotBrowse
                      • neintyy19sb.top/v1/upload.php
                      set-up.exeGet hashmaliciousCryptbotBrowse
                      • neintyy19sb.top/v1/upload.php
                      rfq_commercial_order_GMlist_for_Drumedis_tender_august_quater_2024.xlsGet hashmaliciousUnknownBrowse
                      • jiourl.com/anbdld
                      QUOTATION_AUGQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                      • filetransfer.io/data-package/9sUie4yY/download
                      PRODUCTS SHEET 0051937.exeGet hashmaliciousFormBookBrowse
                      • www.ediancai.cn/x7r2/
                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      freegeoip.appnyen2eabmfb.exeGet hashmalicious44Caliber Stealer, BlackGuard, Rags StealerBrowse
                      • 188.114.97.3
                      Cheat.exeGet hashmalicious44Caliber Stealer, BlackGuard, Rags StealerBrowse
                      • 188.114.97.3
                      B5U2ccQ8H1.exeGet hashmaliciousRL STEALER, StormKittyBrowse
                      • 188.114.97.3
                      xj40xovMsm.exeGet hashmaliciousAsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLineBrowse
                      • 188.114.96.3
                      Pots.exeGet hashmalicious44userber Stealer, Rags StealerBrowse
                      • 104.21.73.97
                      qdHMT36Tn9.exeGet hashmalicious44Caliber Stealer, Njrat, Rags StealerBrowse
                      • 172.67.160.84
                      64drop.exeGet hashmalicious44Caliber Stealer, Rags StealerBrowse
                      • 104.21.73.97
                      123.scr.exeGet hashmaliciousUnknownBrowse
                      • 104.21.73.97
                      123.scr.exeGet hashmaliciousRags StealerBrowse
                      • 104.21.73.97
                      123.scr.exeGet hashmaliciousRags StealerBrowse
                      • 172.67.160.84
                      Match: CLOUDFLARENETUS
                      Associated Sample Name / URL | Detection | Threat Name | Context
                      https://is.gd/a58x5n?wWs=2qKDRCC96T?ECt=JihQOqqO0N | malicious | Unknown | 104.25.233.53
                      nyen2eabmfb.exe | malicious | 44Caliber Stealer, BlackGuard, Rags Stealer | 188.114.97.3
                      SecuriteInfo.com.Win32.CrypterX-gen.10777.11381.exe | malicious | LummaC | 104.21.17.213
                      https://klo.ua/wp-admin/ivwaj.php?7-797967704b5369323074665053797a4c54453873535532714c456c4e3153736f7974635071437a4f31776341-EMAILBASE64 | malicious | Phisher | 104.18.95.41
                      file.exe | malicious | LummaC | 104.21.42.119
                      https://na4.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAAgtmudCdipeGj991qUjM8egV6814sux3rgVxmpQ9ZUPP1ghEiBFZhGbeUOXRNN8jh0-dHyQbAhKeqZWA47C7EGYTdl0WfoRVsVtug9eoPZA7XQynIL6EntGVhDjys02My& | malicious | HTMLPhisher | 104.18.69.40
                      0calendarscope.exe | malicious | LummaC, Go Injector | 104.21.16.74
                      401(k) Form - 2024-Benefits_Payroll Increment forms August 19, 2024 Ref_ DZQYC08093.eml | malicious | EvilProxy, HTMLPhisher | 1.1.1.1
                      0calendarscope.exe | malicious | LummaC, Go Injector | 104.21.16.74
                      http://www.schoolsfirstfcu.org/ | malicious | HTMLPhisher | 104.18.86.42
                      Match: 3b5074b1b5d032e5620f69f9f700ff0e
                      Associated Sample Name / URL | Detection | Threat Name | Context
                      nyen2eabmfb.exe | malicious | 44Caliber Stealer, BlackGuard, Rags Stealer | 188.114.96.3
                      https://procore-drive.s3.amazonaws.com/ProcoreDriveSetup.exe | malicious | Unknown | 188.114.96.3
                      https://shared.outlook.inky.com/link?domain=urldefense.proofpoint.com&t=h.eJxVUE2PmzAU_CsrDpxK-AazEuqyS5JqE9Jmg9IoF8sYQ0jABtvANlX_eyGHSr08vfdmNKOZ30rPa-X5SblI2YpnXZ_OnBSECrJoOWNFyyoqF5g1-mDN4Nc-fFA1O4KwRFT2dJq3nuLqhjh5UCEcW82KK4rrPicCtqxhMJtYAjYVJVDNw3hMVtGo4pD067OQGKVxXQ9Vs9yBzL-e-Nh9L7TBjeBb3pb0WFRVkqg8fIXd7u7ffby-lqdsKIVxMQ7yLfnx06k3JzJoxLu6EBvQitQmBGP3vi9cfgCb66cZO4BdtpvOWtXYGjbgWwnPbZWIAzp3MoW_Rin2BMS7Na8OOydFGVNFCCInhbL-vBDf-xg-_KPdrtDyCMHyvt5v35k2bFPZs9fs7KgkVL48Kbe5TUok42Uhfd-37CDQy4JP8QvG5cu_DdFcMCoe3XrIJ7nrBHaW2aZrmJ4BDDezPexlhmvngW5OOi5wbDdYmLMLebigehJgL-guCUZNM0vNYD6D_z3__AXAcKQ4.MEUCIB-PNKp_9-d3drOD5owphdjbOwtYz5OQxdgeN5g2hPNUAiEAleTizC6zi0EZIypSMBPG6kkRYgzdslitxgPkKL9II8M | malicious | Unknown | 188.114.96.3
                      http://uspsmyr.info | malicious | Unknown | 188.114.96.3
                      http://uspsnye.info | malicious | Unknown | 188.114.96.3
                      file.exe | malicious | LummaC, PureLog Stealer, RedLine, zgRAT | 188.114.96.3
                      buidl.exe | malicious | XWorm | 188.114.96.3
                      IB987650098000044.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
                      Legal Action Documents PDF.bat.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 188.114.96.3
                      PAGO.08.12.2024.lnk.lnk | malicious | Unknown | 188.114.96.3
                      No context
                      Process:C:\Users\user\Desktop\Insidious_protected.exe
                      File Type:ASCII text
                      Category:dropped
                      Size (bytes):105
                      Entropy (8bit):3.8863455911790052
                      Encrypted:false
                      SSDEEP:3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
                      MD5:2E9D094DDA5CDC3CE6519F75943A4FF4
                      SHA1:5D989B4AC8B699781681FE75ED9EF98191A5096C
                      SHA-256:C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
                      SHA-512:D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
                      Malicious:false
                      Reputation:moderate, very likely benign file
                      Preview:### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):1.1587780593433137
                      Encrypted:false
                      SSDEEP:192:uOAoQr7Fq80BU/gjOBdFyUy0zuiFoZ24IO8e:HAo+7FiBU/gjeyL0zuiFoY4IO8e
                      MD5:FF96641B9E7E983444D2F644D9C00F5B
                      SHA1:10B314301E3C3A16EF8B97068C76D6F974D06277
                      SHA-256:FD4D746F00ECAE11DD8AD4A0E38C6F29CB734C4CD49486DE2DFC4941CFFE190E
                      SHA-512:6E89950C6052C19AB49BD4BE44FE330A597A3CFD72938953ADE74035D4D5BDA984DE5A9219270124CEFAC1B65688196F97870B099EA5EC60F9DD5823B00B6578
                      Malicious:false
                      Reputation:low
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.8.5.5.9.7.3.8.6.4.3.0.2.1.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.8.5.5.9.7.4.0.0.9.6.1.4.6.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.2.4.4.1.1.d.f.-.c.e.6.6.-.4.b.f.9.-.8.f.3.6.-.8.c.7.4.7.5.3.9.0.1.9.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.1.c.c.4.f.7.-.f.b.0.f.-.4.7.4.a.-.9.5.9.2.-.6.f.e.0.d.0.9.0.a.f.e.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.n.s.i.d.i.o.u.s._.p.r.o.t.e.c.t.e.d...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.n.s.i.d.i.o.u.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.b.c.-.0.0.0.1.-.0.0.1.4.-.a.3.e.3.-.3.a.a.f.5.7.f.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.1.1.8.6.e.c.8.a.7.1.b.7.6.8.8.5.0.a.d.2.d.f.e.6.a.d.f.3.7.6.7.0.0.0.0.0.0.0.0.!.0.0.0.0.b.0.b.b.e.8.7.a.e.7.5.1.9.b.5.d.6.d.c.d.7.f.6.2.8.2.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 15 streams, Mon Aug 19 16:48:59 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):358613
                      Entropy (8bit):4.023083795665072
                      Encrypted:false
                      SSDEEP:6144:e33ey99fTSievPDIa74bXKsZ3WTgulVcq:e+Q9fGrvLIasrZ3WTPlVcq
                      MD5:EE75FD0FDB08AE35E15B15C5DF937053
                      SHA1:45FA2C4D1E7C98E5EFF2B825506905E42D2718C6
                      SHA-256:6C45F0804CBC97B171B12409D6D48A42ED04CC287EB2EBC96EBD5E0273D4DD08
                      SHA-512:4C5EA634D7F7485A1295493B66A4458B6F6CE3E7F816467E4AB282559B94977D2519464A68EE78E034D8BCAD6B3AC593B19D36195626DF78C6328B9B31744F5E
                      Malicious:false
                      Reputation:low
                      Preview:MDMP..a..... .......{w.f............4...........H...H.......$....&......d?...c..........`.......8...........T............J..=............&...........(..............................................................................eJ......8)......GenuineIntel............T...........yw.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8440
                      Entropy (8bit):3.6906582876224423
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJwX6t6YNwSUU2gmfZbspr789bh0sfPLm:R6lXJw6t6YKSU9gmfV1hnfa
                      MD5:B78D3D2C43D8BAA9E375AEFBFA4E05E5
                      SHA1:1315361E382C878814DFED405AEA95915DF38C1A
                      SHA-256:29614BDEF380B708D3E49B6DAC665674200238D3F5684AABF65D61492D13654B
                      SHA-512:BF07BE6D24622E658DAD32A202E20D94F83E8F90D26A99B42DB48DE7F2F535C8A64D12CEEB19CC83AFB89D8BED3F6A015CA26F745DB6CEE7CA3FAF86AD25BB32
                      Malicious:false
                      Reputation:low
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.5.4.0.<./.P.i.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4807
                      Entropy (8bit):4.477585387592433
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zslJg77aI9x+rWpW8VYyKa5Ym8M4JbSFM+q8vp2XCGs/rhd:uIjf/I7Hf7VGaoJvKAXCF/rhd
                      MD5:B0E867A9D94B597F732DC24D4F4E0432
                      SHA1:C97F6CD0362AF25B56B55492277A9CFE87BA19D3
                      SHA-256:9D2299D9631612D4F26E420DAEF868F3A4E0032D1904863F779951D1AE9D8532
                      SHA-512:30104F6BAB640B4DDD1553213A0706E55BCE5C84249A83655C7BFAD3E2B47D6BD22C36B943F0CD606EB81C3450EC7B42154170CE5E2F80B91FE4E03573E63071
                      Malicious:false
                      Reputation:low
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="462711" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                      Process:C:\Users\user\Desktop\Insidious_protected.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.137181696973627
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
                      MD5:2D903A087A0C793BDB82F6426B1E8EFB
                      SHA1:E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
                      SHA-256:AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
                      SHA-512:90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
                      Malicious:false
                      Reputation:moderate, very likely benign file
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\Insidious_protected.exe
                      File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):5242880
                      Entropy (8bit):0.03786218306281921
                      Encrypted:false
                      SSDEEP:192:58rJQaXoMXp0VW9FxWB2IGKhNbxrO3Dpvu2HI:58r54w0VW3xWB2ohFQ3Y2
                      MD5:4BB4A37B8E93E9B0F5D3DF275799D45E
                      SHA1:E27DF7CC49B0D145140C119A99C1BBAA9ECCE8F7
                      SHA-256:89BC0F21671C244C40A9EA42893B508858AD6E1E26AC16F2BD507C3E8CBB3CF7
                      SHA-512:F2FC9067EF11DC3B719507B97C76A19B9E976D143A2FD11474B8D2A2848A706AFCA316A95FEEBA644099497A95E1C426CDAB923D5A70619018E1543FEF3182DB
                      Malicious:false
                      Reputation:moderate, very likely benign file
                      Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\Insidious_protected.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\Insidious_protected.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.137181696973627
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
                      MD5:2D903A087A0C793BDB82F6426B1E8EFB
                      SHA1:E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
                      SHA-256:AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
                      SHA-512:90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\Insidious_protected.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                      Category:dropped
                      Size (bytes):196608
                      Entropy (8bit):1.1215420383712111
                      Encrypted:false
                      SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                      MD5:9A809AD8B1FDDA60760BB6253358A1DB
                      SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                      SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                      SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                      Malicious:false
                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\Insidious_protected.exe
                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):98304
                      Entropy (8bit):0.08235737944063153
                      Encrypted:false
                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\Insidious_protected.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                      Category:dropped
                      Size (bytes):196608
                      Entropy (8bit):1.1215420383712111
                      Encrypted:false
                      SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                      MD5:9A809AD8B1FDDA60760BB6253358A1DB
                      SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                      SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                      SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                      Malicious:false
                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\Insidious_protected.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):51200
                      Entropy (8bit):0.8746135976761988
                      Encrypted:false
                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
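The "File Type" strings on the SQLite databases the sample drops are libmagic's rendering of the fixed 100-byte SQLite header (page size, write/read version, file change counter, page count, schema cookie, text encoding, user version, version-valid-for and the SQLite version that last wrote the file). The following example is added by the editor and is not Joe Sandbox code: it parses that header directly with the standard library and rebuilds the description of the 5,242,880-byte database above (user version 75, 32 KiB pages, writer version 2). The header bytes are constructed to match that entry's printed fields; they are not copied from the dropped file.

```python
"""Parse the 100-byte SQLite 3 database header and render it the way the
report's "File Type" lines do (hypothetical example code, standard library only)."""
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"
# Offsets 0..99: magic, page size, 6 single bytes, 12 big-endian u32, 20 reserved, 2 u32.
HEADER_FMT = ">16sH6B12I20x2I"
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_sqlite_header(data):
    """Return the header fields an analyst needs when triaging a copied database."""
    if len(data) < 100 or data[:16] != SQLITE_MAGIC:
        raise ValueError("not an SQLite 3 database")
    (_magic, page_size_raw, write_ver, read_ver, _reserved, _maxf, _minf, _leaff,
     change_counter, page_count, _fl_trunk, _fl_count, schema_cookie, schema_format,
     _cache, _largest_root, encoding, user_version, _incr_vac, _app_id,
     version_valid_for, sqlite_version) = struct.unpack_from(HEADER_FMT, data, 0)
    return {
        "page_size": 65536 if page_size_raw == 1 else page_size_raw,  # 1 encodes 65536
        "write_version": write_ver,      # 2 = WAL journal mode, 1 = legacy rollback journal
        "read_version": read_ver,
        "wal": write_ver == 2,
        "change_counter": change_counter,
        "page_count": page_count,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "encoding": ENCODINGS.get(encoding, "unknown"),
        "user_version": user_version,
        "version_valid_for": version_valid_for,
        # sqlite_version is only trustworthy when version_valid_for == change_counter
        "sqlite_version": sqlite_version,
    }


def describe(hdr):
    """Same field order and wording as the report's libmagic "File Type" strings."""
    parts = ["SQLite 3.x database"]
    if hdr["user_version"]:
        parts.append(f"user version {hdr['user_version']}")
    parts += [f"last written using SQLite version {hdr['sqlite_version']}",
              f"page size {hdr['page_size']}"]
    if hdr["write_version"] > 1:            # the report shows these only for the WAL-mode copies
        parts.append(f"writer version {hdr['write_version']}")
    if hdr["read_version"] > 1:
        parts.append(f"read version {hdr['read_version']}")
    parts += [f"file counter {hdr['change_counter']}",
              f"database pages {hdr['page_count']}",
              f"cookie 0x{hdr['schema_cookie']:x}",
              f"schema {hdr['schema_format']}",
              hdr["encoding"],
              f"version-valid-for {hdr['version_valid_for']}"]
    return ", ".join(parts)


def build_sample_header():
    """Constructed header mirroring the report's 5,242,880-byte dropped database."""
    return struct.pack(HEADER_FMT, SQLITE_MAGIC, 32768, 2, 2, 0, 64, 32, 32,
                       2, 46, 0, 0, 0x26, 4, 0, 0, 1, 75, 0, 0, 2, 3042000)


if __name__ == "__main__":
    hdr = parse_sqlite_header(build_sample_header())
    print(describe(hdr))
    if hdr["wal"]:
        print("WAL mode: recent commits may still sit in the -wal sidecar, not in this file")
```

Writer/read version 2 means the live database runs in WAL mode, so a straight copy of the main file (what a stealer typically grabs, and what a sandbox captures as a dropped file) can lack commits that were still in the `-wal` sidecar at copy time; when acquiring browser profile databases for forensics, take the `-wal` and `-shm` files alongside. The 46 pages of 32 KiB the header claims also account for far less than the 5,242,880 bytes on disk, so page count and file size should be compared rather than trusted individually.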
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:MS Windows registry file, NT/2000 or above
                      Category:dropped
                      Size (bytes):1835008
                      Entropy (8bit):4.416832297353469
                      Encrypted:false
                      SSDEEP:6144:bcifpi6ceLPL9skLmb0m+SWSPtaJG8nAgex285i2MMhA20X4WABlGuN15+:Ai58+SWIZBk2MM6AFB/o
                      MD5:4C8D366B5A46BF691AA21E5DFC34B5DC
                      SHA1:474AE1B757D790F9A9BDE9EDE5CC16D5CBC61487
                      SHA-256:443EC9CE2FC44F484079F99EE117C5841B2736715AA05C4F84C78A0EBD358512
                      SHA-512:528EAE9A31A4EB88AE48024399144FCCA4F7AFB92A5DB78369F7D16FC6D13286BC942308471D837DB679AD19082F95BC122955FB15CE6DCDDC7E5BF2DE2FC946
                      Malicious:false
                      Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmbb..W................................................................................................................................................................................................................................................................................................................................................j..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.9864201442596885
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.94%
                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:Insidious_protected.exe
                      File size:1'241'088 bytes
                      MD5:d9ccde3b728fba6d6e3f1b92c75a11a8
                      SHA1:b0bbe87ae7519b5d6dcd7f6282e891922971942d
                      SHA256:d5a18b44a40e9bc1952bce6e187b81926ffd358aa5ebe95921cde2b9a72b172f
                      SHA512:738f1b568009a6df2fcaf2f1c8aba6aee91b4a66474e095d6e483b72ebf1d5309d33908dd1531407a69520b657bdfa75c6b3eda796c20bf1542b632030e58db4
                      SSDEEP:24576:c1VJqwlZcf4XH1yfEXk3vc8W/jr1STXLmPz63V2HTiViv4qWVLiO6:c1VrlSfI1WlE7/ITq76lslAZxiO6
                      TLSH:DA4533C08F5D000ECB499B3CD743779AA92634A33A75FB429ECE95832CD252D3A91DE0
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Y..........."...................... ........@.. ........................;...........`................................
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0x41a3ec
                      Entrypoint Section:
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp:0x90591ACE [Fri Sep 28 14:44:30 2046 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:2e5467cba76f44a088d39f78c5e807b6
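The static fields above carry three header-level indicators worth checking on any sample before running it: the link timestamp 0x90591ACE decodes to 28 Sep 2046, after the analysis date, so it cannot be a genuine build time (the "Binary contains a suspicious time stamp" signature); the entrypoint 0x41a3ec falls in a section with no name, which is why "Entrypoint Section" is blank and "PE file has nameless sections" fires; and the 8-bit entropy of 7.986 is close to the 8.0 maximum, consistent with the detected unpacking. The following example is added by the editor and is not Joe Sandbox code: it reproduces those three checks with the standard library on a PE32 image constructed in memory to mirror the report's header values (timestamp, image base, entrypoint, one nameless section). The analysis date of 19 Aug 2024 is an assumption taken from the minidump timestamp listed above.

```python
"""Static PE header triage (hypothetical example code): decode
IMAGE_FILE_HEADER.TimeDateStamp, find the section that owns the entry point,
and measure byte entropy. The sample image below is constructed, not the real binary."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Assumed analysis date: the WER minidump on this page is dated Mon Aug 19 2024.
ANALYSIS_TIME = datetime(2024, 8, 19, tzinfo=timezone.utc)

# Values copied from the report's static information table.
REPORT_TIMESTAMP = 0x90591ACE
REPORT_IMAGEBASE = 0x400000
REPORT_ENTRYPOINT = 0x41A3EC


def decode_timestamp(ts):
    """TimeDateStamp is seconds since the Unix epoch, interpreted as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes; >7.5 usually means packed."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data):
    """Minimal PE header parser: file header, AddressOfEntryPoint and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24                  # optional header follows the 20-byte file header
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        (name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, flags) = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize, "flags": flags})
    return {"timestamp": timestamp, "entry_rva": entry_rva, "sections": sections,
            "characteristics": characteristics}


def triage_pe(data, now=ANALYSIS_TIME):
    """Return the indicators an analyst checks first; entry_section is '' for a nameless section."""
    pe = parse_pe(data)
    compiled = decode_timestamp(pe["timestamp"])
    entry_idx = next((i for i, s in enumerate(pe["sections"])
                      if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["rawsize"])), None)
    return {
        "compile_time": compiled.isoformat(),
        "timestamp_in_future": compiled > now,
        "nameless_sections": [i for i, s in enumerate(pe["sections"]) if s["name"] == ""],
        "entry_section": None if entry_idx is None else pe["sections"][entry_idx]["name"],
        "entropy": round(shannon_entropy(data), 3),
    }


def build_sample_pe():
    """Constructed PE32 headers (no real code) reproducing the report's header values."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    opt_size = 0xE0                                                         # PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, REPORT_TIMESTAMP, 0, 0, opt_size, 0x0022)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x20000, 0x1000, 0,
                      REPORT_ENTRYPOINT - REPORT_IMAGEBASE, 0x1000, 0x21000, REPORT_IMAGEBASE)
    opt = opt.ljust(opt_size, b"\0")
    # Section 0 has an all-zero name and owns the entry point; section 1 is an ordinary .rsrc.
    sec0 = struct.pack("<8sIIIIIIHHI", b"\0" * 8, 0x20000, 0x1000, 0x20000, 0x400, 0, 0, 0, 0, 0xE0000020)
    sec1 = struct.pack("<8sIIIIIIHHI", b".rsrc", 0x1000, 0x21000, 0x1000, 0x20400, 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + file_hdr + opt + sec0 + sec1


SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    print(triage_pe(SAMPLE_PE))
```

Run against the real file the entropy figure would come out near the 7.986 the report shows; the constructed headers are mostly zero, so the value printed here is low and only the timestamp and section checks are representative. Note also that the WER report dropped above records EventType=CLR20r3 (the .NET unhandled-exception bucket) and OriginalFilename=Insidious.exe, while the static table shows no CLR version for this PE: the crashing code is managed, so the future timestamp, nameless section and high entropy describe the native protector wrapped around the stealer, not the payload itself.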
                      Instruction
                      call 00007F8B7C6C6FF6h
                      jmp 00007F8B7C6C6E0Eh
                      push 0044BB60h
                      push dword ptr fs:[00000000h]
                      mov eax, dword ptr [esp+10h]
                      mov dword ptr [esp+10h], ebp
                      lea ebp, dword ptr [esp+10h]
                      sub esp, eax
                      push ebx
                      push esi
                      push edi
                      mov eax, dword ptr [00466ECCh]
                      xor dword ptr [ebp-04h], eax
                      xor eax, ebp
                      push eax
                      mov dword ptr [ebp-18h], esp
                      push dword ptr [ebp-08h]
                      mov eax, dword ptr [ebp-04h]
                      mov dword ptr [ebp-04h], FFFFFFFEh
                      mov dword ptr [ebp-08h], eax
                      lea eax, dword ptr [ebp-10h]
                      mov dword ptr fs:[00000000h], eax
                      ret
                      mov ecx, dword ptr [ebp-10h]
                      mov dword ptr fs:[00000000h], ecx
                      pop ecx
                      pop edi
                      pop edi
                      pop esi
                      pop ebx
                      mov esp, ebp
                      pop ebp
                      push ecx
                      ret
                      int3
                      int3
                      int3
                      add esp, 04h
                      jmp 00007F8B7CA6235Fh
                      out F1h, eax
                      hlt
                      push ebx
                      or byte ptr [ebx+13794A26h], 00000040h
                      and esi, dword ptr [eax+7Ch]
                      pop ds
                      inc eax
                      mov al, 40h
                      pop ebx
                      pushfd
                      jns 00007F8B7C6C7003h
                      movsd
                      lodsd
                      leave
                      int1
                      test esi, edx
                      push edi
                      and edi, edx
                      push ds
                      xor eax, 89FB8D4Fh
                      sub byte ptr [esi+esi*2], dl
                      mov bl, 2Bh
                      ret
                      xchg dword ptr [edx+0Ah], ecx
                      salc
                      fldenv [3DB629E0h]
                      push edi
                      or al, 78h
                      push ebx
                      bound edx, dword ptr [eax+ebp*8-36h]
                      movsd
                      leave
                      and byte ptr [ecx+01h], 00000035h
                      ror dword ptr [edi], 1
                      aam 7Ch
                      ror dword ptr [eax], cl
                      in al, A1h
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d4020 | 0x210 | dhnhbfg
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x5f4 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2d4000 | 0xcd | dhnhbfg
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      (nameless) | 0x2000 | 0x4c000 | 0x1e800 | 3103d85add6f89c6f49df447bf565edd | False | 0.9968701972336066 | data | 7.996321345870958 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      (nameless) | 0x4e000 | 0x2000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      (nameless) | 0x50000 | 0x2000 | 0x200 | 0f106722cda3deb30fbf0ad47016ebfe | False | 0.0546875 | data | 0.30531305731160896 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0x52000 | 0x2000 | 0x600 | cf9115e00a8fc3ab133ad07a95927209 | False | 0.435546875 | data | 4.2601645307149845 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      (nameless) | 0x54000 | 0x280000 | 0x2ba00 | 4b18a74359dee4931252b8a912245472 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      dhnhbfg | 0x2d4000 | 0xe6000 | 0xe4200 | 8aebb51761c4788a832a5ea0d1e1baac | False | 0.9962756849315069 | data | 7.978903931994907 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      RT_VERSION | 0x520a0 | 0x368 | data | | | 0.4231651376146789
                      RT_MANIFEST | 0x52408 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                      DLL | Import
                      kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
                      user32.dll | MessageBoxA
                      advapi32.dll | RegCloseKey
                      oleaut32.dll | SysFreeString
                      gdi32.dll | CreateFontA
                      shell32.dll | ShellExecuteA
                      version.dll | GetFileVersionInfoA
                      mscoree.dll | _CorExeMain
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Aug 19, 2024 18:48:58.919907093 CEST | 49699 | 443 | 192.168.2.7 | 188.114.96.3
                      Aug 19, 2024 18:48:58.919955969 CEST | 443 | 49699 | 188.114.96.3 | 192.168.2.7
                      Aug 19, 2024 18:48:58.920053959 CEST | 49699 | 443 | 192.168.2.7 | 188.114.96.3
                      Aug 19, 2024 18:48:58.931947947 CEST | 49699 | 443 | 192.168.2.7 | 188.114.96.3
                      Aug 19, 2024 18:48:58.931982040 CEST | 443 | 49699 | 188.114.96.3 | 192.168.2.7
                      Aug 19, 2024 18:48:59.421158075 CEST | 443 | 49699 | 188.114.96.3 | 192.168.2.7
                      Aug 19, 2024 18:48:59.421262980 CEST | 49699 | 443 | 192.168.2.7 | 188.114.96.3
                      Aug 19, 2024 18:49:14.477858067 CEST | 443 | 49699 | 188.114.96.3 | 192.168.2.7
                      Aug 19, 2024 18:49:14.477932930 CEST | 49699 | 443 | 192.168.2.7 | 188.114.96.3
                      Aug 19, 2024 18:49:22.809595108 CEST | 49699 | 443 | 192.168.2.7 | 188.114.96.3
                      Aug 19, 2024 18:49:22.809623957 CEST | 443 | 49699 | 188.114.96.3 | 192.168.2.7
                      Aug 19, 2024 18:49:22.938496113 CEST | 49722 | 443 | 192.168.2.7 | 188.114.96.3
                      Aug 19, 2024 18:49:22.938535929 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.7
                      Aug 19, 2024 18:49:22.938613892 CEST | 49722 | 443 | 192.168.2.7 | 188.114.96.3
                      Aug 19, 2024 18:49:22.939107895 CEST | 49722 | 443 | 192.168.2.7 | 188.114.96.3
                      Aug 19, 2024 18:49:22.939116955 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.7
                      Aug 19, 2024 18:49:23.451993942 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.7
                      Aug 19, 2024 18:49:23.452095032 CEST | 49722 | 443 | 192.168.2.7 | 188.114.96.3
                      Aug 19, 2024 18:49:23.564193964 CEST | 49722 | 443 | 192.168.2.7 | 188.114.96.3
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Aug 19, 2024 18:48:58.904263973 CEST | 49784 | 53 | 192.168.2.7 | 1.1.1.1
                      Aug 19, 2024 18:48:58.912347078 CEST | 53 | 49784 | 1.1.1.1 | 192.168.2.7
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Aug 19, 2024 18:48:58.904263973 CEST | 192.168.2.7 | 1.1.1.1 | 0xd26b | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Aug 19, 2024 18:48:58.912347078 CEST | 1.1.1.1 | 192.168.2.7 | 0xd26b | No error (0) | freegeoip.app | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                      Aug 19, 2024 18:48:58.912347078 CEST | 1.1.1.1 | 192.168.2.7 | 0xd26b | No error (0) | freegeoip.app | | 188.114.97.3 | A (IP address) | IN (0x0001) | false


                      Target ID:0
                      Start time:12:48:57
                      Start date:19/08/2024
                      Path:C:\Users\user\Desktop\Insidious_protected.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\Insidious_protected.exe"
                      Imagebase:0x3e0000
                      File size:1'241'088 bytes
                      MD5 hash:D9CCDE3B728FBA6D6E3F1B92C75A11A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Borland Delphi
                      Yara matches:
                      • Rule: JoeSecurity_RagsStealer, Description: Yara detected Rags Stealer, Source: 00000000.00000002.1465383484.0000000003615000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.1465383484.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_RagsStealer, Description: Yara detected Rags Stealer, Source: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_44CaliberStealer, Description: Yara detected 44Caliber Stealer, Source: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1465383484.0000000003676000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true

                      Target ID:4
                      Start time:12:48:58
                      Start date:19/08/2024
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1492
                      Imagebase:0x220000
                      File size:483'680 bytes
                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true


                        Execution Graph

                        Execution Coverage:10.2%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:27.3%
                        Total number of Nodes:11
                        Total number of Limit Nodes:1
                        execution_graph 23376 5a1598 23377 5a15a5 VirtualAlloc 23376->23377 23379 50e846 23380 50e8d1 23379->23380 23381 50e8de 23380->23381 23383 50fc8c 23380->23383 23384 50fc98 23383->23384 23385 50fcdd 23383->23385 23384->23385 23387 489634 23384->23387 23385->23381 23388 48963d 23387->23388 23389 489646 NtClose 23387->23389 23388->23385 23389->23385
                        Memory Dump Source
                        • Source File: 00000000.00000002.1462882603.0000000000595000.00000040.00000001.01000000.00000003.sdmp, Offset: 00434000, based on PE: true
                        • Associated: 00000000.00000002.1462882603.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1462882603.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1462882603.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3e0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 51fc6be66a5fee29d9eef0c64d01b5536a21df23181155b62d6b30acbc605ad6
                        • Instruction ID: 5cad4763eb6d765d39f06ea2002a25e1b4b84e00f704fc63296dc3665c19b63e
                        • Opcode Fuzzy Hash: 51fc6be66a5fee29d9eef0c64d01b5536a21df23181155b62d6b30acbc605ad6
                        • Instruction Fuzzy Hash: AD1247719583D15FEF22AF3894645EABFBAEF27B7070840DAC0805FF52D2206916C796

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 400 489634-48963b 401 48963d-489645 400->401 402 489646-48964d NtClose 400->402
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1462882603.0000000000434000.00000040.00000001.01000000.00000003.sdmp, Offset: 00434000, based on PE: true
                        • Associated: 00000000.00000002.1462882603.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1462882603.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1462882603.0000000000595000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3e0000_Insidious_protected.jbxd
                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        • Opcode ID: 0559e9e2985f7c4f9d5fada973dea9c1f4ae9340689b193e7619559d092c10b1
                        • Instruction ID: 21abc642fe3eb66e35d30c63fd5943547a1744a83b9a194f7cd89bbdbd623ceb
                        • Opcode Fuzzy Hash: 0559e9e2985f7c4f9d5fada973dea9c1f4ae9340689b193e7619559d092c10b1
                        • Instruction Fuzzy Hash: 85B09290C05B402EDF11A7E89D3CB6A2B8D6B90303F4804857000D21F0EA284948F3A4

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 439 33c69f0-33c69fe 440 33c6a05-33c6a1a 439->440 441 33c6a00-33c6a04 439->441 442 33c6a1c 440->442 443 33c6a21-33c6a71 440->443 441->440 442->443 447 33c6a7f-33c6a94 443->447 448 33c6a73-33c6a7d 443->448 456 33c6a97 call 33c70fc 447->456 457 33c6a97 call 33c6b18 447->457 458 33c6a97 call 33c6ef8 447->458 459 33c6a97 call 33c707b 447->459 460 33c6a97 call 33c70d5 447->460 461 33c6a97 call 33c70d7 447->461 462 33c6a97 call 33c6e93 447->462 463 33c6a97 call 33c6eed 447->463 464 33c6a97 call 33c70ee 447->464 465 33c6a97 call 33c6eef 447->465 466 33c6a97 call 33c6b09 447->466 467 33c6a97 call 33c6f09 447->467 468 33c6a97 call 33c70e0 447->468 451 33c6aec-33c6b02 448->451 449 33c6a9d-33c6ab2 469 33c6ab5 call 33c70fc 449->469 470 33c6ab5 call 33c6b18 449->470 471 33c6ab5 call 33c6ef8 449->471 472 33c6ab5 call 33c707b 449->472 473 33c6ab5 call 33c70d5 449->473 474 33c6ab5 call 33c70d7 449->474 475 33c6ab5 call 33c6e93 449->475 476 33c6ab5 call 33c6eed 449->476 477 33c6ab5 call 33c70ee 449->477 478 33c6ab5 call 33c6eef 449->478 479 33c6ab5 call 33c6b09 449->479 480 33c6ab5 call 33c6f09 449->480 481 33c6ab5 call 33c70e0 449->481 452 33c6abb-33c6ae1 482 33c6ae4 call 33c70fc 452->482 483 33c6ae4 call 33c70ee 452->483 484 33c6ae4 call 33c6b18 452->484 485 33c6ae4 call 33c6ef8 452->485 486 33c6ae4 call 33c6b09 452->486 487 33c6ae4 call 33c6f09 452->487 488 33c6ae4 call 33c70d5 452->488 489 33c6ae4 call 33c70d7 452->489 490 33c6ae4 call 33c70e0 452->490 491 33c6ae4 call 33c6e93 452->491 455 33c6aea-33c6aeb 455->451 456->449 457->449 458->449 459->449 460->449 461->449 462->449 463->449 464->449 465->449 466->449 467->449 468->449 469->452 470->452 471->452 472->452 473->452 474->452 475->452 476->452 477->452 478->452 479->452 480->452 481->452 482->455 483->455 484->455 485->455 486->455 487->455 488->455 489->455 490->455 491->455
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID: `S
                        • API String ID: 0-3154622632
                        • Opcode ID: 225325000099df2064cac345d58b682ea586bc44dd1f161ebd61bec45c027be3
                        • Instruction ID: 4b22a566bc2585850abffc058cddd6a8eec4d6ee5cbb60d4c5010eb66127bd12
                        • Opcode Fuzzy Hash: 225325000099df2064cac345d58b682ea586bc44dd1f161ebd61bec45c027be3
                        • Instruction Fuzzy Hash: 17319CB5D10244DFCB04CFA8D895AEEBBBAFB8A300F148158E901A7264CB356D09DB61

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 975 33cd8e0-33cd911 976 33cd918-33cd9db 975->976 977 33cd913 975->977 980 33cd9dd-33cd9de 976->980 981 33cd9e3-33cda4b 976->981 977->976 982 33cdd25-33cdd2c 980->982 987 33cdaf6-33cdaff 981->987 988 33cdb05-33cdb15 987->988 989 33cda50-33cda59 987->989 990 33cdce8-33cdcf4 988->990 991 33cda5b 989->991 992 33cda60-33cdac1 call 33c7250 989->992 993 33cdb1a-33cdb26 990->993 994 33cdcfa-33cdcfc 990->994 991->992 1006 33cdaf2-33cdaf3 992->1006 1007 33cdac3-33cdaf1 992->1007 995 33cdb2d-33cdbca call 33c040c call 33c041c 993->995 996 33cdb28 993->996 994->982 1012 33cdbcc 995->1012 1013 33cdbd2-33cdbd4 995->1013 996->995 1006->987 1007->1006 1015 33cdbce-33cdbd0 1012->1015 1016 33cdbd6 1012->1016 1017 33cdbdb-33cdbe2 1013->1017 1015->1013 1015->1016 1016->1017 1018 33cdbea-33cdc04 1017->1018 1019 33cdbe4-33cdbe5 1017->1019 1022 33cdc26-33cdc28 1018->1022 1023 33cdc06-33cdc24 1018->1023 1020 33cdce5 1019->1020 1020->990 1024 33cdc2b-33cdc36 1022->1024 1023->1024 1026 33cdc38-33cdc54 call 33c7280 1024->1026 1027 33cdc59-33cdc73 1024->1027 1026->1020 1031 33cdc75-33cdc8f 1027->1031 1032 33cdcb0 1027->1032 1031->1032 1037 33cdc91-33cdcae 1031->1037 1033 33cdcb7-33cdcc2 1032->1033 1035 33cdcde-33cdce4 1033->1035 1036 33cdcc4-33cdcdd call 33c7280 1033->1036 1035->1020 1036->1035 1037->1033
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1d4a944f90584950b48034944bf2041912c9da2ae49d3e91f994fa297b2c72b6
                        • Instruction ID: c17183a0f62b94eeb64d9a2639da4895ad34cad4a517d51a5b002f2c6506c64d
                        • Opcode Fuzzy Hash: 1d4a944f90584950b48034944bf2041912c9da2ae49d3e91f994fa297b2c72b6
                        • Instruction Fuzzy Hash: 21D1AD74E11268CFDB24DFA9C980B9DBBB2BF89301F2491A9D409AB355DB319D81CF50

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1041 33cf828-33cf850 1042 33cf857-33cf915 call 33c4d00 call 33c7de8 1041->1042 1043 33cf852 1041->1043 1049 33cf917-33cf91e 1042->1049 1050 33cf923 call 33cfe00 1042->1050 1043->1042 1051 33cfc41-33cfc4a 1049->1051 1052 33cf929-33cf949 1050->1052 1053 33cf94b-33cf952 1052->1053 1054 33cf957-33cf980 1052->1054 1053->1051 1056 33cf98e-33cfa7d 1054->1056 1057 33cf982-33cf989 1054->1057 1068 33cfc2a-33cfc3f 1056->1068 1069 33cfa83-33cfaa1 1056->1069 1057->1051 1068->1051 1072 33cfaaf-33cfabc 1069->1072 1073 33cfaa3-33cfaae 1069->1073 1074 33cfc13-33cfc1c 1072->1074 1073->1072 1076 33cfac1-33cfaca 1074->1076 1077 33cfc22-33cfc29 1074->1077 1078 33cfacc 1076->1078 1079 33cfad1-33cfb8d 1076->1079 1077->1068 1078->1079 1087 33cfc0f-33cfc10 1079->1087 1088 33cfb93-33cfc0e 1079->1088 1087->1074 1088->1087
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 962251d59080b181302e38674d20fd49848489c77a1cfbb2a61f07d051d1e758
                        • Instruction ID: c8d2c519d6c111b2e76e6adfcaa9461f9dd73883b33016e90eb44e73f13bf985
                        • Opcode Fuzzy Hash: 962251d59080b181302e38674d20fd49848489c77a1cfbb2a61f07d051d1e758
                        • Instruction Fuzzy Hash: 2DD19074E11218CFDB18DFA9D984B9DBBB2FF89301F2481AAD409A7354DB349A85CF50

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1096 33c4140-33c4178 1097 33c417f-33c41f2 1096->1097 1098 33c417a 1096->1098 1100 33c41f4 1097->1100 1101 33c4203-33c4212 1097->1101 1098->1097 1105 33c41fc-33c4202 1100->1105 1102 33c4593-33c459c 1101->1102 1103 33c4217-33c4220 1102->1103 1104 33c45a2-33c45a9 1102->1104 1106 33c4227-33c424d 1103->1106 1107 33c4222 1103->1107 1105->1101 1109 33c426f-33c4283 1106->1109 1110 33c424f-33c426d 1106->1110 1107->1106 1113 33c4286-33c429c 1109->1113 1110->1113 1115 33c458f-33c4590 1113->1115 1116 33c42a2-33c42bb 1113->1116 1115->1102 1118 33c4580-33c4589 1116->1118 1118->1115 1119 33c42c0-33c42c9 1118->1119 1120 33c42cb 1119->1120 1121 33c42d0-33c42e7 1119->1121 1120->1121 1149 33c42ea call 33c4620 1121->1149 1150 33c42ea call 33c4610 1121->1150 1122 33c42f0-33c4339 1151 33c433f call 33c4710 1122->1151 1152 33c433f call 33c4700 1122->1152 1126 33c4345-33c4368 1153 33c436e call 33c4acf 1126->1153 1154 33c436e call 33c4ae0 1126->1154 1128 33c4374-33c43c6 1157 33c43cc call 33c5138 1128->1157 1158 33c43cc call 33c5128 1128->1158 1132 33c43d2-33c4506 1155 33c450c call 33c5e28 1132->1155 1156 33c450c call 33c5e18 1132->1156 1144 33c4512-33c4539 1146 33c4545-33c457d 1144->1146 1146->1118 1149->1122 1150->1122 1151->1126 1152->1126 1153->1128 1154->1128 1155->1144 1156->1144 1157->1132 1158->1132
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4ce423caad8184b10c431c81175afb5430acb7811589da206c9747a3463a6b0e
                        • Instruction ID: c0dfba01f05634ebfafb0249d2aabb32ef1c83303cb11eeb44b1383234073df8
                        • Opcode Fuzzy Hash: 4ce423caad8184b10c431c81175afb5430acb7811589da206c9747a3463a6b0e
                        • Instruction Fuzzy Hash: 24E17FB4E01258CFDB64CFA9D994B9DBBB2BF88300F1081AAD419A7355DB345E85CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7604be1de1987555eedc5fbe5307602f8060bbc2c30f713a5ab1a60d576ece2b
                        • Instruction ID: 0e20b05281e41b454589a9f9875c2863b341ec20d61768f84f77812bd889632e
                        • Opcode Fuzzy Hash: 7604be1de1987555eedc5fbe5307602f8060bbc2c30f713a5ab1a60d576ece2b
                        • Instruction Fuzzy Hash: 45B183B4E112189FDB64DFA9D890B9EBBB2FF89300F1081AAD419A7354DB345E85CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a78e20bbca2f29c3aeb28a621d05cf3933f9eff4d243d5bbd4fc16e4ef19949f
                        • Instruction ID: e8ffc3f04a128e9f0c81d77af57c806d94484f3fd610438770c8eddf0fb3054a
                        • Opcode Fuzzy Hash: a78e20bbca2f29c3aeb28a621d05cf3933f9eff4d243d5bbd4fc16e4ef19949f
                        • Instruction Fuzzy Hash: 6BA1A174E10258CFDB14DFAAC980A9DFBF6BF89300F2491A9D409AB255DB349D86CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a98639358db785464ad91dc583e915881ba53536a7c8a0191e5f7cf633eda80b
                        • Instruction ID: 47ae120fb0719c598a39d531c812562b8cad78487a12b82c19d364f693ed9d66
                        • Opcode Fuzzy Hash: a98639358db785464ad91dc583e915881ba53536a7c8a0191e5f7cf633eda80b
                        • Instruction Fuzzy Hash: BF81A2B4E11218CFDB54DFA9D890A9DFBB2BF89300F1091AAD819AB354DB30AD45CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 215b64ecb7cde1617de1f616087b09befe2ac0c9d41e24621925aa63d3f57180
                        • Instruction ID: 9bbfd293fabd124d44ce2d0f24dc54d4c50b2f91e9f3295c5445c7e4321c5c6d
                        • Opcode Fuzzy Hash: 215b64ecb7cde1617de1f616087b09befe2ac0c9d41e24621925aa63d3f57180
                        • Instruction Fuzzy Hash: FB419974D00229CFCB68DF24C999BEDBBB5BB49305F1085EAD80AA3651DB749E81CF40
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 644fd1a379497c8a6196dc8d948a5f3a03146b23717a0e22feb4fb188d5520f6
                        • Instruction ID: b29786decdd667ba56d1b0ce3c2ce828d3bd95034c206e09ef4de5e0a9f746e3
                        • Opcode Fuzzy Hash: 644fd1a379497c8a6196dc8d948a5f3a03146b23717a0e22feb4fb188d5520f6
                        • Instruction Fuzzy Hash: 5E3192B5E006588BEB18DFABD95479DFBF3AF88304F14C06AC418AB255EB740946CF40
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 90f328efd891da7b62f72262f8e759ad7544e24f551895d9cb8c975978b7c5fd
                        • Instruction ID: f642231d4fbf67472efb355bb95980e9544b7583c868870b4a5295b2d56fa449
                        • Opcode Fuzzy Hash: 90f328efd891da7b62f72262f8e759ad7544e24f551895d9cb8c975978b7c5fd
                        • Instruction Fuzzy Hash: 8631CD74E11248DFCB54DFA8E49099DBBB6FF89300F60516AD815AB360DB35AC42CFA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1462882603.0000000000434000.00000040.00000001.01000000.00000003.sdmp, Offset: 00434000, based on PE: true
                        • Associated: 00000000.00000002.1462882603.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1462882603.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1462882603.0000000000595000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3e0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 79687caf601d83059aae41c96fe3ee84f00d1313c0cddcf756aeac92607cc307
                        • Instruction ID: f7b4a37e011780636f5d72dfffd1a5f8a8b78f0361e8be32aec5fdd3bff563a1
                        • Opcode Fuzzy Hash: 79687caf601d83059aae41c96fe3ee84f00d1313c0cddcf756aeac92607cc307
                        • Instruction Fuzzy Hash: 5101F7306043146FC725EA398C82A9BB7ECDB4D304F5405BAF50ED3272FA789E40C959

                        Control-flow Graph

                        APIs
                        • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 005A15C3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1462882603.0000000000595000.00000040.00000001.01000000.00000003.sdmp, Offset: 00434000, based on PE: true
                        • Associated: 00000000.00000002.1462882603.0000000000434000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1462882603.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1462882603.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3e0000_Insidious_protected.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 21d2f7007219879967a8339f9f0fe147fe641ad1f4a49b19da4310085980d9bc
                        • Instruction ID: 880f1512565eec692d51314651109408954b36bb98090de476a93b50680883b3
                        • Opcode Fuzzy Hash: 21d2f7007219879967a8339f9f0fe147fe641ad1f4a49b19da4310085980d9bc
                        • Instruction Fuzzy Hash: 2CE0ECB5B04108ABDB10DE4CD944B5E37DDBB9E310F108411F60AD7240D234EC109B69
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 05e95c2dee8527c77a8803499a69c5871c92b041e0908c6a9ef7931bbe98ab19
                        • Instruction ID: 4430cddd743f4f9107f61d5a7fa11994a8cd50a81693f01c49d2bed568094d22
                        • Opcode Fuzzy Hash: 05e95c2dee8527c77a8803499a69c5871c92b041e0908c6a9ef7931bbe98ab19
                        • Instruction Fuzzy Hash: 76B2C174E112698FDB64CF68C984BDDFBB5BB48300F1482A9D848AB355D731AE81CF90

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0b726b12ee32b78d3a5bbeef6773839fa3a24a6b85d66b24c941881bc29e5d1d
                        • Instruction ID: 274a99bd9366506793adc8ed8be61b8027cf7790c49b4af7b80276914b9c88cd
                        • Opcode Fuzzy Hash: 0b726b12ee32b78d3a5bbeef6773839fa3a24a6b85d66b24c941881bc29e5d1d
                        • Instruction Fuzzy Hash: C8F1F574E012188FDB14DFA9C981B9DFBB6BF88310F2481A9D459AB355CB31AD85CF50

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c137daa90b1b5792fbf0dd88697c7f70dab955b13c18dbbb2424d7ab0772216c
                        • Instruction ID: 4a71f6fbc63939677ac2bef478158d4f912f0908c22d7d4b83ff4dc2e997ccc3
                        • Opcode Fuzzy Hash: c137daa90b1b5792fbf0dd88697c7f70dab955b13c18dbbb2424d7ab0772216c
                        • Instruction Fuzzy Hash: CEE1C074E022298FDB64EF68D998B99BBB1FB48301F1095E9D408A7354DB34AE85CF44

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0c00b4efd3ad1890065912d28b4d7bf0820937aec8fda7855b820918791c30a1
                        • Instruction ID: 01575d877bd673d7b3ae2892c4600d3d82e749680e5606accf58ed75ca2d7ca6
                        • Opcode Fuzzy Hash: 0c00b4efd3ad1890065912d28b4d7bf0820937aec8fda7855b820918791c30a1
                        • Instruction Fuzzy Hash: 1FE1D174E022298FDB65EF28D998B9DBBB1FB48301F1085E9D408A7355DB34AE85CF44

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: adc68940a3f3580afd0ef07a1ccaad9fa841d316b76708143b12db3ba66392c1
                        • Instruction ID: 018cba6a6c852b59e5349639eeb7ced064b5c3bb8848e219736f2f068fe5fb0f
                        • Opcode Fuzzy Hash: adc68940a3f3580afd0ef07a1ccaad9fa841d316b76708143b12db3ba66392c1
                        • Instruction Fuzzy Hash: D5C1E274D11268CFDB28DFA9C994B9DBBB2BF89300F2480AAD409B7251DB355E85CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f2f345cee837e4e6b3c5a4f974661319493cdad00c87ba742af1b7ac37814d7b
                        • Instruction ID: 0f24c1c57bd606460b7098dedd2545623421820a56c48bd27ef6c2babb9302eb
                        • Opcode Fuzzy Hash: f2f345cee837e4e6b3c5a4f974661319493cdad00c87ba742af1b7ac37814d7b
                        • Instruction Fuzzy Hash: 41B1E274D142588FDB14CFA9C985BEDFBB2BF88300F28C169D448AB296DB349985CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7f27838181fcf11b22a75659e2ff383c5520b2b67490c1de0b8698014989a50c
                        • Instruction ID: 9b323cb1c54ca33029f0c75cca96098eb456cdf034564ea18a536715500c4fd0
                        • Opcode Fuzzy Hash: 7f27838181fcf11b22a75659e2ff383c5520b2b67490c1de0b8698014989a50c
                        • Instruction Fuzzy Hash: ADA19F74E04268CFDB14DFA9C984B9DBBB6BF89304F2180AAD409AB345DB349D85CF11
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6001f59a63902dc86f64da57259e80feef595d598cd756dc47c19b8f17fee01f
                        • Instruction ID: c821d59883929c7311aa86f9f6810fdd274adf2e5c730d0348b64fcb18331219
                        • Opcode Fuzzy Hash: 6001f59a63902dc86f64da57259e80feef595d598cd756dc47c19b8f17fee01f
                        • Instruction Fuzzy Hash: 7E81F074D11358DFCB14CFA5D984AADBBB2FF89301F20852AD409AB254EB71AE46CF40
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ccb69798ca8234f7969f1b44d5ce921c7c66a29d768c6703dc63c62c635300ce
                        • Instruction ID: b6b682d90f3d5f9a283c44173b4be87f2c73a91283a97800fae1fb5d15a72128
                        • Opcode Fuzzy Hash: ccb69798ca8234f7969f1b44d5ce921c7c66a29d768c6703dc63c62c635300ce
                        • Instruction Fuzzy Hash: 3E816E74D11218DFDB14DFA5D988A9CBBB2FF89305F20856AD409AB350DB319D86CF10
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 657de0dc1a5b42cb861999c2e915c03155746663e92af3ad8c5434963afcdc54
                        • Instruction ID: 01c25b4ebb649ba78289a11b509a9b73b2a1b98db18eb1987ac0ef10bd9570c8
                        • Opcode Fuzzy Hash: 657de0dc1a5b42cb861999c2e915c03155746663e92af3ad8c5434963afcdc54
                        • Instruction Fuzzy Hash: 1371F374E11248DFCB14DFA8D490A9DBBB6FF89300F649169D409AB365EB35AC42CF44
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dbc115680adce1537ad62e942fe9087b05681aaa5b0fe2934d5f2393e032fb7d
                        • Instruction ID: 54bfc9eee2a6dad041eaaa70e50022b94971abad8a233225ca5fcee10d745828
                        • Opcode Fuzzy Hash: dbc115680adce1537ad62e942fe9087b05681aaa5b0fe2934d5f2393e032fb7d
                        • Instruction Fuzzy Hash: 44710C74D003198FEB55DFA8E890A9DBBB2FF44301F108565D405AB358DB34AD4ADF92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7d3358b140dfcfcc789ccb08db5f3cf7f91777033cea8cd64cd211674365d3c8
                        • Instruction ID: 2881f4728fdf63841ee64e91cc18206d08a09a9d8b8d33209cdd2a76315f1a82
                        • Opcode Fuzzy Hash: 7d3358b140dfcfcc789ccb08db5f3cf7f91777033cea8cd64cd211674365d3c8
                        • Instruction Fuzzy Hash: 7F71CEB4D10218CFCB18CFA5D9986EDBBB2FF89301F20812AE815AB254DB756946CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: acd3abb6fb85792e9c9a7ab9157ebb49cb6de679ea4d17300de98614b58fb566
                        • Instruction ID: c5a1809c8e53a80200ad68faef8324df8f868bc21e90dc6c34fc2359b67fc420
                        • Opcode Fuzzy Hash: acd3abb6fb85792e9c9a7ab9157ebb49cb6de679ea4d17300de98614b58fb566
                        • Instruction Fuzzy Hash: A771FB74D00319CFEB55DFA8E890A9DBBB2FF48301F108564D405AB358DB74AD4ADB92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dec9421baa51f9f255990c06de078cc9e89e5183a48256cefb76402fc846a997
                        • Instruction ID: b9864a49ea738ff4b6a08a515c79a9e0ed78b6e3aa733e73d532266473574de8
                        • Opcode Fuzzy Hash: dec9421baa51f9f255990c06de078cc9e89e5183a48256cefb76402fc846a997
                        • Instruction Fuzzy Hash: AC71AC74D01218DFCB14CFA5D998ADCBBB2FF89301F20856AE819AB254DB31AD46CF10
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 295d8aa8f187e33d4726dced31d59f416b1f587a7122c01887ec5d26189a9db2
                        • Instruction ID: 756cc1e876c501e5e74dcfb9d5ef06e8200487fffe65627e02c16ab8411daede
                        • Opcode Fuzzy Hash: 295d8aa8f187e33d4726dced31d59f416b1f587a7122c01887ec5d26189a9db2
                        • Instruction Fuzzy Hash: 1961CE74D01218DFCB14DFA5D998ADDBBB6FF89311F20852AE409AB260DB359D86CF00
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 08113aef300c429e6ebcbbe3fd5d77fb77831d8a508e186703f35149e43e0e20
                        • Instruction ID: 9393961b80d5d6a77dac2fa74ec4fca1f60c45857d83e7621dcf24ba99b984da
                        • Opcode Fuzzy Hash: 08113aef300c429e6ebcbbe3fd5d77fb77831d8a508e186703f35149e43e0e20
                        • Instruction Fuzzy Hash: 8E51BC74E01248DFCB14DFA8D590A9DBBB2FF89310F649169D809AB364DB35AC82CF54
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 36bb73940bee634fae2d1eeb84c121fdb747eb591e9f137d8bce0df1b78d9cb8
                        • Instruction ID: 5485c0455d1aa0d125999b97f29837026488e9ad3ac3d92a53ba9eb19221d198
                        • Opcode Fuzzy Hash: 36bb73940bee634fae2d1eeb84c121fdb747eb591e9f137d8bce0df1b78d9cb8
                        • Instruction Fuzzy Hash: 8351AB74E11218CFDB14DFA9D988ADCBBB6FF89301F20852AD405BB254DB31AD46CB50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a2361973718ff3e218659a57ecf4b9d6f2412068d875773b391933afe24cbd40
                        • Instruction ID: eec603a7efb4fb2d967a59eecc682f39245a5013f9ef5a188488670eff947f67
                        • Opcode Fuzzy Hash: a2361973718ff3e218659a57ecf4b9d6f2412068d875773b391933afe24cbd40
                        • Instruction Fuzzy Hash: 7351DB74D00218CFDB24DFA9D850BAEBBB2BF89300F5085A9D419AB255DF30AD45CF51
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7df0075f48f60fd5d52853f20a8b9630c95f42f3a9bd1af629930440672d8be8
                        • Instruction ID: 6d20f3111ae218272264885e593109a10ec45aeef4d8b4976b22731f1e8d1b65
                        • Opcode Fuzzy Hash: 7df0075f48f60fd5d52853f20a8b9630c95f42f3a9bd1af629930440672d8be8
                        • Instruction Fuzzy Hash: 2F51AC74D11218CFDB14CFA5D988ADDBBF6FF89301F24812AE806AB250DB35AD46CB50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 18c5064dbb07d8e0ebfd8abc0303b0913024fe6eb85789cac21c0d88c73da33b
                        • Instruction ID: d50e9ffa1a9586d4bb361379b302ede07b709c746019d9ede05a2682ed33b01f
                        • Opcode Fuzzy Hash: 18c5064dbb07d8e0ebfd8abc0303b0913024fe6eb85789cac21c0d88c73da33b
                        • Instruction Fuzzy Hash: 8141C0B0E112588FDB14CFA9D8906DDFBF6BF88300F14916AD815AB294DB346D46CF54
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ae48d965b24245f5912a06fefc14f5b680241e3455b3d0139b6d9caae09b8365
                        • Instruction ID: 1478bcf56c91387551316133fe4b36a923dad9761e09ee632e10330d6bdb6c6a
                        • Opcode Fuzzy Hash: ae48d965b24245f5912a06fefc14f5b680241e3455b3d0139b6d9caae09b8365
                        • Instruction Fuzzy Hash: 5E41F2B1D00218DFEB28CFAAD99479DBBB2EF88304F2481AAD418A7351DB355985CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d95892b2534c08530ba6159d8fff40b1979f2689433d47b9318ed391604ab445
                        • Instruction ID: 687e1fc8aebf39c8ceeb35984cbf40ef15549d0a215d619007909f4249904956
                        • Opcode Fuzzy Hash: d95892b2534c08530ba6159d8fff40b1979f2689433d47b9318ed391604ab445
                        • Instruction Fuzzy Hash: 5431E275D11218DFCB08DFAAD894AEDFBB6BF88310F44812AE415B3250DB355945CFA4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 344893f98d4c4d02a32f2175831f4721ecdffed6bf60805adac144cfd5a4e63a
                        • Instruction ID: 6582a4bc20bb0cb18f1a0fad1a9194ff20717a4f94092c2973a4959a622425f3
                        • Opcode Fuzzy Hash: 344893f98d4c4d02a32f2175831f4721ecdffed6bf60805adac144cfd5a4e63a
                        • Instruction Fuzzy Hash: B931E275D11218DFCB08DFAAE8846EEBBF6BF88310F04802AE415B7250DB345A45CF60
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 98ce6c9f9c99f2293eaeb894268201d642c41092d31d2f2fa609057be0001ff9
                        • Instruction ID: b1a6ec92651c8081630cfb87f0d68903eb0a15c0dc708d11c24edd0c66bfbeb1
                        • Opcode Fuzzy Hash: 98ce6c9f9c99f2293eaeb894268201d642c41092d31d2f2fa609057be0001ff9
                        • Instruction Fuzzy Hash: 94310274D11288DFDB18DFA9C994AEDBBB6BF89300F24902AE809BB354DB345945CF44
                        Memory Dump Source
                        • Source File: 00000000.00000002.1467957762.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5a90000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3203962e7194e740d018bb22cd92278c3341321662cab2cbc3e40b8384989258
                        • Instruction ID: b19497d45e09341b804d93273f16ce4137b13afa835847b20dd50089b782941d
                        • Opcode Fuzzy Hash: 3203962e7194e740d018bb22cd92278c3341321662cab2cbc3e40b8384989258
                        • Instruction Fuzzy Hash: BF312874D082599FCF05CFA9E894BAEBFF1BF49300F1480AAD451A7291DB345945CF61
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0e34eb422177a563081189cc969a3980b859d6c37741b7e02de5d23cde7f8f40
                        • Instruction ID: e3b6303d221e435de928dc2c05cd1a559e0da7bb943e18cfb527ab6595c22389
                        • Opcode Fuzzy Hash: 0e34eb422177a563081189cc969a3980b859d6c37741b7e02de5d23cde7f8f40
                        • Instruction Fuzzy Hash: A131C2B4E012189FCB04CFA8D884ADDBBB6BF88300F10816AE515BB360DB349941CFA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e97debe000f4fe29cb0f4b54b86d8b74bcfc14e9e5cf1a4a90806e5c36b8edd5
                        • Instruction ID: 803cdfc173e2e8bbe76f6d3d7a70bf58048fa1e7772504148c6adef285ac32d5
                        • Opcode Fuzzy Hash: e97debe000f4fe29cb0f4b54b86d8b74bcfc14e9e5cf1a4a90806e5c36b8edd5
                        • Instruction Fuzzy Hash: A831F5B4E142499FDB04CFAAD8846EEFBB6BF88300F14D569D414B7265DB345A41CF90
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7d29d50c2028618013c80b4a9858d57f0373de7da9f4ac44f85eb6a46e37e067
                        • Instruction ID: 78bdcde2a21eed4c6eec2a64b5627859c868bd8e24a100c3da2936dbe07ca6df
                        • Opcode Fuzzy Hash: 7d29d50c2028618013c80b4a9858d57f0373de7da9f4ac44f85eb6a46e37e067
                        • Instruction Fuzzy Hash: F931EE74E11248DFCB14DFA8D89099DBBB6FF89300F60516AD815AB360EB35AC52CF90
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2e2b7c27bfd1955926bd1c96db6013e50ce98deb8edada46b69e7e10499cf411
                        • Instruction ID: 67707d3a124ace2265ac096bc7713dfcbc5f9ad2a02bf6e3453bf47ee9fb7f46
                        • Opcode Fuzzy Hash: 2e2b7c27bfd1955926bd1c96db6013e50ce98deb8edada46b69e7e10499cf411
                        • Instruction Fuzzy Hash: 3431D174E11208DFCB14DBA8D490ADDBBB6FB89300F50522AC815AB350EB35AD42CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b6b51c2f7030b1dda4f2006da1033ac903e674d1dd60afb9e820baad6aae6ac3
                        • Instruction ID: 4b6e8c8e3c68943b73196f001319877444ea52d3fd43767b5ab8f36eafb06372
                        • Opcode Fuzzy Hash: b6b51c2f7030b1dda4f2006da1033ac903e674d1dd60afb9e820baad6aae6ac3
                        • Instruction Fuzzy Hash: B831FF75E11248DFCB54DBA8D490AADBBB6FF89300F60512AC805AB320DB30AC42CF90
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0b819ed44d3738697ff8b4f7f3a1d0bf614354e90408f7321bfa41fc3651e7ef
                        • Instruction ID: 79b15dbfb5f431b67b62ebc2c00f99429185fa0ecf56803295496e8b911a0759
                        • Opcode Fuzzy Hash: 0b819ed44d3738697ff8b4f7f3a1d0bf614354e90408f7321bfa41fc3651e7ef
                        • Instruction Fuzzy Hash: 53212731800229DFEB14CF60DC49BDDBBB6BF45300F018599E509AB261CB716E89DF91
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 769618bce5006b8d9ed5635fddd42435b89f1ecae501a1b17208845188136c5b
                        • Instruction ID: 3cdf20d015cd152f7cca33bae92c60d90cf989fa0cb942ab7014e227bedc62ff
                        • Opcode Fuzzy Hash: 769618bce5006b8d9ed5635fddd42435b89f1ecae501a1b17208845188136c5b
                        • Instruction Fuzzy Hash: CD31B2B1D002188BEB14CFAAC9843DDFBF6BF88314F14C06AD458A7294DB75498ACF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0c4b10bb2a413b19a806c717c3d0000df06cfaa2fbcd323e36f365e7db9eb538
                        • Instruction ID: e37712d9995283dfb6755e0aefd7efdf21211205f41bc14d9970e3e88a32ab4c
                        • Opcode Fuzzy Hash: 0c4b10bb2a413b19a806c717c3d0000df06cfaa2fbcd323e36f365e7db9eb538
                        • Instruction Fuzzy Hash: 2B31AE74E11218DFCB54DFA8D490A9DBBB6FF89300F50526AD815AB350DB35AC42CB50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 98840a2da7e83617c2d9707c0e35e0e8ce168bdac99960d4fd7cbe91bc043505
                        • Instruction ID: dbb1bbdac3a525b1a742bb7150b394af701b8d3dedbf9382b9d874910bde2a85
                        • Opcode Fuzzy Hash: 98840a2da7e83617c2d9707c0e35e0e8ce168bdac99960d4fd7cbe91bc043505
                        • Instruction Fuzzy Hash: D831AC75E11258DFCB54DFA8D4909ADBBB6FF89300F60526AC815AB360DB35AC42CF90
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e26d54c767efced5d73f3699b90f67d86383d4eb57b4d0d6f5dff2dd9f773cee
                        • Instruction ID: 099590fec8aba9584564b3c8225a2de07993a15cf274ab4232fb86b7c1a05760
                        • Opcode Fuzzy Hash: e26d54c767efced5d73f3699b90f67d86383d4eb57b4d0d6f5dff2dd9f773cee
                        • Instruction Fuzzy Hash: 9721C471E016588BDB18CFAAC8806DDFBF6BF89300F14856AC814BB654EB349946CF54
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: de27efef137d3b13c6532e3e17bbade0169f9506aa259e4fd2f9bb449df9534b
                        • Instruction ID: e0bda16bcb572cf8f73fb0b3a653cbf8ad8d2cf4430257863c1a98430b99747c
                        • Opcode Fuzzy Hash: de27efef137d3b13c6532e3e17bbade0169f9506aa259e4fd2f9bb449df9534b
                        • Instruction Fuzzy Hash: 6221D2B1E10608DBDB04CFAAD8846EDFBF6BB89310F18D12AE814B7214DB349946CF54
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9c7424747d3dd6543e0abbb1bd0f81fe4b34ee4dd0475de6ce7691b91622ca79
                        • Instruction ID: e14fb5e121ae9d1c538465d2629d48de7557082238fdf7b7c3f4da06cb6b223e
                        • Opcode Fuzzy Hash: 9c7424747d3dd6543e0abbb1bd0f81fe4b34ee4dd0475de6ce7691b91622ca79
                        • Instruction Fuzzy Hash: 39319CB5E11208DFCB04CFA9E584AEDFBF6BB89300F249129E815A3214DB34A942CF54
                        Memory Dump Source
                        • Source File: 00000000.00000002.1467957762.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5a90000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 45c1f6e5815b7fa653f5d9d73162c6f410b9b0993ef106ec41865f037cb1e060
                        • Instruction ID: 09a61c7b8576ea2478504458235e81bb6d85ccfa664e2acee0884fadc075e759
                        • Opcode Fuzzy Hash: 45c1f6e5815b7fa653f5d9d73162c6f410b9b0993ef106ec41865f037cb1e060
                        • Instruction Fuzzy Hash: A7318F74D042199FCF48CFA9E894AEEBBF5BF48300F20916AD415B7250EB759A51CFA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ef3984e944d81cea3025d416ebbb96149402818ab3c2d72eedd64bf7473f77a8
                        • Instruction ID: 5f381677db9efb72de47af60afa1612570bc8e7df6a5b6116542b3cb6891c839
                        • Opcode Fuzzy Hash: ef3984e944d81cea3025d416ebbb96149402818ab3c2d72eedd64bf7473f77a8
                        • Instruction Fuzzy Hash: EC21E930D10249DFCF04DFB5E8599AFBB72EB8B312B159029E426A72A0CF341D45DB19
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c6a311d2e73949163c18fd6cbc49fa5959cc489dda900fb338ee42e3e7229234
                        • Instruction ID: 25a7db93821941027bad93002bd02ad6014c31e87ae69e368ba08a3ad318d6cc
                        • Opcode Fuzzy Hash: c6a311d2e73949163c18fd6cbc49fa5959cc489dda900fb338ee42e3e7229234
                        • Instruction Fuzzy Hash: 63212274E00208DFCB04DBA9C094AAEBBB6FB48301F1480A9D404A7394DB359D44CFA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0960943f6ff6d842df279d00004f15ce246aa316f0ea7cb291bde0832136a9c8
                        • Instruction ID: 9c65f0fad89ba2176e4775b9d73a7f54e9cd35d510903b3e78350de520a1751e
                        • Opcode Fuzzy Hash: 0960943f6ff6d842df279d00004f15ce246aa316f0ea7cb291bde0832136a9c8
                        • Instruction Fuzzy Hash: 5021E230C10319EFCF05DFA0D859ADDBBB5BF45305F108929E406BB290DB706A09CB80
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 872ad1c32a0a7e3f60f6596bba9866d8e20fb63170d3ec640cc404064172b43d
                        • Instruction ID: 8dfc57c950b7dd054f094a9091b8f127894db79acc3270d5621f116250ef46b5
                        • Opcode Fuzzy Hash: 872ad1c32a0a7e3f60f6596bba9866d8e20fb63170d3ec640cc404064172b43d
                        • Instruction Fuzzy Hash: 7311A970815398DFEB24CB20CC597AABBB6BB46300F14099DD006B7291CB307E49CB94
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7b05831d39f7914542c34d4101bb80709ce2fe376047242597685cbad76ceffd
                        • Instruction ID: 08449759d5a670379eaf72d33bef53048488bab360e9c590b8df6543edb311af
                        • Opcode Fuzzy Hash: 7b05831d39f7914542c34d4101bb80709ce2fe376047242597685cbad76ceffd
                        • Instruction Fuzzy Hash: 5B21E4B5E002589FDF18DFA6D8547DDFBB6AF88310F04802AD455BB294DB74594ACF40
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 687692d4058edebefcee3830af68ec75c864db4c640fc9cbe948fd15d42265c8
                        • Instruction ID: 17ba83b729fb3ea29d5e95b440a34988e0cee658a6f8427c5eeae1abf6952fef
                        • Opcode Fuzzy Hash: 687692d4058edebefcee3830af68ec75c864db4c640fc9cbe948fd15d42265c8
                        • Instruction Fuzzy Hash: 3C21E471D102989BEB18DFAAD9547DDFBB2AF88300F14C02AD415AB294EB745A4ACF40
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a674d73a0d8e56d8713f74c41402e7418b530c4c7bab1711d5698e885fe4eb23
                        • Instruction ID: c0e44b50d0a696005c37cff21f57c55f404fb6f1f81e2212bb439edf69f90e1c
                        • Opcode Fuzzy Hash: a674d73a0d8e56d8713f74c41402e7418b530c4c7bab1711d5698e885fe4eb23
                        • Instruction Fuzzy Hash: 9521C2B5D00258DFEB18CFEAD9543DDBBF6AF88300F14852AD415AB254DB741A46CF40
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 762f393b9eb11d234b5eebc0ffe713f40240176b54500248b893fc688ef2043c
                        • Instruction ID: 3b6ff5b93a3ab9c45f5855c9eb8983d0e12663e85bbf71e5171ccb73727c3f16
                        • Opcode Fuzzy Hash: 762f393b9eb11d234b5eebc0ffe713f40240176b54500248b893fc688ef2043c
                        • Instruction Fuzzy Hash: 8F212475E00258CFDF14CFAAD9486DDBBF2BF88300F14842AD405AB244EB74594ACF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5003cace5b19d9218eafdf7d409013339fedb9e8b93615e5cdf8b73a7797c51d
                        • Instruction ID: ec97e0ac17404f35dd72a323c4cde1cffa9529a81af312762911bce53afb57f6
                        • Opcode Fuzzy Hash: 5003cace5b19d9218eafdf7d409013339fedb9e8b93615e5cdf8b73a7797c51d
                        • Instruction Fuzzy Hash: 3921E275D102589BEF18CFAAD8886DDBBB6BF89300F14812AD405A7350DB746906CB40
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 589a877eb57d285dc3197f5722df2e081868b9b97c25e9e2558cb5a291bee05f
                        • Instruction ID: 95549cb54237d8bf3040368cb31b6155494e8ea838ec07ff7cc402acdc7ff466
                        • Opcode Fuzzy Hash: 589a877eb57d285dc3197f5722df2e081868b9b97c25e9e2558cb5a291bee05f
                        • Instruction Fuzzy Hash: 02211475E10258DBDF28DFAAD994ACDFBB6BF89300F14812AD414B7394DB745906CB40
                        Memory Dump Source
                        • Source File: 00000000.00000002.1462882603.0000000000434000.00000040.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                        • Associated: 00000000.00000002.1462798046.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1462818217.00000000003E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1462882603.0000000000575000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1462882603.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1462882603.0000000000595000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1462882603.00000000006B4000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_3e0000_Insidious_protected.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: db1a22d76bad84f61a9b78af36d4e67b7ded4919fc7c77f772345a05b2fc2bd8
                        • Instruction ID: 25fae9c8e89a04dfb870b78e6bc8a02137f343f215d01148426c4737d55a7cbb
                        • Opcode Fuzzy Hash: db1a22d76bad84f61a9b78af36d4e67b7ded4919fc7c77f772345a05b2fc2bd8
                        • Instruction Fuzzy Hash: 62117C707042448BD319DF6DE888B2677E7FB9A304F544266D5088B365CFB86C45EB49
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a09b82b65cf574247976b7a292c8ee74ac0f134d9d3e136606b28b57aa0a4c92
                        • Instruction ID: 967f84d6ad2a75e03369cc8bb00025ae49209dc27e1c69c6d97af4a398e28e2b
                        • Opcode Fuzzy Hash: a09b82b65cf574247976b7a292c8ee74ac0f134d9d3e136606b28b57aa0a4c92
                        • Instruction Fuzzy Hash: B6210079E002688BDF18DFEAD9847DDBBB2BF89301F14802AC405BB294DB74194ACB51
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4b9157ad3913fbb388d1020f81202650abeef5e5965f26299470d894c808607a
                        • Instruction ID: e66aa6d139cba9ced68942e98ed7c9f20ece01a1db02882c9de6db84f6cfc643
                        • Opcode Fuzzy Hash: 4b9157ad3913fbb388d1020f81202650abeef5e5965f26299470d894c808607a
                        • Instruction Fuzzy Hash: 0121ACB4D0420CDFCB14DFA9D998AADBBB5BF48315F20902AE82AA7654DB345842CF04
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 77d7486a57a31e5bed44a617f74413ec1a4834bef2fff22bc9ba0f4240feb293
                        • Instruction ID: 27b871796c69ba6eaef76275d2cf905fc0522979ad4129633b0410cd3d9dcb01
                        • Opcode Fuzzy Hash: 77d7486a57a31e5bed44a617f74413ec1a4834bef2fff22bc9ba0f4240feb293
                        • Instruction Fuzzy Hash: 25014C74E101449FCB04DFA8D884AECBBB1BB8D200F14442AD405F7361DB309D46CB26
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 03909a7aefdb08b359ff4801f71c361582876d9a4f9ff427042294ddeffb10d4
                        • Instruction ID: dfe21b73baade8bdee7b21ffea16073a316a08ad9212f2e0135cdeb8fe67d9ff
                        • Opcode Fuzzy Hash: 03909a7aefdb08b359ff4801f71c361582876d9a4f9ff427042294ddeffb10d4
                        • Instruction Fuzzy Hash: 5601C874C14269CFCB24DF20C9997ADBBB9BB09305F14959AD40EB3241CB744D84CF40
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8e2b7712c128f7278af6546aba788dcb3608e1536763f63f769130a00b6a411e
                        • Instruction ID: e5881dea7c54c4acbc86581e251208c1b342bbe03944cf020134ff9892d5fa02
                        • Opcode Fuzzy Hash: 8e2b7712c128f7278af6546aba788dcb3608e1536763f63f769130a00b6a411e
                        • Instruction Fuzzy Hash: 82017C30840305DFDB01DF64E880B8A7BF9FB48304F009696D8018B355EB34AE1ADB82
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 236eaff8483ff4f12186bec3496839d9f7dfdfa40e6efbf80285f03c7bea6fec
                        • Instruction ID: fa636ec1d0b8f175221964c1333ad7d434f7e4ece77e83bfc908cf5138f4188e
                        • Opcode Fuzzy Hash: 236eaff8483ff4f12186bec3496839d9f7dfdfa40e6efbf80285f03c7bea6fec
                        • Instruction Fuzzy Hash: C40116B0D01248AFCB50DFA8D5A8A9DBFF1AB0A300F1489A9D409E7251DA349E06CF41
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1814b28a3c88f480b5d1fddaba0ef8d219d02b84995a353f903f4b8328c8f931
                        • Instruction ID: d7dec3dadd3e34885ed0d9e4e8be04fe6bab38103ce2eb97ef646e32b3547b36
                        • Opcode Fuzzy Hash: 1814b28a3c88f480b5d1fddaba0ef8d219d02b84995a353f903f4b8328c8f931
                        • Instruction Fuzzy Hash: BE018130940309DFDB00DF68E844B4A7BBDFB48304F109656D8019B354EB74BE1ADB81
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e298f0f268227b9d5163ab5de84927c6e8da3c1cb7b0465a13d773a84bb59846
                        • Instruction ID: 32e4b371ebd4258c25c600e8baada630e7729e00d0da2d371321049431050ab7
                        • Opcode Fuzzy Hash: e298f0f268227b9d5163ab5de84927c6e8da3c1cb7b0465a13d773a84bb59846
                        • Instruction Fuzzy Hash: 46F017B0E41208EFCB40DFA8E5A8A5EBBF5FB49300F1089A8D419A7350DB349E06CF51
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d46a50c3e2d6e9bddf3c34ae422fe713b37c43fdb9b8e8eea02892f6aae5d539
                        • Instruction ID: 7069885b695144299eaed28a57ce5a1025feca3453783ccaaeb89d855aa43f75
                        • Opcode Fuzzy Hash: d46a50c3e2d6e9bddf3c34ae422fe713b37c43fdb9b8e8eea02892f6aae5d539
                        • Instruction Fuzzy Hash: D6F09274D1424DCFDB28DFA1D599BADBBB4BB08305F20402EE826B7655CB780841CF15
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a9cfa04da0436905ab2a54cf2a80cd8f384ff4c542234298661ca68a4daefa5a
                        • Instruction ID: 5cced28c87aec7626c92d690922c55417a834608f961b7c084bf4a2281e98175
                        • Opcode Fuzzy Hash: a9cfa04da0436905ab2a54cf2a80cd8f384ff4c542234298661ca68a4daefa5a
                        • Instruction Fuzzy Hash: 34F01CB4D20154AFCB41DF78D8E569DBFB5EB05201F2045B9D405D7281DB318E4ADB41
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 819639b79abde940bc69d73cf8dc5f67681c7e06a723419abd04f92f8148c28c
                        • Instruction ID: 53c5db01ae08bbf9aa1961ab7eda2ccc5f5bf626d88d8ccb53b976d5df5c3bbf
                        • Opcode Fuzzy Hash: 819639b79abde940bc69d73cf8dc5f67681c7e06a723419abd04f92f8148c28c
                        • Instruction Fuzzy Hash: 1EE09A70826280DFCB109B60A0BE7AE7F28EB07322F411C99E00986081CB618492CB80
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c331f6a48cfa779fa0526b934a0822aa306e4d53e89a06b9bf02ac44b9e4e521
                        • Instruction ID: d2b5633acc703a7ba25c9f5459f9d0cfa0890cb470824d04bb17436c34fdf327
                        • Opcode Fuzzy Hash: c331f6a48cfa779fa0526b934a0822aa306e4d53e89a06b9bf02ac44b9e4e521
                        • Instruction Fuzzy Hash: 26E0DFB1835381AFCB028B74A4AEA7FBF78EB0B307F006C45E00992040DF210441DB12
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 179f15ade153dc498de1029cb1714859f324b5e87b91ff401e68991c1d9b865e
                        • Instruction ID: e8f093523509117207233a91c9e0bc2fe03292860c68b11fbe85b29133ca09c8
                        • Opcode Fuzzy Hash: 179f15ade153dc498de1029cb1714859f324b5e87b91ff401e68991c1d9b865e
                        • Instruction Fuzzy Hash: 15E0927285A3D09FD313CB78A83A7A5BF789B03205F0881DADC85D3152D6264916E711
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 082123acb549b4ab5213f9aa8fe335d5105bad461ab2ac06a3e0b59466f4fcba
                        • Instruction ID: db44ba19e64b46f1cbc3ad43c4bc77f3e5a120e56ea7a2805ea97a54a0f836a6
                        • Opcode Fuzzy Hash: 082123acb549b4ab5213f9aa8fe335d5105bad461ab2ac06a3e0b59466f4fcba
                        • Instruction Fuzzy Hash: 57E0DFB1C34246AFCB108F34A0AD6BDBF69EB0B313F005D85E04981180DF214446CB01
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e17e60ef7ae30c35ef405a88af84a07783618a82653314eea4d920c40df6f0a0
                        • Instruction ID: f4894538ecbc4da87f7e5d2c236f59e896ee42a7ef15c4243cbaa4832abe4c0c
                        • Opcode Fuzzy Hash: e17e60ef7ae30c35ef405a88af84a07783618a82653314eea4d920c40df6f0a0
                        • Instruction Fuzzy Hash: E4E0ED70C5436DCFDB24DF20D8997AEFBB5BB05305F005499C40A67541CBB88984CF41
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 909e87e3b16b891b6344db72a87e5a7dbd32057662d241dcdc781e2095ed998a
                        • Instruction ID: 5f0c1b874c4781256352234a41c5a8d13a61218e16ddaeea59f1dcbcabfc4ce4
                        • Opcode Fuzzy Hash: 909e87e3b16b891b6344db72a87e5a7dbd32057662d241dcdc781e2095ed998a
                        • Instruction Fuzzy Hash: 4BE0C97085524DCFDB24DFA0D6997BDBB74AB05315F24641DD402B6544CB780948CF55
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a0fb4a35d899fa0ccc554ea3e6e3e7b17e38c7167858869793a7338383a4e0d2
                        • Instruction ID: 2cd26c0644304e903eb6f276fb61ec131195c544d8b11ba1309d40433ea9a36f
                        • Opcode Fuzzy Hash: a0fb4a35d899fa0ccc554ea3e6e3e7b17e38c7167858869793a7338383a4e0d2
                        • Instruction Fuzzy Hash: 5BE06D70C1424DCFDB24DF90DA997BDBBB0AB01305F105419D422B6550CB740841CF15
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 912f1c1b11d0de0576399ddc56b51a42ef906dbc8eb8612e786a61f0d91d84c1
                        • Instruction ID: 664f4e50c67c68e85bfdcac77718df2f945807ddb580031e7da51b34e9301ba3
                        • Opcode Fuzzy Hash: 912f1c1b11d0de0576399ddc56b51a42ef906dbc8eb8612e786a61f0d91d84c1
                        • Instruction Fuzzy Hash: 0DE06DB0D51248EFDF11EB74D5956ACBB79EB52304F500AA9C405D7190DB32AE06DB02
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6b9c604c782320b20300fe8939bc91fabce4603290ae8e007ab1fc84ffac963c
                        • Instruction ID: 1d23dccb73a9d31a32f4ba515af5f8fb77e8d65516709fdfd53fc0b61f91f961
                        • Opcode Fuzzy Hash: 6b9c604c782320b20300fe8939bc91fabce4603290ae8e007ab1fc84ffac963c
                        • Instruction Fuzzy Hash: 06E0C270C6825ACFDB34DF61CAAA7AEBB74BB45305F08949AC106B6250CB784D84CF55
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f52c5a401647d3c63930e6370bab030d2d4c581bdfdba9854f1a6b1c8380c939
                        • Instruction ID: bda6e46491a699327af684cb10be0924392c99daa86a7879314857dd45270ac5
                        • Opcode Fuzzy Hash: f52c5a401647d3c63930e6370bab030d2d4c581bdfdba9854f1a6b1c8380c939
                        • Instruction Fuzzy Hash: D4E04F70D20208EFCB40DFA8E995A5DBFF9FB45301F5081A8D808A7350DB309E55DB92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 41a3aaab8a801d90ea2bdf3a4fbfa6cce03093b2a4937e332772669de6a3aa0d
                        • Instruction ID: 3c5b5eac63d43326dc4b35a5d0a24754d3a7255e121c8f8e8f19b44b5fb3d82c
                        • Opcode Fuzzy Hash: 41a3aaab8a801d90ea2bdf3a4fbfa6cce03093b2a4937e332772669de6a3aa0d
                        • Instruction Fuzzy Hash: 5FD01770864306EBCB00AB64E45DA6ABBA8EB0B313F00AD94B40D96600DF314855DB54
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e47b06e575d09e748b5d07b6c09fb268646a75d849cf19195ada02d7548c13b3
                        • Instruction ID: 143bff43b86ef16808350be05595272ddc9e2c9f994dc54ba41c69ecbe0b73f7
                        • Opcode Fuzzy Hash: e47b06e575d09e748b5d07b6c09fb268646a75d849cf19195ada02d7548c13b3
                        • Instruction Fuzzy Hash: 56D01730860205EFCB00AF64B46D66BBB7CFB0B323F802C58E419961418F728862DB84
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ebb405b319c4c61ca777d40fb14fca6f7addbc9292197e2f92ae2eee05e050e2
                        • Instruction ID: 9398724d46eaf9458e7b45a800894cd2ef9fcf2be4225887878e0a58a4ec60c3
                        • Opcode Fuzzy Hash: ebb405b319c4c61ca777d40fb14fca6f7addbc9292197e2f92ae2eee05e050e2
                        • Instruction Fuzzy Hash: EFE04F70D41208EFDF04EBB4D50565DB7B9EB45704F5049A8940597250DF71AE05DB41
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 986f96866afc804f53c4ac2d48f5c456654d0a631c9fc76dcf8e75424bcb3e23
                        • Instruction ID: bb99a01a2e093042c4773d7ac9cf2cd08805b39b98874e8c6a7dd2be41b5e061
                        • Opcode Fuzzy Hash: 986f96866afc804f53c4ac2d48f5c456654d0a631c9fc76dcf8e75424bcb3e23
                        • Instruction Fuzzy Hash: C6D0177043030AABCA00EBA4A45E62BBF79EB0B30BF00AD44B519921009F314850EB54
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5d5d8fb429eb8d4fb5ea34c2c37e2f8ea04d0c66d172e52fb973322b378ef3c8
                        • Instruction ID: 2229e0ea2068813bf900b201d54c1e0d09cc687329d5553f66b75424a1b8ba13
                        • Opcode Fuzzy Hash: 5d5d8fb429eb8d4fb5ea34c2c37e2f8ea04d0c66d172e52fb973322b378ef3c8
                        • Instruction Fuzzy Hash: 85D02B70C44290EFC711D67458563BCBB3CD703306F18099DC844D6182D622C853C791
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 54e1c0bfac502c3f3540e1ca361581bb34827a8512945ba319e0b50b32a5253f
                        • Instruction ID: 22574fc1ea549a6f4dcb3ad5e237da48ee9b82063d90315a616664c9dc24bd43
                        • Opcode Fuzzy Hash: 54e1c0bfac502c3f3540e1ca361581bb34827a8512945ba319e0b50b32a5253f
                        • Instruction Fuzzy Hash: 54D02E348082C49FCB12CFB838953FCBF38CB03200F0800CDC888A2082CA614827DB62
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1b63bdd49569a9ef1c424b7a54e9a81387929668cf50cb6ae44ae9cb077ff5ce
                        • Instruction ID: 5e20397fcebdddc44729b27e7c2bc41c1c936fffde25bd366e13f0030009ebe8
                        • Opcode Fuzzy Hash: 1b63bdd49569a9ef1c424b7a54e9a81387929668cf50cb6ae44ae9cb077ff5ce
                        • Instruction Fuzzy Hash: 4CC08070850348EBCB00DF94A405779F77CD707711F40015CD91867140DF715950D7A5
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 46d12a036e34dcec5215980de39128cefd78817950c39ddaa96fb7d2ca6e3e28
                        • Instruction ID: 00a94b5292c3d6e4acb20d277f36f525255b1bf425d868ff8383943fb1904f49
                        • Opcode Fuzzy Hash: 46d12a036e34dcec5215980de39128cefd78817950c39ddaa96fb7d2ca6e3e28
                        • Instruction Fuzzy Hash: 8EC08070851348EFC700DF94A805715F77CD707305F444159D50863141DF714951D795
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 29745f1b77575051f699652c4494bb5f41d152cd58703cf84cc70fd5ae1e7250
                        • Instruction ID: ddf0bd30f4bfa9c7b9999b52879cd43d5d926bf7fac0ee576f57b96ecc33f209
                        • Opcode Fuzzy Hash: 29745f1b77575051f699652c4494bb5f41d152cd58703cf84cc70fd5ae1e7250
                        • Instruction Fuzzy Hash: 2BC01270840348EBDB10DAA5A808719B76CE706316F4005589508571409B718852C7A5
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 68742861114037e571b04b84ed23a2ccc0c47a89e8cd27155cc651f441215a20
                        • Instruction ID: 06bbd5d77b33f5a0632574223fef13a962c0aca29296ad9305f982aa832bbac0
                        • Opcode Fuzzy Hash: 68742861114037e571b04b84ed23a2ccc0c47a89e8cd27155cc651f441215a20
                        • Instruction Fuzzy Hash: B292A274E102688FDB64CF68C984BDDFBB6BB48300F1482A9D509AB355DB31AE85CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ee286794db7aa0d8b9f42a5e5c8970969f8b7455105b7f92088cddbfc12b68bb
                        • Instruction ID: 858000adfafc28987dc762e61d8bc6b83633a7c4bce998aa3bc6b6359e9157d6
                        • Opcode Fuzzy Hash: ee286794db7aa0d8b9f42a5e5c8970969f8b7455105b7f92088cddbfc12b68bb
                        • Instruction Fuzzy Hash: A7C1A274E00218CFDB54DFA9C884B9DBBB6BF89300F1591AAD809AB355DB34AD81CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 548b732b8c23b3770cdc9383fa0c9937b0ded5bf150d60458313a7e5035db0e3
                        • Instruction ID: 063e8a834dc17bab49876e0cb378ecba13f682e952ce642ab3a8f18e28da0e56
                        • Opcode Fuzzy Hash: 548b732b8c23b3770cdc9383fa0c9937b0ded5bf150d60458313a7e5035db0e3
                        • Instruction Fuzzy Hash: 5BD1B074D11218CFEB64DFAAD884B9DFBB2BF89300F1481AAD409A7255DB34AD85CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1467957762.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5a90000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 000bbd9d71952a48a3178caccba7c95bc9849aa262e9a891e29950a3ac7ce3b2
                        • Instruction ID: 9fd72791146d245dcb6164db95f777cafb9fa54dff26af788e4ef934fdcbd538
                        • Opcode Fuzzy Hash: 000bbd9d71952a48a3178caccba7c95bc9849aa262e9a891e29950a3ac7ce3b2
                        • Instruction Fuzzy Hash: 38D1C174D05228CFDB68DFAAC888B9DBBF2FF89300F1481A9D409A7255DB749985CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 78a955a7929296e81a52b143101e6b9e1c9bdb6d4e437a8da03e7b2415d721f6
                        • Instruction ID: dce58094b460375d8cab5e791cfd4c0600c166a0d044258ce7cb2ba3b5a4f97a
                        • Opcode Fuzzy Hash: 78a955a7929296e81a52b143101e6b9e1c9bdb6d4e437a8da03e7b2415d721f6
                        • Instruction Fuzzy Hash: 57819074E00218CFDB54DFAAD990A9DFBF2BF88300F24916AD419AB255DB34AD42CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 43bceee22cd6ae71c7da0a2e0ddff251e5df60262881f2bf5912039aad808407
                        • Instruction ID: 576b38a8140970d0da82a99e8f75c5f7db12caf04b33189c668fb44265f666c3
                        • Opcode Fuzzy Hash: 43bceee22cd6ae71c7da0a2e0ddff251e5df60262881f2bf5912039aad808407
                        • Instruction Fuzzy Hash: 7E51F475E002588FDB18CF6AC984BDDFBF6AF89304F14C1AAD408AB255DB759985CF40
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 66892bcf3667ee13572719fb502ed9737bc54e142b55932a74e6911a0f17d5a2
                        • Instruction ID: b7ff8fb0afbdf140c295aab8faeb091e185ce3182ab42b338929ad9cae1232ff
                        • Opcode Fuzzy Hash: 66892bcf3667ee13572719fb502ed9737bc54e142b55932a74e6911a0f17d5a2
                        • Instruction Fuzzy Hash: 683117B1D006188BEB28CFAAD8447DDBBB6FF89304F54C1AAD408AB251DB742946CF54
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9a4b41e7a9763384f2eb319966ee2f3a8af0d259eface3a8bb74a10db4b461e2
                        • Instruction ID: 3935fc89163e6df6e574606f5e9e56e731e4eccf12af7f10a1fce22b84ec8bda
                        • Opcode Fuzzy Hash: 9a4b41e7a9763384f2eb319966ee2f3a8af0d259eface3a8bb74a10db4b461e2
                        • Instruction Fuzzy Hash: 3B3195B5E006488BDB18CFABD94069EFBF7AFC9300F14D56AC418AB214DB345946CF45
                        Memory Dump Source
                        • Source File: 00000000.00000002.1467957762.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5a90000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6efa946659bf882a8e866843d4b2050fd7b3509bd746019ac16d583be8afe3d0
                        • Instruction ID: 283b5667829bd22c00234abddefd1abfc00194bbb0ed4cde9c8759ef53a6e03a
                        • Opcode Fuzzy Hash: 6efa946659bf882a8e866843d4b2050fd7b3509bd746019ac16d583be8afe3d0
                        • Instruction Fuzzy Hash: A931C4B1D002288BEF28CFAAD9447CDBBF2BF88304F14C16AC518AB255DB741946CF54
                        Memory Dump Source
                        • Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 97000cad1e2c61b70e4da30873a2f6e3721857fa1193708a60766954481ee9be
                        • Instruction ID: 7803be2fbcf2372aaeb06635862410190a9963e928ed50d9493698d4341c7d7c
                        • Opcode Fuzzy Hash: 97000cad1e2c61b70e4da30873a2f6e3721857fa1193708a60766954481ee9be
                        • Instruction Fuzzy Hash: E031B4B1E002288BEB28CFABD9447DDBBF2BF88304F54C16AD418A7255DB741946CF54
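The entries above are the per-function fingerprints the Joe Sandbox IDA plugin emitted for the two dumped regions (033C0000 and 05A90000, both "based on PE: false"); the empty API/String fields mean the function contains no recognised API calls or strings, and in every entry the Opcode ID is identical to the Opcode Fuzzy Hash. The following Python is an added example, not code from the report or from Joe Sandbox: it parses these records into structured data, summarises them per dumped region, and compares two Instruction Fuzzy Hashes. The sample input is three entries copied from the section above. Assumptions that the page does not state and that are labelled in the code: the layout of the dot-separated dump file name (field 4 = region base, field 5 = page protection, field 7 = region type, interpreted with the Win32 constants PAGE_EXECUTE_READWRITE = 0x40 and MEM_PRIVATE = 0x20000), and the position-wise nibble comparison, which is an illustrative metric and not the sandbox's own similarity algorithm.

```python
import re

# Constructed sample input: three function entries copied from the report
# section above (the record layout is Joe Sandbox's, the selection is mine).
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b63bdd49569a9ef1c424b7a54e9a81387929668cf50cb6ae44ae9cb077ff5ce
• Instruction ID: 5e20397fcebdddc44729b27e7c2bc41c1c936fffde25bd366e13f0030009ebe8
• Opcode Fuzzy Hash: 1b63bdd49569a9ef1c424b7a54e9a81387929668cf50cb6ae44ae9cb077ff5ce
• Instruction Fuzzy Hash: 4CC08070850348EBCB00DF94A405779F77CD707711F40015CD91867140DF715950D7A5
Memory Dump Source
• Source File: 00000000.00000002.1465185252.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_33c0000_Insidious_protected.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 46d12a036e34dcec5215980de39128cefd78817950c39ddaa96fb7d2ca6e3e28
• Instruction ID: 00a94b5292c3d6e4acb20d277f36f525255b1bf425d868ff8383943fb1904f49
• Opcode Fuzzy Hash: 46d12a036e34dcec5215980de39128cefd78817950c39ddaa96fb7d2ca6e3e28
• Instruction Fuzzy Hash: 8EC08070851348EFC700DF94A805715F77CD707305F444159D50863141DF714951D795
Memory Dump Source
• Source File: 00000000.00000002.1467957762.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a90000_Insidious_protected.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 000bbd9d71952a48a3178caccba7c95bc9849aa262e9a891e29950a3ac7ce3b2
• Instruction ID: 9fd72791146d245dcb6164db95f777cafb9fa54dff26af788e4ef934fdcbd538
• Opcode Fuzzy Hash: 000bbd9d71952a48a3178caccba7c95bc9849aa262e9a891e29950a3ac7ce3b2
• Instruction Fuzzy Hash: 38D1C174D05228CFDB68DFAAC888B9DBBF2FF89300F1481A9D409A7255DB749985CF50
"""

FIELD = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
PAGE_EXECUTE_READWRITE = 0x40  # Win32 page protection constant
MEM_PRIVATE = 0x20000          # Win32 region type constant


def parse_records(text):
    """One dict per function entry (an entry starts at 'Memory Dump Source');
    an empty value means the function has no recognised API calls or strings."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "Memory Dump Source":
            cur = {}
            records.append(cur)
        elif cur is not None:
            m = FIELD.match(line)
            if m:
                cur[m.group("key").strip()] = m.group("val").strip()
    return records


def parse_source(value):
    """Decode a 'Source File' value. ASSUMPTION (not documented on the page): in
    the dot-separated dump name, field 4 is the region base, field 5 the page
    protection and field 7 the region type; the base is checked against 'Offset:'."""
    name, rest = value.split(",", 1)
    parts = re.sub(r"\.sdmp$", "", name.strip()).split(".")
    offset = int(re.search(r"Offset:\s*([0-9A-Fa-f]+)", rest).group(1), 16)
    base = int(parts[3], 16)
    if base != offset:
        raise ValueError("dump name base %#x != Offset %#x" % (base, offset))
    return {"dump": name.strip(), "base": base, "protect": int(parts[4], 16),
            "type": int(parts[6], 16), "based_on_pe": rest.strip().endswith("true")}


def summarize_regions(records):
    """Per dumped region: function count and whether the dump is RWX private memory
    not backed by the PE image (the usual footprint of code unpacked at runtime)."""
    summary = {}
    for r in records:
        s = parse_source(r["Source File"])
        entry = summary.setdefault(s["base"], {"functions": 0, "rwx_private": False})
        entry["functions"] += 1
        entry["rwx_private"] = (s["protect"] == PAGE_EXECUTE_READWRITE
                                and s["type"] == MEM_PRIVATE and not s["based_on_pe"])
    return summary


def opcode_ids_match_fuzzy(records):
    """True if every entry's Opcode ID equals its Opcode Fuzzy Hash, as on this page."""
    return all(r["Opcode ID"] == r["Opcode Fuzzy Hash"] for r in records)


def nibble_similarity(a, b):
    """Illustrative position-wise agreement (0.0-1.0) of two Instruction Fuzzy Hash
    strings. NOT Joe Sandbox's similarity metric, which the page does not describe."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a.upper(), b.upper())) / len(a)
```

Run against a full copy of this section, `summarize_regions` gives the function count per dumped region, and `nibble_similarity` shows that the two short stubs at 033C0000 whose hashes begin `4CC08070…` and `8EC08070…` agree at roughly 70% of positions, while a function from the 05A90000 dump agrees with them at well under half; any real triage should use the sandbox's own similarity scores rather than this stand-in.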