Windows Analysis Report
KRcLFIz5PCQunB7.exe

Overview

General Information

Sample name: KRcLFIz5PCQunB7.exe
Analysis ID: 1559461
MD5: a08b35662044abf9528c24c3f663eaed
SHA1: aee7831f263e6b83198a790d8a8948a841a600e2
SHA256: 3f233256d32f8c33884510be0e50b614a35642f6ed7cb76b1f480373b548b295
Tags: exeuser-lowmal3

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Quasar RAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • KRcLFIz5PCQunB7.exe (PID: 280 cmdline: "C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe" MD5: A08B35662044ABF9528C24C3F663EAED)
    • KRcLFIz5PCQunB7.exe (PID: 6672 cmdline: "C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe" MD5: A08B35662044ABF9528C24C3F663EAED)
    • KRcLFIz5PCQunB7.exe (PID: 5960 cmdline: "C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe" MD5: A08B35662044ABF9528C24C3F663EAED)
      • schtasks.exe (PID: 5276 cmdline: "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 4196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • outlooks.exe (PID: 3816 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" MD5: A08B35662044ABF9528C24C3F663EAED)
        • outlooks.exe (PID: 4832 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" MD5: A08B35662044ABF9528C24C3F663EAED)
          • schtasks.exe (PID: 4856 cmdline: "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • outlooks.exe (PID: 4016 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe MD5: A08B35662044ABF9528C24C3F663EAED)
    • outlooks.exe (PID: 1088 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" MD5: A08B35662044ABF9528C24C3F663EAED)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
{"Version": "1.4.1", "Host:Port": "qtd.ydns.eu:5829;", "SubDirectory": "WindowsUpdates", "InstallName": "outlooks.exe", "MutexName": "ac3de377-7a66-4586-b523-567adbbba988", "StartupKey": "Outlooks", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source | Rule | Description | Author | Strings
00000004.00000002.2161447262.0000000000720000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000008.00000002.2266067773.0000000002D69000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000008.00000002.2290879602.00000000046ED000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000002.2140519322.00000000029D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000007.00000002.2202542805.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
Source | Rule | Description | Author | Strings
0.2.KRcLFIz5PCQunB7.exe.2a01eac.0.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
7.2.outlooks.exe.44609f0.2.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
7.2.outlooks.exe.44609f0.2.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
7.2.outlooks.exe.44609f0.2.raw.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
                  • 0x28eed7:$x1: Quasar.Common.Messages
                  • 0x29f200:$x1: Quasar.Common.Messages
                  • 0x2ab85a:$x4: Uninstalling... good bye :-(
                  • 0x2ad04f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
7.2.outlooks.exe.44609f0.2.raw.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
                  • 0x2aae0c:$f1: FileZilla\recentservers.xml
                  • 0x2aae4c:$f2: FileZilla\sitemanager.xml
                  • 0x2aae8e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
                  • 0x2ab0da:$b1: Chrome\User Data\
                  • 0x2ab130:$b1: Chrome\User Data\
                  • 0x2ab408:$b2: Mozilla\Firefox\Profiles
                  • 0x2ab504:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                  • 0x2fd460:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                  • 0x2ab65c:$b4: Opera Software\Opera Stable\Login Data
                  • 0x2ab716:$b5: YandexBrowser\User Data\
                  • 0x2ab784:$b5: YandexBrowser\User Data\
                  • 0x2ab458:$s4: logins.json
                  • 0x2ab18e:$a1: username_value
                  • 0x2ab1ac:$a2: password_value
                  • 0x2ab498:$a3: encryptedUsername
                  • 0x2fd3a4:$a3: encryptedUsername
                  • 0x2ab4bc:$a4: encryptedPassword
                  • 0x2fd3c2:$a4: encryptedPassword
                  • 0x2fd340:$a5: httpRealm

                  System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe", ParentImage: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe, ParentProcessId: 4832, ParentProcessName: outlooks.exe, ProcessCommandLine: "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f, ProcessId: 4856, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe", ParentImage: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe, ParentProcessId: 5960, ParentProcessName: KRcLFIz5PCQunB7.exe, ProcessCommandLine: "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f, ProcessId: 5276, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T15:11:10.319718+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 193.34.212.17 | 5829 | 192.168.2.6 | 49715 | TCP
2024-11-20T15:11:10.319718+0100 | 2027619 | 1 | Domain Observed Used for C2 Detected | 193.34.212.17 | 5829 | 192.168.2.6 | 49715 | TCP

                  AV Detection

Source: KRcLFIz5PCQunB7.exe, Avira: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe, Avira: detection malicious, Label: HEUR/AGEN.1305393
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe, ReversingLabs: Detection: 23%
Source: KRcLFIz5PCQunB7.exe, ReversingLabs: Detection: 23%
Source: Yara match, File source: 0.2.KRcLFIz5PCQunB7.exe.2a01eac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.outlooks.exe.44609f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.outlooks.exe.44609f0.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.KRcLFIz5PCQunB7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.outlooks.exe.40fedd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.2161447262.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.2266067773.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.2290879602.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2140519322.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2202542805.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.3362737100.0000000003481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2161447262.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2235392800.0000000009192000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2235392800.0000000008631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2217747622.00000000040FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2166424167.0000000008981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2143122458.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: KRcLFIz5PCQunB7.exe PID: 280, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: KRcLFIz5PCQunB7.exe PID: 5960, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: outlooks.exe PID: 3816, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: outlooks.exe PID: 4016, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: outlooks.exe PID: 4832, type: MEMORYSTR
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe, Joe Sandbox ML: detected
Source: KRcLFIz5PCQunB7.exe, Joe Sandbox ML: detected
Source: KRcLFIz5PCQunB7.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 103.126.138.87:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: KRcLFIz5PCQunB7.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: WOiC.pdb, source: KRcLFIz5PCQunB7.exe, outlooks.exe.4.dr
Source: Binary string: WOiC.pdbSHA256IC, source: KRcLFIz5PCQunB7.exe, outlooks.exe.4.dr

                  Networking

Source: Network traffic, Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 193.34.212.17:5829 -> 192.168.2.6:49715
Source: Network traffic, Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 193.34.212.17:5829 -> 192.168.2.6:49715
Source: Malware configuration extractor, URLs: qtd.ydns.eu
Source: Yara match, File source: 7.2.outlooks.exe.44609f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.KRcLFIz5PCQunB7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.outlooks.exe.40fedd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.raw.unpack, type: UNPACKEDPE
Source: global traffic, TCP traffic: 192.168.2.6:49715 -> 193.34.212.17:5829
Source: Joe Sandbox View, ASN Name: PL-SKYTECH-ASPL PL-SKYTECH-ASPL
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, DNS query: name: ipwho.is
Source: global traffic, HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
  Host: ipwho.is
  Connection: Keep-Alive
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
  Host: ipwho.is
  Connection: Keep-Alive
Source: global traffic, DNS traffic detected: DNS query: qtd.ydns.eu
Source: global traffic, DNS traffic detected: DNS query: ipwho.is
Source: outlooks.exe, 00000009.00000002.3357533499.00000000015BF000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: outlooks.exe, 00000009.00000002.3359322828.0000000001613000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.9.dr, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: outlooks.exe, 00000009.00000002.3362737100.0000000003435000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ipwho.is
Source: outlooks.exe, 00000009.00000002.3362737100.0000000003435000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ipwho.isd
Source: outlooks.exe, 00000009.00000002.3362737100.0000000003481000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: outlooks.exe, 00000009.00000002.3362737100.0000000003481000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: KRcLFIz5PCQunB7.exe, 00000004.00000002.2175797849.0000000003031000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000009.00000002.3362737100.000000000327B000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: KRcLFIz5PCQunB7.exe, 00000000.00000002.2143122458.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, KRcLFIz5PCQunB7.exe, 00000000.00000002.2166424167.0000000008981000.00000004.00000800.00020000.00000000.sdmp, KRcLFIz5PCQunB7.exe, 00000004.00000002.2161447262.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 00000007.00000002.2217747622.00000000040FE000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000007.00000002.2235392800.0000000009192000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000007.00000002.2235392800.0000000008631000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org/
Source: outlooks.exe, 00000009.00000002.3362737100.0000000003423000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://ipwho.is
Source: KRcLFIz5PCQunB7.exe, 00000000.00000002.2143122458.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, KRcLFIz5PCQunB7.exe, 00000000.00000002.2166424167.0000000008981000.00000004.00000800.00020000.00000000.sdmp, KRcLFIz5PCQunB7.exe, 00000004.00000002.2161447262.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 00000007.00000002.2217747622.00000000040FE000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000007.00000002.2235392800.0000000009192000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000007.00000002.2235392800.0000000008631000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000009.00000002.3362737100.0000000003423000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://ipwho.is/
Source: outlooks.exe, 00000009.00000002.3362737100.0000000003423000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://ipwho.isp
Source: KRcLFIz5PCQunB7.exe, 00000000.00000002.2143122458.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, KRcLFIz5PCQunB7.exe, 00000000.00000002.2166424167.0000000008981000.00000004.00000800.00020000.00000000.sdmp, KRcLFIz5PCQunB7.exe, 00000004.00000002.2161447262.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 00000007.00000002.2217747622.00000000040FE000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000007.00000002.2235392800.0000000009192000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000007.00000002.2235392800.0000000008631000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: KRcLFIz5PCQunB7.exe, 00000000.00000002.2143122458.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, KRcLFIz5PCQunB7.exe, 00000000.00000002.2166424167.0000000008981000.00000004.00000800.00020000.00000000.sdmp, KRcLFIz5PCQunB7.exe, 00000004.00000002.2161447262.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 00000007.00000002.2217747622.00000000040FE000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000007.00000002.2235392800.0000000009192000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000007.00000002.2235392800.0000000008631000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000009.00000002.3362737100.0000000003282000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: KRcLFIz5PCQunB7.exe, 00000000.00000002.2143122458.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, KRcLFIz5PCQunB7.exe, 00000000.00000002.2166424167.0000000008981000.00000004.00000800.00020000.00000000.sdmp, KRcLFIz5PCQunB7.exe, 00000004.00000002.2161447262.0000000000402000.00000040.00000400.00020000.00000000.sdmp, outlooks.exe, 00000007.00000002.2217747622.00000000040FE000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000007.00000002.2235392800.0000000009192000.00000004.00000800.00020000.00000000.sdmp, outlooks.exe, 00000007.00000002.2235392800.0000000008631000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: unknown, Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown, HTTPS traffic detected: 103.126.138.87:443 -> 192.168.2.6:49727 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe, Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe

                  E-Banking Fraud

Source: Yara match, File source: 0.2.KRcLFIz5PCQunB7.exe.2a01eac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.outlooks.exe.44609f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.outlooks.exe.44609f0.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.KRcLFIz5PCQunB7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.outlooks.exe.40fedd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.2161447262.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.2266067773.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.2290879602.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2140519322.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2202542805.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.3362737100.0000000003481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2161447262.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2235392800.0000000009192000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2235392800.0000000008631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2217747622.00000000040FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2166424167.0000000008981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2143122458.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: KRcLFIz5PCQunB7.exe PID: 280, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: KRcLFIz5PCQunB7.exe PID: 5960, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: outlooks.exe PID: 3816, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: outlooks.exe PID: 4016, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: outlooks.exe PID: 4832, type: MEMORYSTR

                  System Summary

                  Source: 7.2.outlooks.exe.44609f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                  Source: 7.2.outlooks.exe.44609f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: 7.2.outlooks.exe.44609f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                  Source: 7.2.outlooks.exe.44609f0.2.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 7.2.outlooks.exe.44609f0.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 7.2.outlooks.exe.44609f0.2.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 4.2.KRcLFIz5PCQunB7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 4.2.KRcLFIz5PCQunB7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 4.2.KRcLFIz5PCQunB7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 7.2.outlooks.exe.40fedd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 7.2.outlooks.exe.40fedd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 7.2.outlooks.exe.40fedd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers | Author: ditekSHen
Source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer | Author: ditekshen
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 0_2_0106DF64
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 0_2_07266D80
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 0_2_0726DB39
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 0_2_0726FB50
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 0_2_072616E8
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 0_2_072616F8
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 0_2_0726A5C8
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 0_2_0726A5D8
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 0_2_0726C150
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 0_2_0726A1A0
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 0_2_07266D70
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 0_2_07269D4A
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 0_2_0726B868
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 0_2_0726B878
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 0_2_074D1298
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 4_2_02D8F03C
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 7_2_010ADF64
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 7_2_05D96D80
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 7_2_05D9DB39
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 7_2_05D9FA60
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 7_2_05D9A5D8
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 7_2_05D9A5C8
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 7_2_05D916F8
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 7_2_05D916E8
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 7_2_05D9A1A0
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 7_2_05D9C150
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 7_2_05D99D4B
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 7_2_05D96D73
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 7_2_05D9B878
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 7_2_05D9B868
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 7_2_07451298
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_0133DF64
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_052B7C08
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_052B001A
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_052B0040
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_052BA0B1
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_075E6D80
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_075EDB39
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_075EFA60
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_075E16F8
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_075E16E8
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_075EA5D8
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_075EA5C8
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_075EC150
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_075EA1A0
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_075E9D4A
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_075E6D70
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_075EB878
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_075EB868
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_07931298
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 9_2_0151F03C
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 9_2_0817B6E0
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 9_2_08177E48
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 12_2_0159F03C
Source: KRcLFIz5PCQunB7.exe, 00000000.00000002.2139439303.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs KRcLFIz5PCQunB7.exe
Source: KRcLFIz5PCQunB7.exe, 00000000.00000002.2140519322.00000000029D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs KRcLFIz5PCQunB7.exe
Source: KRcLFIz5PCQunB7.exe, 00000000.00000002.2140519322.00000000029D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs KRcLFIz5PCQunB7.exe
Source: KRcLFIz5PCQunB7.exe, 00000000.00000002.2159504733.0000000005260000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs KRcLFIz5PCQunB7.exe
Source: KRcLFIz5PCQunB7.exe, 00000000.00000002.2143122458.00000000039D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs KRcLFIz5PCQunB7.exe
Source: KRcLFIz5PCQunB7.exe, 00000000.00000002.2166424167.0000000008981000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs KRcLFIz5PCQunB7.exe
Source: KRcLFIz5PCQunB7.exe, 00000004.00000002.2161447262.0000000000720000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs KRcLFIz5PCQunB7.exe
Source: KRcLFIz5PCQunB7.exe | Binary or memory string: OriginalFilenameWOiC.exeB vs KRcLFIz5PCQunB7.exe
Source: KRcLFIz5PCQunB7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7.2.outlooks.exe.44609f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.2.outlooks.exe.44609f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 7.2.outlooks.exe.44609f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 7.2.outlooks.exe.44609f0.2.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.2.outlooks.exe.44609f0.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 7.2.outlooks.exe.44609f0.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 4.2.KRcLFIz5PCQunB7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 4.2.KRcLFIz5PCQunB7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 4.2.KRcLFIz5PCQunB7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 7.2.outlooks.exe.40fedd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.2.outlooks.exe.40fedd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 7.2.outlooks.exe.40fedd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@18/5@2/2
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KRcLFIz5PCQunB7.exe.log
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ac3de377-7a66-4586-b523-567adbbba988
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4196:120:WilError_03
Source: KRcLFIz5PCQunB7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KRcLFIz5PCQunB7.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: KRcLFIz5PCQunB7.exe | ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | File read: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe
Source: unknown | Process created: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe "C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe"
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process created: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe "C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe"
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process created: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe "C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe"
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process created: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe "C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe"
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process created: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe "C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe"
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: cryptnet.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: KRcLFIz5PCQunB7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: KRcLFIz5PCQunB7.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                  Source: KRcLFIz5PCQunB7.exeStatic file information: File size 3711488 > 1048576
                  Source: KRcLFIz5PCQunB7.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x389600
                  Source: KRcLFIz5PCQunB7.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: KRcLFIz5PCQunB7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: WOiC.pdb source: KRcLFIz5PCQunB7.exe, outlooks.exe.4.dr
                  Source: Binary string: WOiC.pdbSHA256IC source: KRcLFIz5PCQunB7.exe, outlooks.exe.4.dr

                  Data Obfuscation

                  Source: KRcLFIz5PCQunB7.exe, MainForm.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                  Source: KRcLFIz5PCQunB7.exe | Static PE information: 0xBE24CCAF [Mon Feb 2 06:05:35 2071 UTC]
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Code function: 0_2_0106E768 push esp; retf 0_2_0106E769
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 7_2_010AE768 push esp; retf 7_2_010AE769
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_0133E768 push esp; retf 8_2_0133E769
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_013347B0 push ebp; retf 8_2_01334815
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Code function: 8_2_052BF5E1 push ebp; retf 8_2_052BF620
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | File created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe

                  Boot Survival

                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | File opened: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | File opened: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | File opened: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: KRcLFIz5PCQunB7.exe PID: 280, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 3816, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Memory allocated: 1060000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Memory allocated: 29D0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Memory allocated: 49D0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Memory allocated: 8980000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Memory allocated: 72B0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Memory allocated: 9DF0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Memory allocated: ADF0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Memory allocated: B1E0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Memory allocated: 2D80000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Memory allocated: 3030000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Memory allocated: 5030000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 1030000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 2D80000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 2B90000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 8630000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 9630000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 9C80000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: AC80000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: B030000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 1330000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 2CF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 4CF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 8890000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 7630000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 9C00000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: AC00000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: AFD0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 1510000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 3250000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 1790000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 1590000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 2FC0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory allocated: 4FC0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Window / User API: threadDelayed 4933
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Window / User API: threadDelayed 4858
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe TID: 884 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe TID: 2924 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe TID: 6120 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe TID: 4544 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe TID: 4196 | Thread sleep time: -37815825351104557s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe TID: 1924 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe TID: 5352 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Thread delayed: delay time: 922337203685477
                  Source: outlooks.exe, 00000009.00000002.3381974855.0000000005C01000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: outlooks.exe, 00000009.00000002.3381974855.0000000005B5C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
                  Source: outlooks.exe, 00000009.00000002.3381974855.0000000005C01000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW)
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Memory written: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory written: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Memory written: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process created: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe "C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe"
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process created: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe "C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe"
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Queries volume information: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe VolumeInformation
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Queries volume information: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe VolumeInformation
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\KRcLFIz5PCQunB7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
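The schtasks command above registers a task named "Outlooks" that launches the dropped binary at every logon with the highest available run level. The following is an added example, not code from the report or from Joe Sandbox, that triages the XML definitions Task Scheduler keeps under C:\Windows\System32\Tasks for that exact pattern: a logon trigger, RunLevel HighestAvailable (which is what /rl HIGHEST produces) and an Exec action pointing into a user-writable profile directory. The two task definitions embedded in the block are constructed for the example; the namespace, element names and run-level values are the ones Task Scheduler itself writes.

```python
"""Triage Windows scheduled-task XML for elevated logon persistence.

Added example (not code from the Joe Sandbox report). Task Scheduler stores
every task as an XML file under C:\\Windows\\System32\\Tasks; this module
flags definitions that look like the "Outlooks" task in the report:
a LogonTrigger, RunLevel HighestAvailable (what schtasks /rl HIGHEST
produces) and an Exec action pointing into a user-writable profile path.
"""
import os
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Namespace used by Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Profile locations an unprivileged user can write to.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData\\(Roaming|Local)|Desktop|Downloads|Public)\\", re.I
)


@dataclass
class TaskFinding:
    name: str
    command: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # All three conditions together; any one alone is common in benign tasks.
        return {"logon-trigger", "highest-runlevel", "user-writable-path"} <= set(self.reasons)


def triage_task_xml(name: str, xml_text: str) -> TaskFinding:
    """Evaluate one task definition and record which conditions it meets."""
    root = ET.fromstring(xml_text)
    cmd_el = root.find("./t:Actions/t:Exec/t:Command", NS)
    command = (cmd_el.text or "").strip() if cmd_el is not None else ""
    finding = TaskFinding(name=name, command=command)

    if root.find("./t:Triggers/t:LogonTrigger", NS) is not None:
        finding.reasons.append("logon-trigger")
    runlevel = root.find("./t:Principals/t:Principal/t:RunLevel", NS)
    if runlevel is not None and (runlevel.text or "").strip() == "HighestAvailable":
        finding.reasons.append("highest-runlevel")
    if USER_WRITABLE.search(command):
        finding.reasons.append("user-writable-path")
    return finding


def scan_tasks_dir(tasks_dir=r"C:\Windows\System32\Tasks"):
    """Walk the task store and return only the suspicious findings.
    Task files on disk are UTF-16 XML, hence the explicit encoding."""
    hits = []
    for dirpath, _, files in os.walk(tasks_dir):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-16") as fh:
                    finding = triage_task_xml(os.path.relpath(path, tasks_dir), fh.read())
            except (OSError, ET.ParseError, UnicodeError):
                continue  # unreadable, or not a task definition
            if finding.suspicious:
                hits.append(finding)
    return hits


# Constructed definition matching the report's command:
#   schtasks /create /tn "Outlooks" /sc ONLOGON /tr "...\outlooks.exe" /rl HIGHEST /f
OUTLOOKS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\user\\AppData\\Roaming\\WindowsUpdates\\outlooks.exe</Command>
  </Exec></Actions>
</Task>"""

# Constructed benign comparison: also a logon task, but least privilege and a
# binary under Program Files, so it must not be flagged.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("Outlooks", OUTLOOKS_TASK_XML), ("ExampleVendorUpdate", BENIGN_TASK_XML)):
        f = triage_task_xml(name, xml_text)
        print(f"{name}: suspicious={f.suspicious} reasons={f.reasons} command={f.command}")
```

On a live host, scan_tasks_dir() needs an elevated prompt because the task store is not readable by standard users; running it against an offline copy of the Tasks folder from a forensic image works the same way. Treating the three conditions as a conjunction keeps the check quiet on legitimate logon tasks while still catching a task that has been renamed to something innocuous.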

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.KRcLFIz5PCQunB7.exe.2a01eac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.outlooks.exe.44609f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.outlooks.exe.44609f0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.KRcLFIz5PCQunB7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.outlooks.exe.40fedd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2161447262.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2266067773.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2290879602.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2140519322.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2202542805.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3362737100.0000000003481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2161447262.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2235392800.0000000009192000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2235392800.0000000008631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2217747622.00000000040FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2166424167.0000000008981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2143122458.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: KRcLFIz5PCQunB7.exe PID: 280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: KRcLFIz5PCQunB7.exe PID: 5960, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 3816, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 4016, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 4832, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.KRcLFIz5PCQunB7.exe.2a01eac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.outlooks.exe.44609f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.outlooks.exe.44609f0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.KRcLFIz5PCQunB7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.KRcLFIz5PCQunB7.exe.406c3f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.outlooks.exe.40fedd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.KRcLFIz5PCQunB7.exe.3d4edd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2161447262.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2266067773.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2290879602.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2140519322.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2202542805.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3362737100.0000000003481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2161447262.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2235392800.0000000009192000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2235392800.0000000008631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2217747622.00000000040FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2166424167.0000000008981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2143122458.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: KRcLFIz5PCQunB7.exe PID: 280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: KRcLFIz5PCQunB7.exe PID: 5960, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 3816, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 4016, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: outlooks.exe PID: 4832, type: MEMORYSTR
MITRE ATT&CK Matrix

The original page renders this as a 14-column grid, one column per tactic. It is listed here tactic by tactic, in the page's row order. Techniques the report matched for this sample carry the numeric marker the page shows next to them, reproduced as-is; entries without a marker are the grid's standard filler and were not observed.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 21 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 111 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Hidden Files and Directories; 1 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 Query Registry; 111 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 23 System Information Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 11 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph

Reconstructed from the text of the interactive graph; the icon legend of the original image is omitted.

Behavior Graph ID: 1559461 | Sample: KRcLFIz5PCQunB7.exe | Start date: 20/11/2024 | Architecture: WINDOWS | Score: 100
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
Contacted hosts: qtd.ydns.eu; ipwho.is; bg.microsoft.map.fastly.net

Process tree:
KRcLFIz5PCQunB7.exe (started)
    dropped: C:\Users\user\...\KRcLFIz5PCQunB7.exe.log (ASCII)
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes
    +-- KRcLFIz5PCQunB7.exe (started)
    |       dropped: C:\Users\user\AppData\...\outlooks.exe (PE32)
    |       signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
    |       +-- outlooks.exe (started)
    |       |       signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
    |       |       +-- outlooks.exe (started)
    |       |               network: qtd.ydns.eu 193.34.212.17 port 5829 (local port 49715), PL-SKYTECH-ASPL, Poland; ipwho.is 103.126.138.87 port 443 (local port 49727), AS40676US, United States
    |       |               signatures: Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
    |       |               +-- schtasks.exe (started)
    |       |                       +-- conhost.exe (started)
    |       +-- schtasks.exe (started)
    |               +-- conhost.exe (started)
    +-- KRcLFIz5PCQunB7.exe (started)
outlooks.exe (started; second root, matching the Task Scheduler launch recorded in the timeline below)
    +-- outlooks.exe (started)
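The graph ties the dropped binary in AppData\Roaming, the schtasks persistence, the connection to qtd.ydns.eu on port 5829 and the ipwho.is lookup into one chain. As an added example that is not part of the report or of any Quasar code, the detection logic below correlates Sysmon-style process, file and network events per process and only escalates when several of those behaviours meet in the same process, which is what separates this chain from ordinary software. The event list is constructed: the image paths, hosts, addresses, ports and the schtasks command line are taken from this report, while the parent/child PID assignments, the schtasks PID and the benign browser event are invented.

```python
"""Correlate endpoint telemetry against the behaviour chain in this report.

Added example, not code from the report or the Quasar project. It runs
simple detection rules over Sysmon-style process, file and network events
and escalates only when a process living in a user-writable path also
beacons to the C2 or installs logon persistence.
"""
import re
from collections import defaultdict

# Indicators lifted from the report.
C2_IPS = {"193.34.212.17"}
C2_HOSTS = {"qtd.ydns.eu"}
IP_CHECK_HOSTS = {"ipwho.is", "api.ipify.org"}
COMMON_PORTS = {53, 80, 443, 8080, 8443}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
SCHTASKS_PERSIST = re.compile(r"/create\b.*?/sc\s+onlogon\b.*?/rl\s+highest\b", re.I)


def correlate(events):
    """Return {pid: {"image": str, "tags": set}} for every process that
    tripped at least one rule. The schtasks rule is attributed to the parent
    that launched schtasks.exe, since schtasks is only the tool."""
    findings = defaultdict(lambda: {"image": "", "tags": set()})

    def tag(pid, image, *tags):
        entry = findings[pid]
        if image:
            entry["image"] = image
        entry["tags"].update(tags)

    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            if USER_WRITABLE.search(ev["image"]):
                tag(ev["pid"], ev["image"], "user-writable-image")
            if ev["image"].lower().endswith("\\schtasks.exe") and SCHTASKS_PERSIST.search(ev["cmdline"]):
                tag(ev["ppid"], "", "persist-logon-task")
        elif kind == "network_connect":
            host = ev.get("dst_host", "").lower()
            if ev["dst_ip"] in C2_IPS or host in C2_HOSTS:
                tag(ev["pid"], ev["image"], "c2-beacon")
            if ev["dst_port"] not in COMMON_PORTS:
                tag(ev["pid"], ev["image"], "non-standard-port")
            if host in IP_CHECK_HOSTS:
                tag(ev["pid"], ev["image"], "ip-check")
        elif kind == "file_create" and ev["target"].lower().endswith(".exe"):
            if USER_WRITABLE.search(ev["target"]):
                tag(ev["pid"], ev["image"], "drops-exe-in-appdata")
    return dict(findings)


def high_confidence(findings):
    """PIDs whose image is in a user-writable path AND that either beacon to
    the C2 or install logon persistence. Single rules fire on benign software
    (updaters in AppData, games on odd ports); the conjunction does not."""
    return sorted(
        pid for pid, f in findings.items()
        if "user-writable-image" in f["tags"] and f["tags"] & {"c2-beacon", "persist-logon-task"}
    )


OUTLOOKS = r"C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
SAMPLE_EXE = r"C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe"

# Constructed event stream. PIDs 280, 5960 and 4832 are reused from the
# report's process list; parent PIDs and the schtasks/browser PIDs are invented.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 280, "ppid": 1000, "image": SAMPLE_EXE, "cmdline": "KRcLFIz5PCQunB7.exe"},
    {"type": "file_create", "pid": 5960, "image": SAMPLE_EXE, "target": OUTLOOKS},
    {"type": "process_create", "pid": 4832, "ppid": 3816, "image": OUTLOOKS, "cmdline": "outlooks.exe"},
    {"type": "process_create", "pid": 6100, "ppid": 4832, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": '"schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "' + OUTLOOKS + '" /rl HIGHEST /f'},
    {"type": "network_connect", "pid": 4832, "image": OUTLOOKS,
     "dst_ip": "193.34.212.17", "dst_port": 5829, "dst_host": "qtd.ydns.eu"},
    {"type": "network_connect", "pid": 4832, "image": OUTLOOKS,
     "dst_ip": "103.126.138.87", "dst_port": 443, "dst_host": "ipwho.is"},
    # Invented benign noise: a browser talking HTTPS to a documentation-range address.
    {"type": "network_connect", "pid": 7000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443, "dst_host": "www.example.com"},
]

if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for pid in high_confidence(found):
        print(pid, found[pid]["image"], sorted(found[pid]["tags"]))
```

Feeding real Sysmon events (IDs 1, 3 and 11) into correlate() only requires mapping their fields onto the same dictionary keys; the rules themselves stay as written. The persistence rule keys on the schtasks switches rather than the task name "Outlooks", because the name is the one thing an operator changes between builds.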

Antivirus detection, submitted sample (Source | Detection | Scanner | Label):
KRcLFIz5PCQunB7.exe | 24% | ReversingLabs |
KRcLFIz5PCQunB7.exe | 100% | Avira | HEUR/AGEN.1305393
KRcLFIz5PCQunB7.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped file (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | 100% | Avira | HEUR/AGEN.1305393
C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe | 24% | ReversingLabs |

No Antivirus matches
No Antivirus matches

Antivirus detection, URLs and domains (Source | Detection | Scanner | Label):
https://ipwho.isp | 0% | Avira URL Cloud | safe
qtd.ydns.eu | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
ipwho.is | 103.126.138.87 | true | false | | high
qtd.ydns.eu | 193.34.212.17 | true | true | | unknown

Contacted URLs and domains (Name | Malicious | Antivirus Detection | Reputation):
qtd.ydns.eu | true | Avira URL Cloud: safe | unknown
https://ipwho.is/ | false | | high
URLs found in memory strings (Name | Malicious | Antivirus Detection | Reputation, followed by the memory dumps the string was found in):
https://api.ipify.org/ | false | | high
    sources: KRcLFIz5PCQunB7.exe, 00000000.00000002.2143122458.00000000039D9000.00000004.00000800.00020000.00000000.sdmp; KRcLFIz5PCQunB7.exe, 00000000.00000002.2166424167.0000000008981000.00000004.00000800.00020000.00000000.sdmp; KRcLFIz5PCQunB7.exe, 00000004.00000002.2161447262.0000000000402000.00000040.00000400.00020000.00000000.sdmp; outlooks.exe, 00000007.00000002.2217747622.00000000040FE000.00000004.00000800.00020000.00000000.sdmp; outlooks.exe, 00000007.00000002.2235392800.0000000009192000.00000004.00000800.00020000.00000000.sdmp; outlooks.exe, 00000007.00000002.2235392800.0000000008631000.00000004.00000800.00020000.00000000.sdmp
http://schemas.datacontract.org/2004/07/d | false | | high
    sources: outlooks.exe, 00000009.00000002.3362737100.0000000003481000.00000004.00000800.00020000.00000000.sdmp
https://stackoverflow.com/q/14436606/23354 | false | | high
    sources: KRcLFIz5PCQunB7.exe, 00000000.00000002.2143122458.00000000039D9000.00000004.00000800.00020000.00000000.sdmp; KRcLFIz5PCQunB7.exe, 00000000.00000002.2166424167.0000000008981000.00000004.00000800.00020000.00000000.sdmp; KRcLFIz5PCQunB7.exe, 00000004.00000002.2161447262.0000000000402000.00000040.00000400.00020000.00000000.sdmp; outlooks.exe, 00000007.00000002.2217747622.00000000040FE000.00000004.00000800.00020000.00000000.sdmp; outlooks.exe, 00000007.00000002.2235392800.0000000009192000.00000004.00000800.00020000.00000000.sdmp; outlooks.exe, 00000007.00000002.2235392800.0000000008631000.00000004.00000800.00020000.00000000.sdmp; outlooks.exe, 00000009.00000002.3362737100.0000000003282000.00000004.00000800.00020000.00000000.sdmp
https://ipwho.isp | false | Avira URL Cloud: safe | unknown
    sources: outlooks.exe, 00000009.00000002.3362737100.0000000003423000.00000004.00000800.00020000.00000000.sdmp
http://schemas.datacontract.org/2004/07/ | false | | high
    sources: outlooks.exe, 00000009.00000002.3362737100.0000000003481000.00000004.00000800.00020000.00000000.sdmp
https://stackoverflow.com/q/11564914/23354; | false | | high
    sources: KRcLFIz5PCQunB7.exe, 00000000.00000002.2143122458.00000000039D9000.00000004.00000800.00020000.00000000.sdmp; KRcLFIz5PCQunB7.exe, 00000000.00000002.2166424167.0000000008981000.00000004.00000800.00020000.00000000.sdmp; KRcLFIz5PCQunB7.exe, 00000004.00000002.2161447262.0000000000402000.00000040.00000400.00020000.00000000.sdmp; outlooks.exe, 00000007.00000002.2217747622.00000000040FE000.00000004.00000800.00020000.00000000.sdmp; outlooks.exe, 00000007.00000002.2235392800.0000000009192000.00000004.00000800.00020000.00000000.sdmp; outlooks.exe, 00000007.00000002.2235392800.0000000008631000.00000004.00000800.00020000.00000000.sdmp
http://ipwho.isd | false | | high
    sources: outlooks.exe, 00000009.00000002.3362737100.0000000003435000.00000004.00000800.00020000.00000000.sdmp
https://ipwho.is | false | | high
    sources: outlooks.exe, 00000009.00000002.3362737100.0000000003423000.00000004.00000800.00020000.00000000.sdmp
https://stackoverflow.com/q/2152978/23354sCannot | false | | high
    sources: KRcLFIz5PCQunB7.exe, 00000000.00000002.2143122458.00000000039D9000.00000004.00000800.00020000.00000000.sdmp; KRcLFIz5PCQunB7.exe, 00000000.00000002.2166424167.0000000008981000.00000004.00000800.00020000.00000000.sdmp; KRcLFIz5PCQunB7.exe, 00000004.00000002.2161447262.0000000000402000.00000040.00000400.00020000.00000000.sdmp; outlooks.exe, 00000007.00000002.2217747622.00000000040FE000.00000004.00000800.00020000.00000000.sdmp; outlooks.exe, 00000007.00000002.2235392800.0000000009192000.00000004.00000800.00020000.00000000.sdmp; outlooks.exe, 00000007.00000002.2235392800.0000000008631000.00000004.00000800.00020000.00000000.sdmp
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | false | | high
    sources: KRcLFIz5PCQunB7.exe, 00000004.00000002.2175797849.0000000003031000.00000004.00000800.00020000.00000000.sdmp; outlooks.exe, 00000009.00000002.3362737100.000000000327B000.00000004.00000800.00020000.00000000.sdmp
http://ipwho.is | false | | high
    sources: outlooks.exe, 00000009.00000002.3362737100.0000000003435000.00000004.00000800.00020000.00000000.sdmp
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
193.34.212.17 | qtd.ydns.eu | Poland | 201814 | PL-SKYTECH-ASPL | true
103.126.138.87 | ipwho.is | United States | 40676 | AS40676US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559461
Start date and time: 2024-11-20 15:10:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: KRcLFIz5PCQunB7.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@18/5@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 185
• Number of non-executed functions: 11
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 199.232.214.172
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• VT rate limit hit for: KRcLFIz5PCQunB7.exe
Timeline (Time | Type | Description):
09:10:56 | API Interceptor | 2x Sleep call for process: KRcLFIz5PCQunB7.exe modified
09:11:02 | API Interceptor | 2630431x Sleep call for process: outlooks.exe modified
15:11:01 | Task Scheduler | Run new task: Outlooks, path: C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipwho.is | ________.exe | malicious | Quasar | 195.201.57.90
ipwho.is | Zamówienie 89118 _ Metal-Constructions.pdf.com.exe | malicious | Quasar | 195.201.57.90
ipwho.is | Order88983273293729387293828PDF.exe | malicious | Quasar | 195.201.57.90
ipwho.is | 1Eo0gOdDsV.exe | malicious | Quasar | 195.201.57.90
ipwho.is | https://2storageaccounterm67.z13.web.core.windows.net/Win08Ay0Er08d8d77/index.html# | malicious | TechSupportScam | 195.201.57.90
ipwho.is | https://tronblkma8sus7.z13.web.core.windows.net/?click_id=2isqs9oomm3gdtdt2&tid=903&subid=googlesapis.com&ref=googlesapis.com&922%5D | malicious | TechSupportScam | 195.201.57.90
ipwho.is | Exploit Detector LIST (2).bat | malicious | Unknown | 15.204.213.5
ipwho.is | 1.cmd | malicious | Unknown | 195.201.57.90
ipwho.is | Exploit Detector.bat | malicious | Unknown | 195.201.57.90
ipwho.is | Exploit Detector LIST (2).bat | malicious | Unknown | 195.201.57.90
bg.microsoft.map.fastly.net | file.exe | malicious | JasonRAT | 199.232.214.172
bg.microsoft.map.fastly.net | AI_ChainedPackageFile.VistaSoftware.exe | malicious | PureCrypter | 199.232.214.172
bg.microsoft.map.fastly.net | 740d3a.msi | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | AaronGiles(1).exe | malicious | PureCrypter | 199.232.210.172
bg.microsoft.map.fastly.net | 740d3a.msi | malicious | PureCrypter | 199.232.214.172
bg.microsoft.map.fastly.net | goodtoseeuthatgreatthingswithentirethingsgreatfor.hta | malicious | Cobalt Strike, Lokibot | 199.232.210.172
bg.microsoft.map.fastly.net | MyInstaller_PDFGear.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | PO-000041492.xls | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | file.exe | malicious | Credential Flusher | 199.232.214.172
bg.microsoft.map.fastly.net | file.exe | malicious | Unknown | 199.232.210.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
PL-SKYTECH-ASPL | file.exe | malicious | WhiteSnake Stealer | 91.223.3.164
PL-SKYTECH-ASPL | Payload 94.75 (3).225.exe | malicious | Unknown | 95.214.53.96
PL-SKYTECH-ASPL | 4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dll | malicious | Unknown | 193.34.212.14
PL-SKYTECH-ASPL | 4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dll | malicious | Unknown | 193.34.212.14
PL-SKYTECH-ASPL | SH20240622902.scr.exe | malicious | PureLog Stealer, zgRAT | 193.34.212.15
PL-SKYTECH-ASPL | arm7.elf | malicious | Unknown | 95.214.52.167
PL-SKYTECH-ASPL | mpslbot.elf | malicious | Unknown | 95.214.52.167
PL-SKYTECH-ASPL | mipsbot.elf | malicious | Unknown | 95.214.52.167
PL-SKYTECH-ASPL | file.exe | malicious | PureLog Stealer, zgRAT | 193.34.212.15
PL-SKYTECH-ASPL | SecuriteInfo.com.Linux.Siggen.9999.17528.22528.elf | malicious | Mirai | 149.86.239.18
AS40676US | mipsel.nn.elf | malicious | Mirai, Okiru | 76.74.72.61
AS40676US | 08e2VwqyI0.dll | malicious | Unknown | 107.160.131.254
AS40676US | PqZ6GU98Eh.dll | malicious | Unknown | 107.160.131.252
AS40676US | jYAKmjIPgI.dll | malicious | Unknown | 107.160.131.254
AS40676US | 81mieek02V.dll | malicious | Unknown | 107.160.131.254
AS40676US | Vb1S2HJcnN.dll | malicious | Unknown | 107.160.131.254
AS40676US | Malwarebytes Premium v4.6.8.311.exe | malicious | Unknown | 41.216.183.30
AS40676US | Fdoze89ykv.js | malicious | Mint Stealer | 45.61.137.33
AS40676US | QKS3UTHFX9.js | malicious | Unknown | 45.61.137.33
AS40676US | 5z3Wzl6uag.js | malicious | Unknown | 45.61.137.33
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | https://cipdegiphar-pharm.click/BD0C84/D0C-N0V20.html | malicious | Unknown | 103.126.138.87
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Amadey, Stealc, Vidar | 103.126.138.87
3b5074b1b5d032e5620f69f9f700ff0e | Documents.pdf.exe | malicious | MassLogger RAT | 103.126.138.87
3b5074b1b5d032e5620f69f9f700ff0e | https://etiv-tcaer.vercel.app/ | malicious | Unknown | 103.126.138.87
3b5074b1b5d032e5620f69f9f700ff0e | sus.ps1 | malicious | LummaC | 103.126.138.87
3b5074b1b5d032e5620f69f9f700ff0e | KEFttAEb.vbs | malicious | HTMLPhisher | 103.126.138.87
3b5074b1b5d032e5620f69f9f700ff0e | DEVIS_VALIDE.js | malicious | XWorm | 103.126.138.87
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 103.126.138.87
3b5074b1b5d032e5620f69f9f700ff0e | IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer | 103.126.138.87
3b5074b1b5d032e5620f69f9f700ff0e | ________.exe | malicious | Quasar | 103.126.138.87
                                              No context
                                              Process:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                              Category:dropped
                                              Size (bytes):71954
                                              Entropy (8bit):7.996617769952133
                                              Encrypted:true
                                              SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                              MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                              SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                              SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                              SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                              Process:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):328
                                              Entropy (8bit):3.239498819991208
                                              Encrypted:false
                                              SSDEEP:6:kKwb3D9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:YbqDImsLNkPlE99SNxAhUe/3
                                              MD5:551D40B4EA7B698E8F6ADE1214B18505
                                              SHA1:E85A6830E3D4955E0B6974F5CB26EFFDC74FB958
                                              SHA-256:AED8421D9478BF108DBEB5044CEF15543AA05B8758A6B3B535B8B3F8ECC3449A
                                              SHA-512:746F6E072D1D31F019F90AE6748A9E0DA33F83904794A27BDB20ACE1CF23C398A104C83A025E04708A214875BAAFED5373AA01DD2D0DAF950F6AF9DD285693CC
                                              Malicious:false
                                              Reputation:low
                                              Preview:p...... ........;.;.V;..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                              Process:C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.34331486778365
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                              Malicious:true
                                              Reputation:high, very likely benign file
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              Process:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.34331486778365
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              Process:C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):3711488
                                              Entropy (8bit):7.996482640726004
                                              Encrypted:true
                                              SSDEEP:49152:Uf+eHq329+bhPCNJZxh2H4s0E04nfxhFZ9kIODfdWutT825SkDh83TQ237w4fGi:U+MrJZqYsTfnFZ9ktfgtSSTQ23s4p
                                              MD5:A08B35662044ABF9528C24C3F663EAED
                                              SHA1:AEE7831F263E6B83198A790D8A8948A841A600E2
                                              SHA-256:3F233256D32F8C33884510BE0E50B614A35642F6ED7CB76B1F480373B548B295
                                              SHA-512:0866868CBF52999B233546348CDE08C3CFCF2DEEF86830A319D8430E6D815A02B8438F46C944FBD9F2010D7E9FCB6F4F77DB490280894B899DE0AFC71278B5DD
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 24%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....$...............0...8...........8.. ....8...@.. ........................9...........@...................................8.O.....8.4.....................8.....p.8.p............................................ ............... ..H............text.....8.. ....8................. ..`.rsrc...4.....8.......8.............@..@.reloc........8.......8.............@..B.................8.....H.......p>...E..........x.....8..........................................0..N........s....}.....s....}.....s....}.....r...p}.....r...p}......}.....(.......(.....*...0..6..............,..{....r!..po.....+.......,..{....rY..po.....*...0............{....r{..po......{.....o.....r...ps...........(....(.....+3..o........4...%..,.o.....s..........{......o.......o ..........-.....,..o!........+...*.........*.X.........*..0..n........s"......o#....+B..($........do%......F.........,...
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.996482640726004
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:KRcLFIz5PCQunB7.exe
                                              File size:3'711'488 bytes
                                              MD5:a08b35662044abf9528c24c3f663eaed
                                              SHA1:aee7831f263e6b83198a790d8a8948a841a600e2
                                              SHA256:3f233256d32f8c33884510be0e50b614a35642f6ed7cb76b1f480373b548b295
                                              SHA512:0866868cbf52999b233546348cde08c3cfcf2deef86830a319d8430e6d815a02b8438f46c944fbd9f2010d7e9fcb6f4f77db490280894b899de0afc71278b5dd
                                              SSDEEP:49152:Uf+eHq329+bhPCNJZxh2H4s0E04nfxhFZ9kIODfdWutT825SkDh83TQ237w4fGi:U+MrJZqYsTfnFZ9ktfgtSSTQ23s4p
                                              TLSH:640633755450091DE2725DB2BE7789F836B087873C0CEB04B2CB902AF75E7246E9179B
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....$...............0...8...........8.. ....8...@.. ........................9...........@................................
                                              Icon Hash:00928e8e8686b000
                                              Entrypoint:0x78b502
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0xBE24CCAF [Mon Feb 2 06:05:35 2071 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (listed 97 times in the original disassembly: the bytes after the 6-byte jmp stub are zero, and every 00 00 pair decodes to this instruction)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x38b4af | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38c000 | 0x634 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x38e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x389c70 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x389508 | 0x389600 | 3dd32f60cd277517a60a2ca60592b320 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x38c000 | 0x634 | 0x800 | 448fcc84b879dc48fd010ed6a47a51f9 | False | 0.34033203125 | data | 3.4836410748182622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x38e000 | 0xc | 0x200 | ac3190d536ee8375790aedb1f1281ac0 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x38c090 | 0x3a4 | data | | | 0.41952789699570814
RT_MANIFEST | 0x38c444 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
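A managed executable's native entry point is nothing more than a jump through the IAT slot that the loader fills with mscoree!_CorExeMain, which is why the disassembly above is a single jmp dword ptr [00402000h] (image base 0x400000 plus the IAT RVA 0x2000 from the data directories) followed by zero padding. The script below is an added example and not part of the Joe Sandbox report: using only the Python standard library (3.9 or later) it builds a constructed 32-bit .NET-style PE whose image base, IAT and COM-descriptor directories, DllCharacteristics (0x8540) and link time stamp (0xBE24CCAF) are copied from the report, then re-derives the report's header-level signals from the raw bytes: the entry-stub check, presence of a CLR header, presence of a SECURITY (Authenticode) directory, the decoded DllCharacteristics flags, a link time in the future, and per-section Shannon entropy. The IAT thunk RVA 0x2050, the pseudo-random .text body and the 7.5 entropy threshold are assumptions made for the example.

```python
"""Static PE triage of the header fields this report lists (link time, CLR header,
IAT entry stub, Authenticode directory, DLL characteristics, section entropy),
standard library only.  Added example: the image parsed is constructed by
build_sample_pe(), not the analysed sample."""
import math
import random
import struct
from datetime import datetime, timezone

IMAGE_BASE, TEXT_RVA, IAT_RVA, CLR_RVA, STUB_RVA = 0x400000, 0x2000, 0x2000, 0x2008, 0x2100
SECTION_ALIGN, FILE_ALIGN = 0x1000, 0x200
REPORT_TIMESTAMP = 0xBE24CCAF   # the link time this report decodes to Feb 2071
DLL_CHARS = {0x40: "DYNAMIC_BASE", 0x100: "NX_COMPAT", 0x400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 optional header, 96 bytes
SEC_FMT = "<8sIIIIIIHHI"                                             # IMAGE_SECTION_HEADER, 40 bytes

def build_sample_pe(timestamp=REPORT_TIMESTAMP, body=None):
    """Constructed 32-bit .NET-style image: one .text section holding the IAT (a single
    _CorExeMain slot), a CLR header, the entry stub 'jmp dword ptr [IAT]' and a filler body."""
    if body is None:
        body = random.Random(1337).randbytes(0x10000)   # high-entropy filler standing in for packed code
    text = bytearray(STUB_RVA - TEXT_RVA)
    struct.pack_into("<II", text, IAT_RVA - TEXT_RVA, 0x2050, 0)    # IAT: thunk RVA (arbitrary) + terminator
    struct.pack_into("<IHH", text, CLR_RVA - TEXT_RVA, 0x48, 2, 5)  # CLR header: cb, runtime version 2.5
    text += b"\xff\x25" + struct.pack("<I", IMAGE_BASE + IAT_RVA)   # FF 25 imm32 = jmp dword ptr [abs]
    text += body
    vsize = len(text)
    raw_size = -(-vsize // FILE_ALIGN) * FILE_ALIGN
    text += bytes(raw_size - vsize)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)  # i386, EXECUTABLE_IMAGE|32BIT
    size_of_image = TEXT_RVA + -(-raw_size // SECTION_ALIGN) * SECTION_ALIGN
    opt = struct.pack(OPT_FMT, 0x10B, 48, 0, raw_size, 0, 0, STUB_RVA, TEXT_RVA, 0, IMAGE_BASE,
                      SECTION_ALIGN, FILE_ALIGN, 4, 0, 0, 0, 4, 0, 0, size_of_image, 0x200, 0,
                      2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # GUI; DllChars as reported
    dirs = [(0, 0)] * 16
    dirs[12], dirs[14] = (IAT_RVA, 8), (CLR_RVA, 0x48)              # IAT and COM_DESCRIPTOR directories
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec = struct.pack(SEC_FMT, b".text", vsize, TEXT_RVA, raw_size, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sec
    return bytes(headers) + bytes(0x200 - len(headers)) + bytes(text)

def parse_pe(data):
    """Minimal PE32 reader returning just the fields the triage needs."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    f = struct.unpack_from(OPT_FMT, data, opt)
    if f[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(f[29])]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(SEC_FMT, data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, raw_size), raw_ptr, raw_size))
    return {"timestamp": timestamp, "entry": f[6], "image_base": f[9], "dll_chars": f[23],
            "dirs": dirs, "sections": sections}

def rva_to_offset(sections, rva):
    for _, va, span, raw_ptr, _ in sections:
        if va <= rva < va + span:
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def shannon_entropy(buf):
    """8-bit Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    n, counts = len(buf), [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def triage(data, now=None):
    """Evaluate the report's header-level signals on one PE image."""
    pe = parse_pe(data)
    now = datetime.now(timezone.utc).timestamp() if now is None else now
    iat_rva, _ = pe["dirs"][12]
    ep = rva_to_offset(pe["sections"], pe["entry"])
    stub = data[ep:ep + 6]
    # A managed EXE's native entry is 'FF 25 <absolute address of the _CorExeMain IAT slot>'
    jmp_target = struct.unpack_from("<I", stub, 2)[0] if stub[:2] == b"\xff\x25" else None
    sections = {}
    for name, _, _, raw_ptr, raw_size in pe["sections"]:
        ent = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        sections[name] = {"entropy": round(ent, 3), "likely_packed": ent > 7.5}  # threshold: assumption
    return {
        "link_time": datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).isoformat(),
        "timestamp_in_future": pe["timestamp"] > now,
        "is_dotnet": pe["dirs"][14][1] != 0,            # COM_DESCRIPTOR directory size
        "entry_is_corexemain_stub": jmp_target == pe["image_base"] + iat_rva,
        "digitally_signed": pe["dirs"][4][1] != 0,      # SECURITY directory size
        "dll_characteristics": [n for bit, n in DLL_CHARS.items() if pe["dll_chars"] & bit],
        "sections": sections,
    }
```

Calling triage(build_sample_pe()) reports the constructed image as an unsigned .NET executable with a 2071 link time, the four DllCharacteristics flags listed above, and a .text section close to 8.0 bits per byte, as the submitted file is as a whole (entropy 7.996, Encrypted: true). For a real file pass open(path, "rb").read() instead. A link time decades in the future cannot be a genuine compile time and is the kind of value the "Binary contains a suspicious time stamp" signature flags; a near-8.0 section in a 3.7 MB .NET binary is why the report also lists "Found malware configuration" only after unpacking.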
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-20T15:11:10.319718+0100 | 2027619 | ET MALWARE Observed Malicious SSL Cert (Quasar CnC) | 1 | 193.34.212.17 | 5829 | 192.168.2.6 | 49715 | TCP
2024-11-20T15:11:10.319718+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 193.34.212.17 | 5829 | 192.168.2.6 | 49715 | TCP
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Nov 20, 2024 15:11:08.673883915 CET | 49715 | 5829 | 192.168.2.6 | 193.34.212.17
                                              Nov 20, 2024 15:11:08.797138929 CET | 5829 | 49715 | 193.34.212.17 | 192.168.2.6
                                              Nov 20, 2024 15:11:08.797257900 CET | 49715 | 5829 | 192.168.2.6 | 193.34.212.17
                                              Nov 20, 2024 15:11:08.805211067 CET | 49715 | 5829 | 192.168.2.6 | 193.34.212.17
                                              Nov 20, 2024 15:11:08.924793005 CET | 5829 | 49715 | 193.34.212.17 | 192.168.2.6
                                              Nov 20, 2024 15:11:10.190751076 CET | 5829 | 49715 | 193.34.212.17 | 192.168.2.6
                                              Nov 20, 2024 15:11:10.190805912 CET | 5829 | 49715 | 193.34.212.17 | 192.168.2.6
                                              Nov 20, 2024 15:11:10.190902948 CET | 49715 | 5829 | 192.168.2.6 | 193.34.212.17
                                              Nov 20, 2024 15:11:10.199045897 CET | 49715 | 5829 | 192.168.2.6 | 193.34.212.17
                                              Nov 20, 2024 15:11:10.319717884 CET | 5829 | 49715 | 193.34.212.17 | 192.168.2.6
                                              Nov 20, 2024 15:11:10.633450031 CET | 5829 | 49715 | 193.34.212.17 | 192.168.2.6
                                              Nov 20, 2024 15:11:10.792578936 CET | 49715 | 5829 | 192.168.2.6 | 193.34.212.17
                                              Nov 20, 2024 15:11:13.022320986 CET | 49727 | 443 | 192.168.2.6 | 103.126.138.87
                                              Nov 20, 2024 15:11:13.022382021 CET | 443 | 49727 | 103.126.138.87 | 192.168.2.6
                                              Nov 20, 2024 15:11:13.022449017 CET | 49727 | 443 | 192.168.2.6 | 103.126.138.87
                                              Nov 20, 2024 15:11:13.023746014 CET | 49727 | 443 | 192.168.2.6 | 103.126.138.87
                                              Nov 20, 2024 15:11:13.023760080 CET | 443 | 49727 | 103.126.138.87 | 192.168.2.6
                                              Nov 20, 2024 15:11:15.359843969 CET | 443 | 49727 | 103.126.138.87 | 192.168.2.6
                                              Nov 20, 2024 15:11:15.360017061 CET | 49727 | 443 | 192.168.2.6 | 103.126.138.87
                                              Nov 20, 2024 15:11:15.362287998 CET | 49727 | 443 | 192.168.2.6 | 103.126.138.87
                                              Nov 20, 2024 15:11:15.362304926 CET | 443 | 49727 | 103.126.138.87 | 192.168.2.6
                                              Nov 20, 2024 15:11:15.362657070 CET | 443 | 49727 | 103.126.138.87 | 192.168.2.6
                                              Nov 20, 2024 15:11:15.417408943 CET | 49727 | 443 | 192.168.2.6 | 103.126.138.87
                                              Nov 20, 2024 15:11:15.463330030 CET | 443 | 49727 | 103.126.138.87 | 192.168.2.6
                                              Nov 20, 2024 15:11:15.984436035 CET | 443 | 49727 | 103.126.138.87 | 192.168.2.6
                                              Nov 20, 2024 15:11:15.984529972 CET | 443 | 49727 | 103.126.138.87 | 192.168.2.6
                                              Nov 20, 2024 15:11:15.984577894 CET | 49727 | 443 | 192.168.2.6 | 103.126.138.87
                                              Nov 20, 2024 15:11:16.059587955 CET | 49727 | 443 | 192.168.2.6 | 103.126.138.87
                                              Nov 20, 2024 15:11:16.232742071 CET | 49715 | 5829 | 192.168.2.6 | 193.34.212.17
                                              Nov 20, 2024 15:11:16.353215933 CET | 5829 | 49715 | 193.34.212.17 | 192.168.2.6
                                              Nov 20, 2024 15:11:16.353276014 CET | 49715 | 5829 | 192.168.2.6 | 193.34.212.17
                                              Nov 20, 2024 15:11:16.472922087 CET | 5829 | 49715 | 193.34.212.17 | 192.168.2.6
                                              Nov 20, 2024 15:11:16.829756975 CET | 5829 | 49715 | 193.34.212.17 | 192.168.2.6
                                              Nov 20, 2024 15:11:16.901931047 CET | 49715 | 5829 | 192.168.2.6 | 193.34.212.17
                                              Nov 20, 2024 15:11:17.040597916 CET | 5829 | 49715 | 193.34.212.17 | 192.168.2.6
                                              Nov 20, 2024 15:11:17.082736969 CET | 49715 | 5829 | 192.168.2.6 | 193.34.212.17
                                              Nov 20, 2024 15:11:42.042612076 CET | 49715 | 5829 | 192.168.2.6 | 193.34.212.17
                                              Nov 20, 2024 15:11:42.162574053 CET | 5829 | 49715 | 193.34.212.17 | 192.168.2.6
                                              Nov 20, 2024 15:12:07.167608976 CET | 49715 | 5829 | 192.168.2.6 | 193.34.212.17
                                              Nov 20, 2024 15:12:07.287412882 CET | 5829 | 49715 | 193.34.212.17 | 192.168.2.6
                                              Nov 20, 2024 15:12:32.292556047 CET | 49715 | 5829 | 192.168.2.6 | 193.34.212.17
                                              Nov 20, 2024 15:12:32.412230968 CET | 5829 | 49715 | 193.34.212.17 | 192.168.2.6
                                              Nov 20, 2024 15:12:57.417536974 CET | 49715 | 5829 | 192.168.2.6 | 193.34.212.17
                                              Nov 20, 2024 15:12:57.537194014 CET | 5829 | 49715 | 193.34.212.17 | 192.168.2.6
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Nov 20, 2024 15:11:08.139380932 CET | 56438 | 53 | 192.168.2.6 | 1.1.1.1
                                              Nov 20, 2024 15:11:08.667972088 CET | 53 | 56438 | 1.1.1.1 | 192.168.2.6
                                              Nov 20, 2024 15:11:12.878026009 CET | 51850 | 53 | 192.168.2.6 | 1.1.1.1
                                              Nov 20, 2024 15:11:13.018049002 CET | 53 | 51850 | 1.1.1.1 | 192.168.2.6
                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                              Nov 20, 2024 15:11:08.139380932 CET | 192.168.2.6 | 1.1.1.1 | 0x113d | Standard query (0) | qtd.ydns.eu | A (IP address) | IN (0x0001) | false
                                              Nov 20, 2024 15:11:12.878026009 CET | 192.168.2.6 | 1.1.1.1 | 0x577e | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                              Nov 20, 2024 15:11:08.667972088 CET | 1.1.1.1 | 192.168.2.6 | 0x113d | No error (0) | qtd.ydns.eu | | 193.34.212.17 | A (IP address) | IN (0x0001) | false
                                              Nov 20, 2024 15:11:10.859025955 CET | 1.1.1.1 | 192.168.2.6 | 0xbc5d | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                              Nov 20, 2024 15:11:10.859025955 CET | 1.1.1.1 | 192.168.2.6 | 0xbc5d | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                              Nov 20, 2024 15:11:13.018049002 CET | 1.1.1.1 | 192.168.2.6 | 0x577e | No error (0) | ipwho.is | | 103.126.138.87 | A (IP address) | IN (0x0001) | false
                                              Nov 20, 2024 15:12:17.350940943 CET | 1.1.1.1 | 192.168.2.6 | 0xaf22 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                              Nov 20, 2024 15:12:17.350940943 CET | 1.1.1.1 | 192.168.2.6 | 0xaf22 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                              • ipwho.is
                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              0 | 192.168.2.6 | 49727 | 103.126.138.87 | 443 | 4832 | C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-11-20 14:11:15 UTC | 150 | OUT | GET / HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
                                              Host: ipwho.is
                                              Connection: Keep-Alive
                                              2024-11-20 14:11:15 UTC | 223 | IN | HTTP/1.1 200 OK
                                              Date: Wed, 20 Nov 2024 14:11:15 GMT
                                              Content-Type: application/json; charset=utf-8
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Server: ipwhois
                                              Access-Control-Allow-Headers: *
                                              X-Robots-Tag: noindex
                                              2024-11-20 14:11:15 UTC | 1020 | IN | Data Raw: 33 66 30 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 37 35 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72
                                              Data Ascii: 3f0{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.75", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yor


                                              Target ID:0
                                              Start time:09:10:56
                                              Start date:20/11/2024
                                              Path:C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe"
                                              Imagebase:0x390000
                                              File size:3'711'488 bytes
                                              MD5 hash:A08B35662044ABF9528C24C3F663EAED
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2140519322.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2166424167.0000000008981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2143122458.00000000039D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:3
                                              Start time:09:10:59
                                              Start date:20/11/2024
                                              Path:C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe"
                                              Imagebase:0x420000
                                              File size:3'711'488 bytes
                                              MD5 hash:A08B35662044ABF9528C24C3F663EAED
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:4
                                              Start time:09:10:59
                                              Start date:20/11/2024
                                              Path:C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\KRcLFIz5PCQunB7.exe"
                                              Imagebase:0xa00000
                                              File size:3'711'488 bytes
                                              MD5 hash:A08B35662044ABF9528C24C3F663EAED
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.2161447262.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.2161447262.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:5
                                              Start time:09:11:01
                                              Start date:20/11/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
                                              Imagebase:0xe60000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:09:11:01
                                              Start date:20/11/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:09:11:01
                                              Start date:20/11/2024
                                              Path:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                                              Imagebase:0x680000
                                              File size:3'711'488 bytes
                                              MD5 hash:A08B35662044ABF9528C24C3F663EAED
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.2202542805.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.2235392800.0000000009192000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.2235392800.0000000008631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.2217747622.00000000040FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 24%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:8
                                              Start time:09:11:01
                                              Start date:20/11/2024
                                              Path:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                              Imagebase:0x680000
                                              File size:3'711'488 bytes
                                              MD5 hash:A08B35662044ABF9528C24C3F663EAED
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000008.00000002.2266067773.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000008.00000002.2290879602.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:9
                                              Start time:09:11:03
                                              Start date:20/11/2024
                                              Path:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                                              Imagebase:0xbb0000
                                              File size:3'711'488 bytes
                                              MD5 hash:A08B35662044ABF9528C24C3F663EAED
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.3362737100.0000000003481000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:false

                                              Target ID:10
                                              Start time:09:11:06
                                              Start date:20/11/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"schtasks" /create /tn "Outlooks" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe" /rl HIGHEST /f
                                              Imagebase:0xe60000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:09:11:06
                                              Start date:20/11/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:12
                                              Start time:09:11:10
                                              Start date:20/11/2024
                                              Path:C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\WindowsUpdates\outlooks.exe"
                                              Imagebase:0x9e0000
                                              File size:3'711'488 bytes
                                              MD5 hash:A08B35662044ABF9528C24C3F663EAED
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                                Execution Graph

                                                Execution Coverage:8.9%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:4.1%
                                                Total number of Nodes:222
                                                Total number of Limit Nodes:20

                                                Control-flow Graph

                                                control_flow_graph 45 726c718-726c71d 46 726c6c0-726c6db VirtualAllocEx 45->46 47 726c71f-726c76e 45->47 49 726c6e4-726c709 46->49 50 726c6dd-726c6e3 46->50 51 726c770-726c77c 47->51 52 726c77e-726c7bd WriteProcessMemory 47->52 50->49 51->52 58 726c7c6-726c7f6 52->58 59 726c7bf-726c7c5 52->59 59->58
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0726C6CE
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0726C7B0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: AllocMemoryProcessVirtualWrite
                                                • String ID:
                                                • API String ID: 645232735-0
                                                • Opcode ID: e250f2c32a8ce25d23fe0d821919f574e37635aae32b73f2eaeba4e0664c4898
                                                • Instruction ID: 69beecdae47a00cd362d7d29fc01e8367e1eac5332dfc36ad48b211ce7ca62a7
                                                • Opcode Fuzzy Hash: e250f2c32a8ce25d23fe0d821919f574e37635aae32b73f2eaeba4e0664c4898
                                                • Instruction Fuzzy Hash: 643159B290034ADFDB10DFA9C8857DEBBF0BF88314F10842AE559A7240C778A590CBA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f4627a704d2b7b681d74c60235038113c884ec1a17943ac83e56d7fbf8ef4847
                                                • Instruction ID: e898fb0216868fbb24cb418fa9b890cd0d265d3427461676b6c3b91bc6801043
                                                • Opcode Fuzzy Hash: f4627a704d2b7b681d74c60235038113c884ec1a17943ac83e56d7fbf8ef4847
                                                • Instruction Fuzzy Hash: E8C1ECB17016028FEB25EB75D6147AEB7FAAF89300F10846ED186DB290DF35E942CB51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0ba39e376fde6b77ddab55f3f76f64afbb54a1982094de68fe32620520d7549b
                                                • Instruction ID: 29e63d6d24d55f0ce0016b6b5e422e52886645c6505955cdcee41762c65b7060
                                                • Opcode Fuzzy Hash: 0ba39e376fde6b77ddab55f3f76f64afbb54a1982094de68fe32620520d7549b
                                                • Instruction Fuzzy Hash: BB711AB5E2526DCFEB24CF66C8447E9B7B6BF89300F1491AAD40DA6250DBB05AC5CF40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 34af4574e2857308fb03f9b1ff6167eefaf69380f7c0f57d361434b709069100
                                                • Instruction ID: ccb76a7a6d1de673ef0d44812cd4e5e138b3f08116cfdabd3eb1c4c04ce1b40d
                                                • Opcode Fuzzy Hash: 34af4574e2857308fb03f9b1ff6167eefaf69380f7c0f57d361434b709069100
                                                • Instruction Fuzzy Hash: 4F21FAB1D14658CBEB18CF96D9493DEBFF6AF89304F14C06AD408B6264DB750986CF50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1252fccecda558133416bfa4c8eaa89256baaa21ccc24688474f7788b281f601
                                                • Instruction ID: 2769db79b9b4d137e6d20dced4a68585ab936bf59b8c7be5e49257f4c63b529b
                                                • Opcode Fuzzy Hash: 1252fccecda558133416bfa4c8eaa89256baaa21ccc24688474f7788b281f601
                                                • Instruction Fuzzy Hash: E921F7B1D106198BEB18CF9BD8483DEFAF6AFC9304F14C02AD40866264DBB40986CF90

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0106D43E
                                                • GetCurrentThread.KERNEL32 ref: 0106D47B
                                                • GetCurrentProcess.KERNEL32 ref: 0106D4B8
                                                • GetCurrentThreadId.KERNEL32 ref: 0106D511
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140240736.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1060000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: f2b1b308fa3bbf848f3ba8891dd65a47073c6694e3f7f9d3cfabf7b894c1c85e
                                                • Instruction ID: 949ce109a61230ddc45d42a725eb94a3c27dd7a86fe33a0b4fc4c35a1eccee6b
                                                • Opcode Fuzzy Hash: f2b1b308fa3bbf848f3ba8891dd65a47073c6694e3f7f9d3cfabf7b894c1c85e
                                                • Instruction Fuzzy Hash: 0D5168B0A003498FEB54DFA9D648BEEBBF5FF88314F208459D158A7350DB746944CB61

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0106D43E
                                                • GetCurrentThread.KERNEL32 ref: 0106D47B
                                                • GetCurrentProcess.KERNEL32 ref: 0106D4B8
                                                • GetCurrentThreadId.KERNEL32 ref: 0106D511
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140240736.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1060000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: ee8f0d54c464edf050cbe015d5c3bc2f5457c88eb36ef997f1de7b372f7876ac
                                                • Instruction ID: a45b03de426f021165291190ce4d316c796c473b541c9362b2c3da6cfc4066fc
                                                • Opcode Fuzzy Hash: ee8f0d54c464edf050cbe015d5c3bc2f5457c88eb36ef997f1de7b372f7876ac
                                                • Instruction Fuzzy Hash: 055166B0A003498FEB44DFAAD648BEEBBF5FF88314F208459E148A7250DB746944CF65

                                                Control-flow Graph

                                                control_flow_graph 63 726c80b-726c80d 64 726c7b0-726c7bd WriteProcessMemory 63->64 65 726c80f-726c89d ReadProcessMemory 63->65 66 726c7c6-726c7f6 64->66 67 726c7bf-726c7c5 64->67 72 726c8a6-726c8d6 65->72 73 726c89f-726c8a5 65->73 67->66 73->72
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0726C7B0
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0726C890
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: MemoryProcess$ReadWrite
                                                • String ID:
                                                • API String ID: 3589323503-0
                                                • Opcode ID: 6e94721eefe54d7ce75e48c43c707a3c9fb7f96cfdbfdc214b19ddf34f4aeaca
                                                • Instruction ID: a9c41217953c42533d66a1b424ed7021ba0493d63aa9dfcebcf495463fbd1cfe
                                                • Opcode Fuzzy Hash: 6e94721eefe54d7ce75e48c43c707a3c9fb7f96cfdbfdc214b19ddf34f4aeaca
                                                • Instruction Fuzzy Hash: D8315AB2C0030A9FDB10DFAAD8857EEBBF1FF88320F10842AE559A7240D7789551DB60

                                                Control-flow Graph

                                                control_flow_graph 78 726c99c-726c9a5 79 726c9a7-726ca3d 78->79 80 726c948-726c962 78->80 83 726ca76-726ca96 79->83 84 726ca3f-726ca49 79->84 90 726c964-726c96a 80->90 91 726c96b-726c990 80->91 94 726cacf-726cafe 83->94 95 726ca98-726caa2 83->95 84->83 85 726ca4b-726ca4d 84->85 87 726ca70-726ca73 85->87 88 726ca4f-726ca59 85->88 87->83 92 726ca5d-726ca6c 88->92 93 726ca5b 88->93 90->91 92->92 96 726ca6e 92->96 93->92 103 726cb37-726cbf1 CreateProcessA 94->103 104 726cb00-726cb0a 94->104 95->94 97 726caa4-726caa6 95->97 96->87 101 726caa8-726cab2 97->101 102 726cac9-726cacc 97->102 105 726cab6-726cac5 101->105 106 726cab4 101->106 102->94 118 726cbf3-726cbf9 103->118 119 726cbfa-726cc80 103->119 104->103 108 726cb0c-726cb0e 104->108 105->105 107 726cac7 105->107 106->105 107->102 110 726cb10-726cb1a 108->110 111 726cb31-726cb34 108->111 113 726cb1e-726cb2d 110->113 114 726cb1c 110->114 111->103 113->113 116 726cb2f 113->116 114->113 116->111 118->119 129 726cc82-726cc86 119->129 130 726cc90-726cc94 119->130 129->130 131 726cc88 129->131 132 726cc96-726cc9a 130->132 133 726cca4-726cca8 130->133 131->130 132->133 136 726cc9c 132->136 134 726ccaa-726ccae 133->134 135 726ccb8-726ccbc 133->135 134->135 137 726ccb0 134->137 138 726ccce-726ccd5 135->138 139 726ccbe-726ccc4 135->139 136->133 137->135 140 726ccd7-726cce6 138->140 141 726ccec 138->141 139->138 140->141 143 726cced 141->143 143->143
                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0726CBDE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 8f86c9a1f601b49c4e050f244af756e580c0d94da0e0f83d8b17cbd2ed768a8e
                                                • Instruction ID: 2205b1463564436960f84cbca6170e7e58cff078da1576b0dac45908e7118960
                                                • Opcode Fuzzy Hash: 8f86c9a1f601b49c4e050f244af756e580c0d94da0e0f83d8b17cbd2ed768a8e
                                                • Instruction Fuzzy Hash: 8CA16CB1D1025ACFEB24DFA8C8447DDBBB2BF48310F14856AD859A7240DB74A9C5CFA1

                                                Control-flow Graph

                                                control_flow_graph 144 726c9a8-726ca3d 146 726ca76-726ca96 144->146 147 726ca3f-726ca49 144->147 154 726cacf-726cafe 146->154 155 726ca98-726caa2 146->155 147->146 148 726ca4b-726ca4d 147->148 149 726ca70-726ca73 148->149 150 726ca4f-726ca59 148->150 149->146 152 726ca5d-726ca6c 150->152 153 726ca5b 150->153 152->152 156 726ca6e 152->156 153->152 161 726cb37-726cbf1 CreateProcessA 154->161 162 726cb00-726cb0a 154->162 155->154 157 726caa4-726caa6 155->157 156->149 159 726caa8-726cab2 157->159 160 726cac9-726cacc 157->160 163 726cab6-726cac5 159->163 164 726cab4 159->164 160->154 175 726cbf3-726cbf9 161->175 176 726cbfa-726cc80 161->176 162->161 166 726cb0c-726cb0e 162->166 163->163 165 726cac7 163->165 164->163 165->160 167 726cb10-726cb1a 166->167 168 726cb31-726cb34 166->168 170 726cb1e-726cb2d 167->170 171 726cb1c 167->171 168->161 170->170 173 726cb2f 170->173 171->170 173->168 175->176 186 726cc82-726cc86 176->186 187 726cc90-726cc94 176->187 186->187 188 726cc88 186->188 189 726cc96-726cc9a 187->189 190 726cca4-726cca8 187->190 188->187 189->190 193 726cc9c 189->193 191 726ccaa-726ccae 190->191 192 726ccb8-726ccbc 190->192 191->192 194 726ccb0 191->194 195 726ccce-726ccd5 192->195 196 726ccbe-726ccc4 192->196 193->190 194->192 197 726ccd7-726cce6 195->197 198 726ccec 195->198 196->195 197->198 200 726cced 198->200 200->200
                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0726CBDE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 26d0666b5cbca19288b9293a929923af2ff23e275adb6be3941e4381c7a73f32
                                                • Instruction ID: 002a46b8412c06f83baf9b0482ec8ee09506357b13e00ee2cacdd9c5ed66953b
                                                • Opcode Fuzzy Hash: 26d0666b5cbca19288b9293a929923af2ff23e275adb6be3941e4381c7a73f32
                                                • Instruction Fuzzy Hash: 75914AB1D1025ADFEF24DF68C84579DBAB2BF48310F14856AE848A7240DB74A9C5CFA1

                                                Control-flow Graph

                                                control_flow_graph 201 106b130-106b13f 202 106b141-106b14e call 106aaf4 201->202 203 106b16b-106b16f 201->203 210 106b164 202->210 211 106b150 202->211 204 106b183-106b1c4 203->204 205 106b171-106b17b 203->205 212 106b1c6-106b1ce 204->212 213 106b1d1-106b1df 204->213 205->204 210->203 256 106b156 call 106b3ba 211->256 257 106b156 call 106b3c8 211->257 212->213 215 106b203-106b205 213->215 216 106b1e1-106b1e6 213->216 214 106b15c-106b15e 214->210 217 106b2a0-106b360 214->217 218 106b208-106b20f 215->218 219 106b1f1 216->219 220 106b1e8-106b1ef call 106ab00 216->220 251 106b362-106b365 217->251 252 106b368-106b393 GetModuleHandleW 217->252 222 106b211-106b219 218->222 223 106b21c-106b223 218->223 221 106b1f3-106b201 219->221 220->221 221->218 222->223 225 106b225-106b22d 223->225 226 106b230-106b239 call 106ab10 223->226 225->226 232 106b246-106b24b 226->232 233 106b23b-106b243 226->233 234 106b24d-106b254 232->234 235 106b269-106b276 232->235 233->232 234->235 237 106b256-106b266 call 106ab20 call 106ab30 234->237 241 106b278-106b296 235->241 242 106b299-106b29f 235->242 237->235 241->242 251->252 253 106b395-106b39b 252->253 254 106b39c-106b3b0 252->254 253->254 256->214 257->214
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0106B386
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140240736.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1060000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: b765ee670d149e0fd2de8d8f1e23bb25f4eb29579da1201f0e52edec30a96ebb
                                                • Instruction ID: f132c2f38e24c8533bcd94298aeaa1ded12155028da01b65ee2ded4f7a7e3035
                                                • Opcode Fuzzy Hash: b765ee670d149e0fd2de8d8f1e23bb25f4eb29579da1201f0e52edec30a96ebb
                                                • Instruction Fuzzy Hash: 197146B0A00B068FE764DF6AD44476ABBF5FF88300F00892DD58ADBA51DB74E945CB91

                                                Control-flow Graph

                                                control_flow_graph 258 106590d 259 1065915-10659d9 CreateActCtxA 258->259 261 10659e2-1065a3c 259->261 262 10659db-10659e1 259->262 269 1065a3e-1065a41 261->269 270 1065a4b-1065a4f 261->270 262->261 269->270 271 1065a60 270->271 272 1065a51-1065a5d 270->272 274 1065a61 271->274 272->271 274->274
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 010659C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140240736.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1060000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 3ce826f6fbe9293c0090e228a3c33f2af54aa8e051cb8aedfcea45b540b306c6
                                                • Instruction ID: 727022cafa23fb003cd094c3647628b2ce804293fd35c2779abcb4b457423afc
                                                • Opcode Fuzzy Hash: 3ce826f6fbe9293c0090e228a3c33f2af54aa8e051cb8aedfcea45b540b306c6
                                                • Instruction Fuzzy Hash: 6E41E070C00719CBEB25CFAAC985BDEBBF5BF88704F20816AD408AB251DB756946CF50

                                                Control-flow Graph

                                                control_flow_graph 275 10644c4-10659d9 CreateActCtxA 278 10659e2-1065a3c 275->278 279 10659db-10659e1 275->279 286 1065a3e-1065a41 278->286 287 1065a4b-1065a4f 278->287 279->278 286->287 288 1065a60 287->288 289 1065a51-1065a5d 287->289 291 1065a61 288->291 289->288 291->291
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 010659C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140240736.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1060000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 6349895acb8f81dd5ad9dd8ea01ea771a2c77d131db6d19df0dcafe4da202fa0
                                                • Instruction ID: 2f913578ced9c75c6c635620949e53141653d8c1e02573157a2be1d0b1a19795
                                                • Opcode Fuzzy Hash: 6349895acb8f81dd5ad9dd8ea01ea771a2c77d131db6d19df0dcafe4da202fa0
                                                • Instruction Fuzzy Hash: 8241C170C0071DCBEB25CFAAC98479EBBF9BF89704F20816AD508AB251DB756945CF90

                                                Control-flow Graph

                                                control_flow_graph 292 726c580-726c585 293 726c587-726c5d3 292->293 294 726c528-726c550 292->294 297 726c5d5-726c5e1 293->297 298 726c5e3-726c613 Wow64SetThreadContext 293->298 299 726c552-726c558 294->299 300 726c55a 294->300 297->298 303 726c615-726c61b 298->303 304 726c61c-726c64c 298->304 301 726c55d-726c572 299->301 300->301 303->304
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0726C606
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 74546d1e8acdafdbbf96468a5f2c04656b64acb1597f183e5f986fe0c0022a90
                                                • Instruction ID: ca648bb97d05b119a943d35134bce1125307047cc7ad7ec69dd067df05b7b3b0
                                                • Opcode Fuzzy Hash: 74546d1e8acdafdbbf96468a5f2c04656b64acb1597f183e5f986fe0c0022a90
                                                • Instruction Fuzzy Hash: 673119B1D102499FDB10DFA9C485BEEBBF0EF88314F14802AD559AB354C774A985CFA1

                                                Control-flow Graph

                                                control_flow_graph 310 726c720-726c76e 312 726c770-726c77c 310->312 313 726c77e-726c7bd WriteProcessMemory 310->313 312->313 316 726c7c6-726c7f6 313->316 317 726c7bf-726c7c5 313->317 317->316
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0726C7B0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 1d4427f17a6ca98124cebdbe0758eb8c383140acb111f5c36c86f5f13f862e51
                                                • Instruction ID: b0714578913b450b56cc7b75d97b6991065c0d0ba9ac3895703d9936409455d6
                                                • Opcode Fuzzy Hash: 1d4427f17a6ca98124cebdbe0758eb8c383140acb111f5c36c86f5f13f862e51
                                                • Instruction Fuzzy Hash: B92128B590034A9FDF10DFA9C885BDEBBF5FF48310F10842AE558A7240C778A550CBA4

                                                Control-flow Graph

                                                control_flow_graph 321 106d600-106d69c DuplicateHandle 322 106d6a5-106d6c2 321->322 323 106d69e-106d6a4 321->323 323->322
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0106D68F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140240736.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1060000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: fc1a440139c7c91b2a4d5d2fc96e409c2bd032718934a8d915d2c2ef20e3a359
                                                • Instruction ID: c91710a859b5ec8ae88abbfcea33d79948718f4c27fc074e806285415dbacf3b
                                                • Opcode Fuzzy Hash: fc1a440139c7c91b2a4d5d2fc96e409c2bd032718934a8d915d2c2ef20e3a359
                                                • Instruction Fuzzy Hash: EA21E6B59003099FDB10CFAAD984ADEBFF4FB48320F14841AE958A7350D378A950CF61

                                                Control-flow Graph

                                                control_flow_graph 326 726c588-726c5d3 328 726c5d5-726c5e1 326->328 329 726c5e3-726c613 Wow64SetThreadContext 326->329 328->329 331 726c615-726c61b 329->331 332 726c61c-726c64c 329->332 331->332
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0726C606
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 4a74ebd435fd15bf81c38f3abdd67b6266f16f8bfaf77705d24a349035317420
                                                • Instruction ID: 10fc84f0bf3bcd5512b727ecaa4cf1ed776fc34188e3ef2dab0ed11e3ca7e672
                                                • Opcode Fuzzy Hash: 4a74ebd435fd15bf81c38f3abdd67b6266f16f8bfaf77705d24a349035317420
                                                • Instruction Fuzzy Hash: CE213AB1D003099FDB10DFAAC4857AEBBF4AF88324F14842AD559A7240CB78A584CFA5

                                                 Control-flow Graph (basic blocks and edges; executed vs. not-executed colouring not recoverable from the text)
                                                 control_flow_graph 336 726c810-726c89d ReadProcessMemory 339 726c8a6-726c8d6 336->339 340 726c89f-726c8a5 336->340 340->339
                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0726C890
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: e37c73741fc32244aa789d4a70e4e24872e5353db1e2809b8977a894fe1b25f8
                                                • Instruction ID: b3f583d2bf64e0c6d080f68495c0a5c601fffe56ba42ba13eadcb04a5725d342
                                                • Opcode Fuzzy Hash: e37c73741fc32244aa789d4a70e4e24872e5353db1e2809b8977a894fe1b25f8
                                                • Instruction Fuzzy Hash: 352116B18003499FDB10DFAAC885BDEBBF5FF48310F10842AE558A7240D778A550CBA5

                                                 Control-flow Graph (basic blocks and edges; executed vs. not-executed colouring not recoverable from the text)
                                                 control_flow_graph 344 106d608-106d69c DuplicateHandle 345 106d6a5-106d6c2 344->345 346 106d69e-106d6a4 344->346 346->345
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0106D68F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140240736.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1060000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 7e9d5c02ebbc51daca64b6c039046e0c647ccd9836b07a7c4944caef3d33501b
                                                • Instruction ID: 424b4737add96f926c4c5b6970bc8958f8a104dd6e732bd4d1fa8373ce221894
                                                • Opcode Fuzzy Hash: 7e9d5c02ebbc51daca64b6c039046e0c647ccd9836b07a7c4944caef3d33501b
                                                • Instruction Fuzzy Hash: 7D21E4B59002099FDB10CF9AD984ADEBFF8FB48320F14841AE958A3350D378A950CF64
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0726C6CE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: f2d260f37ff004c2c03af7f2484869f501df473ce423b94bd5d88106b1e92837
                                                • Instruction ID: 40c08305dcf1045879c19e902ca33dbe73c319e5908b9b64184aa791cd5aab0c
                                                • Opcode Fuzzy Hash: f2d260f37ff004c2c03af7f2484869f501df473ce423b94bd5d88106b1e92837
                                                • Instruction Fuzzy Hash: FF1156B28003499FDF10DFAAC844BDFBBF5AF88320F10841AE519A7250CB75A550CFA4
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0726C6CE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 124c7ac3939d452eb283db758ba64ed440ea2ade6c9157fc16725db6d29383c1
                                                • Instruction ID: 83596ed9edf2d5368fab92374f7eeb09c0a5528dcf8eab3fc9cb7bf6b2f47a9d
                                                • Opcode Fuzzy Hash: 124c7ac3939d452eb283db758ba64ed440ea2ade6c9157fc16725db6d29383c1
                                                • Instruction Fuzzy Hash: C11156B2900249DFDF10DFAAC844BDEBBF1AF88324F14841AE619A7250C775A550CFA4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 7c43cdf116bbfca5f872afcbc083068badc2a3627192875065800c768d85b804
                                                • Instruction ID: aa19800ba96aa18e91519999799e17f03aae9656edbf77090aa84912db490814
                                                • Opcode Fuzzy Hash: 7c43cdf116bbfca5f872afcbc083068badc2a3627192875065800c768d85b804
                                                • Instruction Fuzzy Hash: 911158B1900349CFDB14DFAAC4497DEFBF4EF88724F24885AD519A7240CB79A540CBA5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: d4f0750ae2caeaf1484b1d3f64a7bf04b4871df52c4843d2d68ff03ecc2e78ee
                                                • Instruction ID: dff30d0bb777f83667f147afb11b5a4de971bae4cdd8a8c1327a748666486148
                                                • Opcode Fuzzy Hash: d4f0750ae2caeaf1484b1d3f64a7bf04b4871df52c4843d2d68ff03ecc2e78ee
                                                • Instruction Fuzzy Hash: 0E1136B19003498FDB24DFAAC84579FFBF5AF88724F24841AD519A7240CB79A940CFA5
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0106B386
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140240736.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1060000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 4fffa20666612c71e63755caa53bd14b4fd41f9253f1b08633d3e86c0e63eba6
                                                • Instruction ID: 9acf5b389ddb144c5a2537b3ccf4cd219c5b06f7c3b67d765412cdfc586bc969
                                                • Opcode Fuzzy Hash: 4fffa20666612c71e63755caa53bd14b4fd41f9253f1b08633d3e86c0e63eba6
                                                • Instruction Fuzzy Hash: CD110FB6D003498FDB14CF9AC444A9EFBF8AB88224F10845AD958B7210D3B9A545CFA1
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 0726EF05
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 64b0d0c55ffc40f2aefbf5d78312ca489b797f8e5bfa08841b407d31f947fa89
                                                • Instruction ID: 1dfe5ddf5eed53f821523c934eec8898311b8a7c2c0e74710b66a1cdd14195c9
                                                • Opcode Fuzzy Hash: 64b0d0c55ffc40f2aefbf5d78312ca489b797f8e5bfa08841b407d31f947fa89
                                                • Instruction Fuzzy Hash: 6F11F5B5800349DFDB10DF9AC548BDEBBF8FB48324F10845AE514A7240C3B5A954CFA1
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 0726EF05
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: a9b1cfd53c606b1120d44c86d790751f6e65016c7d360607afb83bd4a1bfdcbe
                                                • Instruction ID: 66c5c496c61d335d5634f8ab211fd6a6e85d8e8e1efa0b253bca907a3ba17673
                                                • Opcode Fuzzy Hash: a9b1cfd53c606b1120d44c86d790751f6e65016c7d360607afb83bd4a1bfdcbe
                                                • Instruction Fuzzy Hash: E611DFB5800349DFDB10CF9AD489BDEBBF4EB48324F10845AE518A7240D3B5A584CFA1
                                                APIs
                                                • CloseHandle.KERNELBASE(?), ref: 074D0B50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2166250359.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74d0000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: CloseHandle
                                                • String ID:
                                                • API String ID: 2962429428-0
                                                • Opcode ID: 94d1e02644b18ba0454380bf9ac3edc4b590655f6b049f6e515164f5e6a8f362
                                                • Instruction ID: ebd2fed94d6320f0425b5fbc17a5f3b1025e23ced9150b877568768721c15aa6
                                                • Opcode Fuzzy Hash: 94d1e02644b18ba0454380bf9ac3edc4b590655f6b049f6e515164f5e6a8f362
                                                • Instruction Fuzzy Hash: DD1125B1800349CFCB10DF9AD585BEEBBF4EB48324F14845AD558A7341D778A944CFA5
                                                APIs
                                                • CloseHandle.KERNELBASE(?), ref: 074D0B50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2166250359.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74d0000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: CloseHandle
                                                • String ID:
                                                • API String ID: 2962429428-0
                                                • Opcode ID: 0fc6babe6810ae5a9cf64c97e9c47cfb4eea02dee9e21c0d5139074ca3d9cc2e
                                                • Instruction ID: dfc3231e6f7f7d57931aaf89a6841f49a66108dc04570b23318613435c177a17
                                                • Opcode Fuzzy Hash: 0fc6babe6810ae5a9cf64c97e9c47cfb4eea02dee9e21c0d5139074ca3d9cc2e
                                                • Instruction Fuzzy Hash: 061103B6800349DFDB10DF9AC585BEEBBF4EB48324F20845AD558A7340D778A944CFA5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2139973623.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ffd000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0b4d66341ee5b30406513bfcee13fb4bd80e6fb72b65fda85046a33a200558a0
                                                • Instruction ID: c44306e43fff139dfc1a53471f8444dd44da22e4fbcf33d16b91a2f6dcd2e171
                                                • Opcode Fuzzy Hash: 0b4d66341ee5b30406513bfcee13fb4bd80e6fb72b65fda85046a33a200558a0
                                                • Instruction Fuzzy Hash: BD212876504208DFDB04DF14D9C0B36BF66FF94324F20C16DDA090B266C376E856EAA2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2139973623.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ffd000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dd687ef629923eaff3def94d7516d3447274f27dac28166bd9d791971ccea472
                                                • Instruction ID: 60379f639ebcd706cd23b915553a7a8548155a2cb8d5af9198870bdd0bc8fe33
                                                • Opcode Fuzzy Hash: dd687ef629923eaff3def94d7516d3447274f27dac28166bd9d791971ccea472
                                                • Instruction Fuzzy Hash: B5212872504248DFDB05DF14D9C0B36BF66FF84328F28C569DA090B266C336D856EAA2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140030084.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_100d000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9f65cd94274afad7739ccebfa8011a00f85d3064ba559798ff62a0b7bfe40618
                                                • Instruction ID: 94553e994c1bfcda747c192aa15fb40c7544ad12952870c162ec0933d219ef2a
                                                • Opcode Fuzzy Hash: 9f65cd94274afad7739ccebfa8011a00f85d3064ba559798ff62a0b7bfe40618
                                                • Instruction Fuzzy Hash: 5F212271504300EFEB06DF98D9C0B2ABBA1FB84324F20C5ADE9894B292C776D406CB71
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140030084.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_100d000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a5da457806b284282c57417da6c2c3029e022b7f6ce38b23aceef67e8c91bb12
                                                • Instruction ID: 463751fbaa83888ad7ef750ae716778e431b4c679cb8b135f0eee841536fc827
                                                • Opcode Fuzzy Hash: a5da457806b284282c57417da6c2c3029e022b7f6ce38b23aceef67e8c91bb12
                                                • Instruction Fuzzy Hash: CE210375604200EFEB16DF94D980B26BBA5EB84314F20C5ADE98E4B292C376D406CB71
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2139973623.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ffd000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                • Instruction ID: 14cd069dfe84bda052f4f2031d3fb27a80e7f98ce4bdd16be8b309e3340b1597
                                                • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                • Instruction Fuzzy Hash: 8411D676904284CFCB15CF10D5C4B26BF72FF94328F28C5A9D9450B666C336D456DB91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2139973623.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ffd000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                • Instruction ID: fd349cfe6d587e9ad3a215ca55790ffc6a1aeb29837b104f37fbe880c82b8957
                                                • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                • Instruction Fuzzy Hash: 7F11E976904244DFCB15CF10D5C4B26BF72FF94324F24C6A9D9090B666C33AD456DBA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140030084.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_100d000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                • Instruction ID: de7b76f9570a1c8aad5abd85489301ec842738dce5ba8e53ef6b54a6c98057b9
                                                • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                • Instruction Fuzzy Hash: CB11BB75504280CFDB12CF94D5C4B15BBA2FB84314F24C6AAE8494B696C33AD40ACBA2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140030084.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_100d000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                • Instruction ID: 72e3548e97da88f9daa43bc90671feb6c52322d1ee1c7f6bb2cce3a049c525c1
                                                • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                • Instruction Fuzzy Hash: 3611BB75504280DFDB02CF98C5C0B15BBA1FB84224F24C6A9D8894B6A6C33AD40ACB62
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2139973623.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ffd000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 296f0854004a59278be48da9676f5ca1ab91ccdb303d9471e5744dc79adbe232
                                                • Instruction ID: 6112e93390b9101acc8e83ba2ea8da8fc00dee7382d495fd2a7f4860c99ae367
                                                • Opcode Fuzzy Hash: 296f0854004a59278be48da9676f5ca1ab91ccdb303d9471e5744dc79adbe232
                                                • Instruction Fuzzy Hash: C301F7734053489AE7146A25CD80B36FF99DF41334F18C41AEF084E2A6C7799840D671
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2139973623.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ffd000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0185a0c88c2119e80334ec57fdf5489d064e786fa28e431145e3e3caf1030e8d
                                                • Instruction ID: 0ce2a8a3695de73b0534e8e749aec9e5ee0568861ae47d2775dae5d28399e38b
                                                • Opcode Fuzzy Hash: 0185a0c88c2119e80334ec57fdf5489d064e786fa28e431145e3e3caf1030e8d
                                                • Instruction Fuzzy Hash: 54F068724053449EE7149A16DDC4762FFA8EF91734F14C45AEE085E296C3795844CB71
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3548f9da7d0e3a56344e8c1cbd45b873988c31325c5536b09301bd6a7316d0e
                                                • Instruction ID: 69db975b5a55d6688244385914b7b6b0833a28edafb826e34762eb5f14fc8694
                                                • Opcode Fuzzy Hash: a3548f9da7d0e3a56344e8c1cbd45b873988c31325c5536b09301bd6a7316d0e
                                                • Instruction Fuzzy Hash: C2E13EB4E142598FCB14DFA8C584AAEFBF2FF49300F24815AD444AB355DB30A982CF61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 364080ccc75a2f4cfe76b17d6ef653d262c579383b571151497634d020de8c35
                                                • Instruction ID: 0e4ed0b6000c4fe39601745cb94f5fecb5bbeadafec50888094fc2d712ef488d
                                                • Opcode Fuzzy Hash: 364080ccc75a2f4cfe76b17d6ef653d262c579383b571151497634d020de8c35
                                                • Instruction Fuzzy Hash: 2EE11BB4E112598FDB14DFA9C584AAEFBB2BF49304F24825AD405BB355D7309982CF60
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e7e250861f10136851477c9a38bb2980d528ced6b6de6dcaa05d688ca124267d
                                                • Instruction ID: 5a94e86a56cd3ec2240109d1c9d76bd526733d3179cffb27106c9eeec65f2b3d
                                                • Opcode Fuzzy Hash: e7e250861f10136851477c9a38bb2980d528ced6b6de6dcaa05d688ca124267d
                                                • Instruction Fuzzy Hash: 36E14DB4E102598FCB14DFA9C584AAEFBF2FF49300F64816AD455AB355D730A982CF60
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cb43b4724607d73405cce8b39c8b56bed352d884f8d72ed37048f971f32add97
                                                • Instruction ID: 38730d8727ae34cf85098c8da652dd155211fdd5bd50e98651223fab8cbf195a
                                                • Opcode Fuzzy Hash: cb43b4724607d73405cce8b39c8b56bed352d884f8d72ed37048f971f32add97
                                                • Instruction Fuzzy Hash: 3CE11BB4E102598FDB14DFA9C584AAEFBB2BF49301F24C159D415BB355DB30A982CF60
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e01486d6cd5e3d9c867d679e7a0d5dd0cea5f54e4648b5a6f3b1d9eb4a065cd2
                                                • Instruction ID: 4130595b061484d39a15a1e2f2cca40abe002d22d7eb2a9b4152f58f0bf61366
                                                • Opcode Fuzzy Hash: e01486d6cd5e3d9c867d679e7a0d5dd0cea5f54e4648b5a6f3b1d9eb4a065cd2
                                                • Instruction Fuzzy Hash: E7E11CB4E102598FDB14DFA8C584AAEFBB2FF89305F24815AD415AB355DB309D82CF60
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2166250359.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_74d0000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 002a82b77fa0b7398587fa3d919236e82f707ec8bd706efda2b202ab4625ee2f
                                                • Instruction ID: 4070378eb6a07f2483e6ed3af0a7675c04fb068d35e8518cd45256df7b9ed21a
                                                • Opcode Fuzzy Hash: 002a82b77fa0b7398587fa3d919236e82f707ec8bd706efda2b202ab4625ee2f
                                                • Instruction Fuzzy Hash: 6AD1C7B4A00109CFDB14DF69C598AE9B7F1BF4C311F2680A9E946AB361DB35AD41CF60
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aaeb97470d9c430f20baac4e76ad08c1fa898b053cbc023f67faf87f6a0c3514
                                                • Instruction ID: d046b857ebf723f567475a85d3bb07a980d73ddfafb997b83232ec087fd009ba
                                                • Opcode Fuzzy Hash: aaeb97470d9c430f20baac4e76ad08c1fa898b053cbc023f67faf87f6a0c3514
                                                • Instruction Fuzzy Hash: 78D1153192075ACADB11EFA4D991AADB771FF95300F50C79AE5093B224EF706AC4CB81
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2140240736.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1060000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ac28f4ace3b7803be3e745e6ff59e3a3a7145040c45f2261a982c3162425eaa3
                                                • Instruction ID: b89e423e841abd27f2f24da88752d8cdaecd1da08ff414ec3854168eb779e3f9
                                                • Opcode Fuzzy Hash: ac28f4ace3b7803be3e745e6ff59e3a3a7145040c45f2261a982c3162425eaa3
                                                • Instruction Fuzzy Hash: 64A18D36A0020ACFCF15DFB5D8445DEBBF6FF84300B1581AAE941AB265DB71E956CB80
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 323f148797bae6ac840f8c26a347ea162f7bd16b43214e996f7dce79984213f7
                                                • Instruction ID: a4e3823a7db25b457d397a44e08132c4e911faa27fbeec028104ffa57f5db8d7
                                                • Opcode Fuzzy Hash: 323f148797bae6ac840f8c26a347ea162f7bd16b43214e996f7dce79984213f7
                                                • Instruction Fuzzy Hash: 09D1263192075ACADB11EFA4D991AADB771FF95300F50C79AE5093B224EF706AC4CB81
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 230973a127b6f798c8daad277a13cd5285cfc65f00cc43a1162617777ff38a29
                                                • Instruction ID: 9f77e872f85709d821b9a59ba0c7048eb2e30ed2ee7442cbfcbe81244b8471e9
                                                • Opcode Fuzzy Hash: 230973a127b6f798c8daad277a13cd5285cfc65f00cc43a1162617777ff38a29
                                                • Instruction Fuzzy Hash: CE5109B5E102598FDB14CFA9C5855AEBBF2BF89304F24C16AD408BB355D7309982CFA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165282977.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7260000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: df2f901ccf377671ffe9190f9877c094669628dd3524c480c4c64119b4a69e00
                                                • Instruction ID: 3e0c56283677440198516dd14b4d0f044013098d7e8e5f46b22b284f30129999
                                                • Opcode Fuzzy Hash: df2f901ccf377671ffe9190f9877c094669628dd3524c480c4c64119b4a69e00
                                                • Instruction Fuzzy Hash: 3A513DB0E112598FDB14CFA9C5845AEFBF2FF89304F24816AD418AB355D7309982CF61

                                                Execution Graph

                                                Execution Coverage:7.6%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:114
                                                Total number of Limit Nodes:11
                                                execution_graph 15231 2d84668 15232 2d84676 15231->15232 15237 2d86de0 15232->15237 15235 2d84704 15238 2d86e05 15237->15238 15246 2d86edf 15238->15246 15250 2d86ef0 15238->15250 15239 2d846e9 15242 2d8421c 15239->15242 15243 2d84227 15242->15243 15258 2d88560 15243->15258 15245 2d88806 15245->15235 15248 2d86f17 15246->15248 15247 2d86ff4 15247->15247 15248->15247 15254 2d86414 15248->15254 15252 2d86f17 15250->15252 15251 2d86ff4 15251->15251 15252->15251 15253 2d86414 CreateActCtxA 15252->15253 15253->15251 15255 2d87370 CreateActCtxA 15254->15255 15257 2d87433 15255->15257 15259 2d8856b 15258->15259 15262 2d88580 15259->15262 15261 2d888dd 15261->15245 15263 2d8858b 15262->15263 15266 2d885b0 15263->15266 15265 2d889ba 15265->15261 15267 2d885bb 15266->15267 15270 2d885e0 15267->15270 15269 2d88aad 15269->15265 15271 2d885eb 15270->15271 15273 2d89e93 15271->15273 15277 2d8bed1 15271->15277 15272 2d89ed1 15272->15269 15273->15272 15283 2d8df60 15273->15283 15288 2d8df70 15273->15288 15278 2d8beda 15277->15278 15280 2d8be91 15277->15280 15293 2d8bef8 15278->15293 15297 2d8bf08 15278->15297 15279 2d8bee6 15279->15273 15280->15273 15285 2d8df70 15283->15285 15284 2d8dfb5 15284->15272 15285->15284 15332 2d8e110 15285->15332 15336 2d8e120 15285->15336 15289 2d8df91 15288->15289 15290 2d8dfb5 15289->15290 15291 2d8e110 4 API calls 15289->15291 15292 2d8e120 4 API calls 15289->15292 15290->15272 15291->15290 15292->15290 15301 2d8bff0 15293->15301 15311 2d8c000 15293->15311 15294 2d8bf17 15294->15279 15298 2d8bf17 15297->15298 15299 2d8c000 2 API calls 15297->15299 15300 2d8bff0 2 API calls 15297->15300 15298->15279 15299->15298 15300->15298 15302 2d8c011 15301->15302 15305 2d8c034 15301->15305 15321 2d8af60 15302->15321 15305->15294 15306 2d8c02c 15306->15305 15307 2d8c238 GetModuleHandleW 15306->15307 15308 2d8c265 15307->15308 15308->15294 15312 2d8c011 15311->15312 15315 2d8c034 15311->15315 15313 2d8af60 GetModuleHandleW 15312->15313 15314 2d8c01c 15313->15314 15314->15315 15319 2d8c698 GetModuleHandleW 15314->15319 15320 2d8c689 GetModuleHandleW 15314->15320 15315->15294 15316 2d8c02c 15316->15315 15317 2d8c238 GetModuleHandleW 15316->15317 15318 2d8c265 15317->15318 15318->15294 15319->15316 15320->15316 15323 2d8c1f0 GetModuleHandleW 15321->15323 15324 2d8c01c 15323->15324 15324->15305 15325 2d8c689 15324->15325 15329 2d8c698 15324->15329 15326 2d8c698 15325->15326 15327 2d8af60 GetModuleHandleW 15326->15327 15328 2d8c6ac 15327->15328 15328->15306 15330 2d8af60 GetModuleHandleW 15329->15330 15331 2d8c6ac 15330->15331 15331->15306 15333 2d8e120 15332->15333 15335 2d8e166 15333->15335 15340 2d8c464 15333->15340 15335->15284 15338 2d8e12d 15336->15338 15337 2d8c464 4 API calls 15339 2d8e166 15337->15339 15338->15337 15338->15339 15339->15284 15341 2d8c46f 15340->15341 15343 2d8e1d8 15341->15343 15344 2d8c498 15341->15344 15343->15343 15345 2d8c4a3 15344->15345 15346 2d885e0 4 API calls 15345->15346 15347 2d8e247 15346->15347 15350 2d8e2c0 15347->15350 15348 2d8e256 15348->15343 15351 2d8e2ee 15350->15351 15352 2d8e3ba KiUserCallbackDispatcher 15351->15352 15353 2d8e3bf 15351->15353 15352->15353 15354 2d8477c 15355 2d846df 15354->15355 15355->15354 15356 2d84796 15355->15356 15360 2d86de0 CreateActCtxA 15355->15360 15357 2d846e9 15358 2d8421c 4 API calls 15357->15358 15359 2d84704 15358->15359 15360->15357 15361 2d86540 15362 2d86586 15361->15362 15366 2d8670f 15362->15366 15370 2d86720 15362->15370 15363 2d86673 15367 2d86713 15366->15367 15369 2d8674e 15366->15369 15373 2d8611c 15367->15373 15369->15363 15371 2d8611c DuplicateHandle 15370->15371 15372 2d8674e 15371->15372 15372->15363 15374 2d86788 DuplicateHandle 15373->15374 15376 2d8681e 15374->15376 15376->15369

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2174286099.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_2d80000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: ddd1d52f87c570d84e0fd8fa68d1bbfb74f65a4f19ff728fc4ba4aba98b44e01
                                                • Instruction ID: 0197e822ac4c9ecd786710062a23ef3353bde954fd3abdd3aad21379e4cc5bd5
                                                • Opcode Fuzzy Hash: ddd1d52f87c570d84e0fd8fa68d1bbfb74f65a4f19ff728fc4ba4aba98b44e01
                                                • Instruction Fuzzy Hash: ED7103B0A10B05CFD728EF69D48075ABBF1FB88644F10892ED48A97B50DB75E845CBA1

                                                Control-flow Graph

                                                control_flow_graph 57 2d86414-2d87431 CreateActCtxA 60 2d8743a-2d87494 57->60 61 2d87433-2d87439 57->61 68 2d874a3-2d874a7 60->68 69 2d87496-2d87499 60->69 61->60 70 2d874b8 68->70 71 2d874a9-2d874b5 68->71 69->68 73 2d874b9 70->73 71->70 73->73
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 02D87421
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2174286099.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_2d80000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 578bb4b81947329a2aeacf64bc26c929bfc82562e7076d93f59fce21c3726ef8
                                                • Instruction ID: 12fa7926fa2e8266412e52c3cda61910f096103a0ef8ec1470d19ba8180886fb
                                                • Opcode Fuzzy Hash: 578bb4b81947329a2aeacf64bc26c929bfc82562e7076d93f59fce21c3726ef8
                                                • Instruction Fuzzy Hash: 1D41EDB0C0071DCBEB24DFA9C984B9EFBB5BF48304F20806AD508AB251DBB56945CF90

                                                Control-flow Graph

                                                control_flow_graph 74 2d87364-2d87431 CreateActCtxA 76 2d8743a-2d87494 74->76 77 2d87433-2d87439 74->77 84 2d874a3-2d874a7 76->84 85 2d87496-2d87499 76->85 77->76 86 2d874b8 84->86 87 2d874a9-2d874b5 84->87 85->84 89 2d874b9 86->89 87->86 89->89
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 02D87421
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2174286099.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_2d80000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: c4cc83763cc59074623903ad4e7e05f3c40945667e9698b83d3b09709ae8efbf
                                                • Instruction ID: ebb482c1135a0b741b7b25686faf9def9f0574a35a8df0a740353623929ce315
                                                • Opcode Fuzzy Hash: c4cc83763cc59074623903ad4e7e05f3c40945667e9698b83d3b09709ae8efbf
                                                • Instruction Fuzzy Hash: 8141EDB5C00719CBEB24DFA9C984BCEFBB5BF48304F20806AD408AB251DB756949CF90

                                                Control-flow Graph

                                                control_flow_graph 90 2d86780-2d867dc 93 2d867df-2d8681c DuplicateHandle 90->93 94 2d8681e-2d86824 93->94 95 2d86825-2d86842 93->95 94->95
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D8674E,?,?,?,?,?), ref: 02D8680F
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2174286099.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_2d80000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: c792a72ac0e217a334c742630f2287dfcb346c544452dd85244ee90f575b2653
                                                • Instruction ID: a051801e2fc409217ddc3326d7cb4cc5c0d4e3f5e446aa311f278a98bf3ea49d
                                                • Opcode Fuzzy Hash: c792a72ac0e217a334c742630f2287dfcb346c544452dd85244ee90f575b2653
                                                • Instruction Fuzzy Hash: D82139B5900208DFDB10DFA9D884ADEBFF8FB08320F148519E854A3350D778A944CFA0

                                                Control-flow Graph

                                                control_flow_graph 98 2d8611c-2d8681c DuplicateHandle 101 2d8681e-2d86824 98->101 102 2d86825-2d86842 98->102 101->102
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D8674E,?,?,?,?,?), ref: 02D8680F
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2174286099.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_2d80000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 7cf3308c6d97db2d96b789a6276c8c84a16abd7154232f4b293ba1b2e8dad0f0
                                                • Instruction ID: 9889e9853fcf20ca4d573aff63d87c15b5396c950e5c83147236c30e89dcdfef
                                                • Opcode Fuzzy Hash: 7cf3308c6d97db2d96b789a6276c8c84a16abd7154232f4b293ba1b2e8dad0f0
                                                • Instruction Fuzzy Hash: 4D21E4B5900209DFDB10DFAAD984ADEBFF8FB48320F14841AE958A7350D374A950CFA5

                                                Control-flow Graph

                                                control_flow_graph 105 2d8af60-2d8c230 107 2d8c238-2d8c263 GetModuleHandleW 105->107 108 2d8c232-2d8c235 105->108 109 2d8c26c-2d8c280 107->109 110 2d8c265-2d8c26b 107->110 108->107 110->109
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,02D8C01C), ref: 02D8C256
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2174286099.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_2d80000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: fb52cbac16485426aaf7ad5187291c51e01115ac99648334456570335ff177a7
                                                • Instruction ID: 665a2d32c6e40cf6391730341a4e7afeaeee449d02f750c64fb95e5da693fe27
                                                • Opcode Fuzzy Hash: fb52cbac16485426aaf7ad5187291c51e01115ac99648334456570335ff177a7
                                                • Instruction Fuzzy Hash: E11120B5800249CBCB14DF9AC444BDEFBF4EB88624F10801AD529B7300D3B5A905CFA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2171465264.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_144d000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dab1124f643ca8a83189286843a028e16d4e5d2d914c34ccf4f1641dcf58d3fa
                                                • Instruction ID: cf268073b49684bca4fe874f678fd348c32e3ca40114849a7ebd737b21cb0f67
                                                • Opcode Fuzzy Hash: dab1124f643ca8a83189286843a028e16d4e5d2d914c34ccf4f1641dcf58d3fa
                                                • Instruction Fuzzy Hash: 992122B5A04200EFEB15DF94D9C0B26BBA1FB94318F20C56ED90A0B366C77AD407CA61
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2171465264.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_144d000_KRcLFIz5PCQunB7.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: edd030f03cb9574458171c40b6371e15ef78bf4303d64105e745b17dbd4fe7b9
                                                • Instruction ID: 43862a054679c77e0b96f1b6b3265e7365243a0e4fffd1022957f7375a6f7a62
                                                • Opcode Fuzzy Hash: edd030f03cb9574458171c40b6371e15ef78bf4303d64105e745b17dbd4fe7b9
                                                • Instruction Fuzzy Hash: EC2180755093808FDB16CF64D594716BF71EB46218F28C5DBD8498B2A7C33AD80ACB62

                                                Execution Graph

                                                Execution Coverage:9.4%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:225
                                                Total number of Limit Nodes:24
                                                execution_graph 29415 5d9eb28 29416 5d9ecb3 29415->29416 29418 5d9eb4e 29415->29418 29418->29416 29419 5d992f4 29418->29419 29420 5d9eda8 PostMessageW 29419->29420 29421 5d9ee14 29420->29421 29421->29418 29394 10a4668 29395 10a467a 29394->29395 29396 10a4686 29395->29396 29398 10a4778 29395->29398 29399 10a479d 29398->29399 29403 10a4888 29399->29403 29407 10a4879 29399->29407 29405 10a48af 29403->29405 29404 10a498c 29404->29404 29405->29404 29411 10a44c4 29405->29411 29409 10a4888 29407->29409 29408 10a498c 29408->29408 29409->29408 29410 10a44c4 CreateActCtxA 29409->29410 29410->29408 29412 10a5918 CreateActCtxA 29411->29412 29414 10a59db 29412->29414 29422 10ab038 29423 10ab047 29422->29423 29426 10ab120 29422->29426 29431 10ab130 29422->29431 29427 10ab164 29426->29427 29428 10ab141 29426->29428 29427->29423 29428->29427 29429 10ab368 GetModuleHandleW 29428->29429 29430 10ab395 29429->29430 29430->29423 29432 10ab164 29431->29432 29433 10ab141 29431->29433 29432->29423 29433->29432 29434 10ab368 GetModuleHandleW 29433->29434 29435 10ab395 29434->29435 29435->29423 29360 10ad3c0 29361 10ad406 29360->29361 29365 10ad590 29361->29365 29368 10ad5a0 29361->29368 29362 10ad4f3 29371 10aced8 29365->29371 29369 10ad5ce 29368->29369 29370 10aced8 DuplicateHandle 29368->29370 29369->29362 29370->29369 29372 10ad608 DuplicateHandle 29371->29372 29373 10ad5ce 29372->29373 29373->29362 29436 5d9d065 29437 5d9cdc1 29436->29437 29438 5d9cf48 29437->29438 29441 5d9d812 29437->29441 29462 5d9d820 29437->29462 29442 5d9d83a 29441->29442 29443 5d9d85e 29442->29443 29483 5d9df39 29442->29483 29488 5d9dde7 29442->29488 29492 5d9e284 29442->29492 29498 5d9de20 29442->29498 29503 5d9dc61 29442->29503 29509 5d9df8f 29442->29509 29514 5d9e689 29442->29514 29525 5d9e0b6 29442->29525 29533 5d9ddd4 29442->29533 29538 5d9e3d2 29442->29538 29543 5d9e4d3 29442->29543 29547 5d9de33 29442->29547 29552 5d9df11 29442->29552 29561 5d9e33e 29442->29561 29569 5d9e41c 29442->29569 29573 5d9dfdb 29442->29573 29578 5d9db39 29442->29578 29584 5d9e019 29442->29584 29443->29437 29463 5d9d83a 29462->29463 29464 5d9d85e 29463->29464 29465 5d9df39 2 API calls 29463->29465 29466 5d9e019 4 API calls 29463->29466 29467 5d9db39 2 API calls 29463->29467 29468 5d9dfdb 2 API calls 29463->29468 29469 5d9e41c 2 API calls 29463->29469 29470 5d9e33e 4 API calls 29463->29470 29471 5d9df11 4 API calls 29463->29471 29472 5d9de33 2 API calls 29463->29472 29473 5d9e4d3 2 API calls 29463->29473 29474 5d9e3d2 2 API calls 29463->29474 29475 5d9ddd4 2 API calls 29463->29475 29476 5d9e0b6 4 API calls 29463->29476 29477 5d9e689 4 API calls 29463->29477 29478 5d9df8f 2 API calls 29463->29478 29479 5d9dc61 2 API calls 29463->29479 29480 5d9de20 2 API calls 29463->29480 29481 5d9e284 2 API calls 29463->29481 29482 5d9dde7 2 API calls 29463->29482 29464->29437 29465->29464 29466->29464 29467->29464 29468->29464 29469->29464 29470->29464 29471->29464 29472->29464 29473->29464 29474->29464 29475->29464 29476->29464 29477->29464 29478->29464 29479->29464 29480->29464 29481->29464 29482->29464 29485 5d9df4b 29483->29485 29484 5d9e742 29485->29484 29592 5d9c658 29485->29592 29597 5d9c660 29485->29597 29601 5d9c588 29488->29601 29605 5d9c580 29488->29605 29489 5d9de01 29493 5d9de4a 29492->29493 29494 5d9e2d8 29493->29494 29610 5d9c718 29493->29610 29615 5d9c720 29493->29615 29494->29443 29495 5d9dd99 29499 5d9de2d 29498->29499 29619 5d9c099 29499->29619 29623 5d9c0a0 29499->29623 29500 5d9dfbc 29500->29443 29504 5d9dc43 29503->29504 29505 5d9dc17 29504->29505 29627 5d9c9a8 29504->29627 29631 5d9c99c 29504->29631 29505->29443 29510 5d9dfa7 29509->29510 29512 5d9c099 ResumeThread 29510->29512 29513 5d9c0a0 ResumeThread 29510->29513 29511 5d9dfbc 29511->29443 29512->29511 29513->29511 29515 5d9e68f 29514->29515 29516 5d9e5ec 29515->29516 29519 5d9c80a ReadProcessMemory 29515->29519 29520 5d9c810 ReadProcessMemory 29515->29520 29517 5d9dff2 29516->29517 29636 5d9c810 29516->29636 29640 5d9c80a 29516->29640 29518 5d9e08a 29517->29518 29521 5d9c658 VirtualAllocEx 29517->29521 29522 5d9c660 VirtualAllocEx 29517->29522 29518->29443 29519->29516 29520->29516 29521->29517 29522->29517 29527 5d9df32 29525->29527 29526 5d9dff2 29528 5d9e08a 29526->29528 29529 5d9c658 VirtualAllocEx 29526->29529 29530 5d9c660 VirtualAllocEx 29526->29530 29527->29526 29531 5d9c80a ReadProcessMemory 29527->29531 29532 5d9c810 ReadProcessMemory 29527->29532 29528->29443 29529->29526 29530->29526 29531->29527 29532->29527 29534 5d9e6fb 29533->29534 29536 5d9c588 Wow64SetThreadContext 29534->29536 29537 5d9c580 Wow64SetThreadContext 29534->29537 29535 5d9e716 29536->29535 29537->29535 29540 5d9dff2 29538->29540 29539 5d9e742 29540->29539 29541 5d9c658 VirtualAllocEx 29540->29541 29542 5d9c660 VirtualAllocEx 29540->29542 29541->29540 29542->29540 29545 5d9c718 WriteProcessMemory 29543->29545 29546 5d9c720 WriteProcessMemory 29543->29546 29544 5d9e4f7 29545->29544 29546->29544 29548 5d9de39 29547->29548 29550 5d9c718 WriteProcessMemory 29548->29550 29551 5d9c720 WriteProcessMemory 29548->29551 29549 5d9dd99 29550->29549 29551->29549 29553 5d9df32 29552->29553 29554 5d9dff2 29553->29554 29557 5d9c80a ReadProcessMemory 29553->29557 29558 5d9c810 ReadProcessMemory 29553->29558 29555 5d9e08a 29554->29555 29556 5d9e742 29554->29556 29559 5d9c658 VirtualAllocEx 29554->29559 29560 5d9c660 VirtualAllocEx 29554->29560 29555->29443 29557->29553 29558->29553 29559->29554 29560->29554 29562 5d9e030 29561->29562 29563 5d9dff2 29562->29563 29565 5d9c80a ReadProcessMemory 29562->29565 29566 5d9c810 ReadProcessMemory 29562->29566 29564 5d9e08a 29563->29564 29567 5d9c658 VirtualAllocEx 29563->29567 29568 5d9c660 VirtualAllocEx 29563->29568 29564->29443 29565->29562 29566->29562 29567->29563 29568->29563 29571 5d9c718 WriteProcessMemory 29569->29571 29572 5d9c720 WriteProcessMemory 29569->29572 29570 5d9e44a 29571->29570 29572->29570 29574 5d9dfe1 29573->29574 29575 5d9e742 29574->29575 29576 5d9c658 VirtualAllocEx 29574->29576 29577 5d9c660 VirtualAllocEx 29574->29577 29576->29574 29577->29574 29580 5d9db7b 29578->29580 29579 5d9dc17 29579->29443 29580->29579 29582 5d9c9a8 CreateProcessA 29580->29582 29583 5d9c99c CreateProcessA 29580->29583 29581 5d9dd7a 29581->29443 29582->29581 29583->29581 29586 5d9e01f 29584->29586 29585 5d9dff2 29587 5d9e08a 29585->29587 29590 5d9c658 VirtualAllocEx 29585->29590 29591 5d9c660 VirtualAllocEx 29585->29591 29586->29585 29588 5d9c80a ReadProcessMemory 29586->29588 29589 5d9c810 ReadProcessMemory 29586->29589 29587->29443 29588->29586 29589->29586 29590->29585 29591->29585 29593 5d9c65c 29592->29593 29594 5d9c6aa VirtualAllocEx 29593->29594 29595 5d9c61c 29593->29595 29596 5d9c6dd 29594->29596 29595->29485 29596->29485 29598 5d9c661 VirtualAllocEx 29597->29598 29600 5d9c6dd 29598->29600 29600->29485 29602 5d9c589 Wow64SetThreadContext 29601->29602 29604 5d9c615 29602->29604 29604->29489 29606 5d9c584 29605->29606 29607 5d9c544 29606->29607 29608 5d9c5ed Wow64SetThreadContext 29606->29608 29607->29489 29609 5d9c615 29608->29609 29609->29489 29611 5d9c71c 29610->29611 29612 5d9c78e WriteProcessMemory 29611->29612 29613 5d9c6dc 29611->29613 29614 5d9c7bf 29612->29614 29613->29495 29614->29495 29616 5d9c721 WriteProcessMemory 29615->29616 29618 5d9c7bf 29616->29618 29618->29495 29620 5d9c09c ResumeThread 29619->29620 29622 5d9c111 29620->29622 29622->29500 29624 5d9c0a1 ResumeThread 29623->29624 29626 5d9c111 29624->29626 29626->29500 29628 5d9ca31 CreateProcessA 29627->29628 29630 5d9cbf3 29628->29630 29632 5d9c964 29631->29632 29633 5d9c9a7 CreateProcessA 29631->29633 29632->29443 29635 5d9cbf3 29633->29635 29637 5d9c85b ReadProcessMemory 29636->29637 29639 5d9c89f 29637->29639 29639->29516 29641 5d9c85b ReadProcessMemory 29640->29641 29643 5d9c89f 29641->29643 29643->29516 29374 7450518 29375 7450540 29374->29375 29376 7450536 29374->29376 29379 7450580 29376->29379 29385 745056b 29376->29385 29380 745058e 29379->29380 29382 74505ad 29379->29382 29390 74506f1 CloseHandle 29380->29390 29392 74506f8 CloseHandle 29380->29392 29381 74505a9 29381->29375 29382->29375 29386 745058b 29385->29386 29388 74506f1 CloseHandle 29386->29388 29389 74506f8 CloseHandle 29386->29389 29387 74505a9 29387->29375 29388->29387 29389->29387 29391 745075f 29390->29391 29391->29381 29393 745075f 29392->29393 29393->29381

                                                Control-flow Graph

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05D9CBDE
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2234024045.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_5d90000_outlooks.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: f93372e075979be2bdea0129e89c091d69f88cada140f2d5d8b27615001d9ca4
                                                • Instruction ID: 7940743fd984ebe963c0e918bacd395bc3d93191b83f4a43b3ef174659b286a8
                                                • Opcode Fuzzy Hash: f93372e075979be2bdea0129e89c091d69f88cada140f2d5d8b27615001d9ca4
                                                • Instruction Fuzzy Hash: 22A16B71D10259DFEF24CFA8C841BEEBBB2BF48310F14856AE819A7250DB749985CF91

                                                Control-flow Graph

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05D9CBDE
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2234024045.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_5d90000_outlooks.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: f1b88c99df1eb981c3824ce8ff28e344bddf642fe52b18f912eeb605ddd8cdc7
                                                • Instruction ID: 583d92da3b8110e7b33010e15f9ad7cc60c40735e246cc6bb20104247f7de5c3
                                                • Opcode Fuzzy Hash: f1b88c99df1eb981c3824ce8ff28e344bddf642fe52b18f912eeb605ddd8cdc7
                                                • Instruction Fuzzy Hash: 06916B71D10259DFEF14CFA8C840BEDBBB2BF48314F0485AAE819A7250DB749985CF92

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 010AB386
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2197436907.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_10a0000_outlooks.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 80e66ac798b423d429a594a8ed709da01aab92e917cece3ebe3e82f6d72b47f9
                                                • Instruction ID: 3277e449aef25219ce2a249d75645eb1c5923b3390fdbe547f6f4719ba6522b0
                                                • Opcode Fuzzy Hash: 80e66ac798b423d429a594a8ed709da01aab92e917cece3ebe3e82f6d72b47f9
                                                • Instruction Fuzzy Hash: 78714470A00B058FE764DFAAD45479ABBF1FF88700F40892ED48ADBA50DB74E845CB91

                                                Control-flow Graph

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 010A59C9
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2197436907.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_10a0000_outlooks.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 08b6bbfc04e942c7f1c319020fc3f8e64f02d4d918d3705c5037baf3b4f6a105
                                                • Instruction ID: 032eb78a60c3424358f1d8674d33bb9156d674527955826ca9e4ad58d34f2ff8
                                                • Opcode Fuzzy Hash: 08b6bbfc04e942c7f1c319020fc3f8e64f02d4d918d3705c5037baf3b4f6a105
                                                • Instruction Fuzzy Hash: 76510EB1C00719CFEB24CFA9C98479EBBF5BF48314F60806AD548AB251DB756945CF90

                                                Control-flow Graph

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 010A59C9
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2197436907.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_10a0000_outlooks.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 01f344d648a930fe54cb051fb507b36a5f03fd791133a4f6306317a410bd3bc2
                                                • Instruction ID: 958a6dc4ae9e489df27277d0465e46a916d0a0288411ed7a6bf8d0f2596f3647
                                                • Opcode Fuzzy Hash: 01f344d648a930fe54cb051fb507b36a5f03fd791133a4f6306317a410bd3bc2
                                                • Instruction Fuzzy Hash: B141E071C0072DCBEB24CFA9C984B9EBBF5BF48304F60806AD408AB251DBB56945CF90

                                                Control-flow Graph

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05D9C7B0
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2234024045.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_5d90000_outlooks.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 18646a03fcc3a105b5baa3178c17dec83169068bee08f77494bcfb39ac180668
                                                • Instruction ID: 37626d331d2cc8711d636d6f7be51d7277b27aa7b03ccd855b3ed95000cebc8c
                                                • Opcode Fuzzy Hash: 18646a03fcc3a105b5baa3178c17dec83169068bee08f77494bcfb39ac180668
                                                • Instruction Fuzzy Hash: 8B315776D00249DFDF10CFA9D881BEEBBF1BF88320F10842AE519A7250C7749954DBA1

                                                Control-flow Graph

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05D9C606
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2234024045.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_5d90000_outlooks.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 9a2482a22f6aabd690aff2b54f32eed961c1c88f79e8ed3faea59c9ae0e91643
                                                • Instruction ID: 3dd68d6c8d7c9a977911ebd062420cf6645f2b7e99f97d0515b023db23b1ef04
                                                • Opcode Fuzzy Hash: 9a2482a22f6aabd690aff2b54f32eed961c1c88f79e8ed3faea59c9ae0e91643
                                                • Instruction Fuzzy Hash: 3C311271D142498FDF54CFA9C4857EEBBF0FF88324F10802AD519A7251C778A945CBA1

                                                Control-flow Graph

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05D9C6CE
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2234024045.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_5d90000_outlooks.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: a4229eedd9c1142a0aba8097a67c5388f237dbe3f8fb0b5a9bf85b2e4bb4a087
                                                • Instruction ID: 6477910e39c7cc6c6749021e05c6906c984d86acc77db3e0dca2c97525a4f696
                                                • Opcode Fuzzy Hash: a4229eedd9c1142a0aba8097a67c5388f237dbe3f8fb0b5a9bf85b2e4bb4a087
                                                • Instruction Fuzzy Hash: 9E217C729002498FDF10DFA9C845BEEBBF1EF88320F14841AD515A7250D7759915CF91

                                                Control-flow Graph

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05D9C7B0
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2234024045.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_5d90000_outlooks.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 84dbd3df9c41e47c2de89b83775f14d8c05fb9fabd474148e6b8882f41f887a2
                                                • Instruction ID: 79d1d273f0641090beb5a7520ad8b5301f46c5950ec91e2ca88a8bec446ffff3
                                                • Opcode Fuzzy Hash: 84dbd3df9c41e47c2de89b83775f14d8c05fb9fabd474148e6b8882f41f887a2
                                                • Instruction Fuzzy Hash: 49211575900349DFDF10CFA9C885BDEBBF5BF48310F10842AE919A7250C7789950CBA5

                                                Control-flow Graph

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,010AD5CE,?,?,?,?,?), ref: 010AD68F
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2197436907.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_10a0000_outlooks.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 8865ea1a20acac1d81fd1b83f41e6352b938e389e2c930c8522ebab257d9e905
                                                • Instruction ID: 9175068026ab1f9275df44768b6e3e2a82fc743740fc45f572d7116bb58f9336
                                                • Opcode Fuzzy Hash: 8865ea1a20acac1d81fd1b83f41e6352b938e389e2c930c8522ebab257d9e905
                                                • Instruction Fuzzy Hash: 6821E5B5900209DFDB10CFAAD584ADEBBF4FB48310F54845AE958A3310D378A950CFA5

                                                Control-flow Graph

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,010AD5CE,?,?,?,?,?), ref: 010AD68F
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2197436907.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_10a0000_outlooks.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: ad14e66b22d90575fd30e9666041027c1cd64597cbfbf9656e70478e0ea0692a
                                                • Instruction ID: 31d2a906c0cc6d711ecd6da9b8c4f8d573fbc150720af64860c5e295006ce833
                                                • Opcode Fuzzy Hash: ad14e66b22d90575fd30e9666041027c1cd64597cbfbf9656e70478e0ea0692a
                                                • Instruction Fuzzy Hash: 2321E3B59002099FDB10CFAAD984ADEBBF8FB48320F14841AE958A7310D378A950CF65

                                                Control-flow Graph

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05D9C890
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2234024045.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_5d90000_outlooks.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 6ae42dcfd6d83d13941aaa5c5a5c23cbf1471c6681caf0a9e25255ba7449c0ce
                                                • Instruction ID: f8a5c911c12b010ca50364c9a7c9038dc5c06f76233ef17de37c2bedfd9a711a
                                                • Opcode Fuzzy Hash: 6ae42dcfd6d83d13941aaa5c5a5c23cbf1471c6681caf0a9e25255ba7449c0ce
                                                • Instruction Fuzzy Hash: E42127B1C002499FDF10CFA9C881BEEBBF1BF48320F10842AE519A7240D7789900CB65

                                                Control-flow Graph

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05D9C606
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2234024045.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_5d90000_outlooks.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: dcc48d3875897671df18c8473d7dc881fc243c24914efd536c6f31348b0e5e8b
                                                • Instruction ID: be760e4a3256f81cf985bf0200264268dd4b9e32c788457c37ce3eea766c8326
                                                • Opcode Fuzzy Hash: dcc48d3875897671df18c8473d7dc881fc243c24914efd536c6f31348b0e5e8b
                                                • Instruction Fuzzy Hash: 79213871D003099FDB14DFAAC4857AEBBF4BF88320F54842AD519A7240CB78A944CFA5

                                                Control-flow Graph

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05D9C890
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2234024045.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_5d90000_outlooks.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 09fa5ae8e982f858f86b8bce28615e79069a8a946c37a0773a9ff23be79ad83e
                                                • Instruction ID: 28ecacdf3711920217e9382364027c52b5b10131ad97f2c28e37c34618cafb09
                                                • Opcode Fuzzy Hash: 09fa5ae8e982f858f86b8bce28615e79069a8a946c37a0773a9ff23be79ad83e
                                                • Instruction Fuzzy Hash: 712105B18003499FDB10CFAAC881BDEBBF5BF48310F50842AE519A7250D7789910CBA5
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05D9C6CE
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2234024045.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_5d90000_outlooks.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0

                                                APIs
                                                • ResumeThread.KERNELBASE(?), ref: 05D9C102
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2234024045.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_5d90000_outlooks.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 010AB386
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2197436907.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_10a0000_outlooks.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 05D9EE05
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2234024045.0000000005D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_5d90000_outlooks.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                APIs
                                                • CloseHandle.KERNELBASE(?), ref: 07450750
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2235106145.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7450000_outlooks.jbxd
                                                Similarity
                                                • API ID: CloseHandle
                                                • String ID:
                                                • API String ID: 2962429428-0

                                                Execution Graph

                                                Execution Coverage: 9.4%
                                                Dynamic/Decrypted Code Coverage: 100%
                                                Signature Coverage: 0%
                                                Total number of Nodes: 379
                                                Total number of Limit Nodes: 32

                                                Control-flow Graph
                                                • Rendered graph not preserved; basic blocks 75ec99c-75ecced, CreateProcessA called in block 75ecb37-75ecbf1
                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075ECBDE
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2306673854.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_75e0000_outlooks.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 0e0a32dd0b967ce1ce3e70917d80c404089aa0139ef807e20916f027caa8c380
                                                • Instruction ID: ca52e439fbc719ca5d902aa50f5c2c03554a7fa0617f29478cb28bb71014ec00
                                                • Opcode Fuzzy Hash: 0e0a32dd0b967ce1ce3e70917d80c404089aa0139ef807e20916f027caa8c380
                                                • Instruction Fuzzy Hash: BDA16CB1D0021ADFEF24CF68C841BDDBBB6BF48310F14856AE859A7240DB749985CFA1

                                                Control-flow Graph
                                                • Rendered graph not preserved; basic blocks 52b1b90-52b1e61, call to 52b0a90 in block 52b1cd0, CreateWindowExW called in block 52b1d73-52b1e12
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052B1E02
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2299063392.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_52b0000_outlooks.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 48675074f6107f9e8ccbacdb9a785aba33419d55aa5bc01e4e643687ed1f2f13
                                                • Instruction ID: 5a8e99633005e55ed28cc2d0bd79ea10da95c38efda7a6803ac281bd8fad5177
                                                • Opcode Fuzzy Hash: 48675074f6107f9e8ccbacdb9a785aba33419d55aa5bc01e4e643687ed1f2f13
                                                • Instruction Fuzzy Hash: FE915DB2D093899FDF02CFA5C850ADDBFB1BF5A300F1A819AE444AB262C3759915CF51

                                                Control-flow Graph
                                                • Rendered graph not preserved; basic blocks 75ec9a8-75ecced, CreateProcessA called in block 75ecb37-75ecbf1
                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075ECBDE
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2306673854.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_75e0000_outlooks.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 2de5b5562e463740f44b525fcb0306d31bea13521154d09447e52078b9529cdc
                                                • Instruction ID: 0fee55d983a8769ff8c01413feba5b78f7c38fed97290febb3059c8712d2ec29
                                                • Opcode Fuzzy Hash: 2de5b5562e463740f44b525fcb0306d31bea13521154d09447e52078b9529cdc
                                                • Instruction Fuzzy Hash: 60916EB1D0025ADFEF14CF68C841BDDBBB6BF48310F14856AE859A7240DB749985CFA1

                                                Control-flow Graph
                                                • Rendered graph not preserved; basic blocks 133b130-133b3b0, calls to 133aaf4, 133b3ba/133b3c8, 133ab00, 133ab10, 133ab20 and 133ab30, GetModuleHandleW called in block 133b368-133b393
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0133B386
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2263209080.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1330000_outlooks.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: c4e79af3dd8279e2876f09a1560d0fad96f5227797c7b4c92c0a5bd180959804
                                                • Instruction ID: ed237e2147d1bf0aa368739710b2e701c9f35923143ee35c507a77a4618f2919
                                                • Opcode Fuzzy Hash: c4e79af3dd8279e2876f09a1560d0fad96f5227797c7b4c92c0a5bd180959804
                                                • Instruction Fuzzy Hash: 8D713370A00B058FE728DF6AD44475ABBF1FF88304F108A2ED48ADBA54DB74E845CB95

                                                Control-flow Graph
                                                • Rendered graph not preserved; basic blocks 52b0a90-52b1e61, CreateWindowExW called in block 52b1d73-52b1e12
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052B1E02
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2299063392.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_52b0000_outlooks.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 42c97b293fd397326b991431c48bb736109dbf83dd4e28adf42a1d3c3f7f33f5
                                                • Instruction ID: f608fb091b34fc8a57f3ec44081872ea709f56d2d093df0c15e0037d940796b7
                                                • Opcode Fuzzy Hash: 42c97b293fd397326b991431c48bb736109dbf83dd4e28adf42a1d3c3f7f33f5
                                                • Instruction Fuzzy Hash: 4B51E3B1D10309DFEB14CF99C894ADEFBB5BF48350F24812AE819AB210D7B59855CF90

                                                Control-flow Graph
                                                • Rendered graph not preserved; basic blocks 52b0be4-52b43dc, call to 52b0abc in block 52b43ac-52b43cc, CallWindowProcW called in block 52b435a-52b4392
                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 052B4381
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2299063392.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_52b0000_outlooks.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                • Opcode ID: e84f98a7d5ccdfd09c2c1b2e2422ba4961a1e1771418afd903d176a937334b4e
                                                • Instruction ID: ec0808f283b9e0e26aa5b005ee7add269ae1a7f2d59d9bfc7dae9f2b36642be5
                                                • Opcode Fuzzy Hash: e84f98a7d5ccdfd09c2c1b2e2422ba4961a1e1771418afd903d176a937334b4e
                                                • Instruction Fuzzy Hash: F7413AB5910305CFDB04DF99C488AAABBF6FF88314F288549D519A7361C7B4A841CFA0

                                                Control-flow Graph
                                                • Rendered graph not preserved; basic blocks 13344c4-1335a61, CreateActCtxA called in entry block 13344c4-13359d9
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 013359C9
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2263209080.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1330000_outlooks.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 6da458f7f455333c0e8767e061ae76dc98d048ac65e14b915a23a6398a884744
                                                • Instruction ID: 58a8f4e3739d3b32607f433204199ffeb2fffc47fcbca18d3eb11acd6b1e2627
                                                • Opcode Fuzzy Hash: 6da458f7f455333c0e8767e061ae76dc98d048ac65e14b915a23a6398a884744
                                                • Instruction Fuzzy Hash: AC41D270C0071DCBEB24CFA9C984B9EBBF5BF89704F20806AD408AB251DB756946CF94

                                                Control-flow Graph
                                                • Rendered graph not preserved; basic blocks 133590d-1335a61, CreateActCtxA called in entry block 133590d-13359d9
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 013359C9
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2263209080.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1330000_outlooks.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 5f224349743fa1371bef89c2e71a86cae49f5db682b68b38ab0e24bfc0067864
                                                • Instruction ID: c5003967d23e4cb263e1d0971fff5ea0e4f6b4c33a50cd6c5056fffbedb967fd
                                                • Opcode Fuzzy Hash: 5f224349743fa1371bef89c2e71a86cae49f5db682b68b38ab0e24bfc0067864
                                                • Instruction Fuzzy Hash: 8641CFB0C00719CBEB25CFA9C984B9EBBF5BF89304F20816AD408AB251DB756946CF54

                                                Control-flow Graph
                                                • Rendered graph not preserved; basic blocks 75ec718-75ec7f6, WriteProcessMemory called in block 75ec77e-75ec7bd
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075EC7B0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2306673854.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_75e0000_outlooks.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 910e57b53c1ca4befd66bb617dd1f0325a9797dc0de3e4d8cee67b872895a8bc
                                                • Instruction ID: 563f673426908ed2d6eb75f430eb7b12377ba99c54eedbfbe85a2680463bba57
                                                • Opcode Fuzzy Hash: 910e57b53c1ca4befd66bb617dd1f0325a9797dc0de3e4d8cee67b872895a8bc
                                                • Instruction Fuzzy Hash: 6C314AB6900259DFDB14CFA9D881BEEBBF5FF88320F10842AE519A7240C7759950DFA0

                                                Control-flow Graph
                                                • Rendered graph not preserved; basic blocks 75ec580-75ec64c, Wow64SetThreadContext called in block 75ec5e3-75ec613
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075EC606
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2306673854.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_75e0000_outlooks.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: b9059fd4de77a12cbcee1bbb007299f9dfa4887e59c660c4083b6f2d7393d5c6
                                                • Instruction ID: a9d7fa283106b9044c26d880d184ccbaef644bc10914cbbe688c925cd7477a4e
                                                • Opcode Fuzzy Hash: b9059fd4de77a12cbcee1bbb007299f9dfa4887e59c660c4083b6f2d7393d5c6
                                                • Instruction Fuzzy Hash: EC2148B2D002099FDB14DFAAD4817EEBBF4FF88324F10842AD518A7640CB789945CFA1

                                                Control-flow Graph
                                                • Rendered graph not preserved; basic blocks 75ec809-75ec8d6, ReadProcessMemory called in block 75ec80f-75ec89d
                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075EC890
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2306673854.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_75e0000_outlooks.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: a313408c97b9ff4bc75cb7c5af877b075601f0278bd5c430aa4cd2cc5ea3aff0
                                                • Instruction ID: 5afb3c4d13e892cd634c6f093dd1423618480fe28429558d5a5cf73c5d0a7779
                                                • Opcode Fuzzy Hash: a313408c97b9ff4bc75cb7c5af877b075601f0278bd5c430aa4cd2cc5ea3aff0
                                                • Instruction Fuzzy Hash: 6A2116B2D002099FDB14CF9AD881BDEFBF5FF88320F10842AE559A7240D7799515DBA1

                                                Control-flow Graph
                                                • Rendered graph not preserved; basic blocks 75ec658-75ec709, VirtualAllocEx called in block 75ec65f-75ec6db
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075EC6CE
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2306673854.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_75e0000_outlooks.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: d127c1b0f6a7abf758255da3b8cf72a80083ce75dc1b25ecd418752b51bd1844
                                                • Instruction ID: e1a89033f2c4efe71ac401aa5764460495c3ab8ddef0146f3d23163c14631c1d
                                                • Opcode Fuzzy Hash: d127c1b0f6a7abf758255da3b8cf72a80083ce75dc1b25ecd418752b51bd1844
                                                • Instruction Fuzzy Hash: BF2178B29002498FDB10DF9AD8416EEBBF5EF88320F14882AD528A7240C7799514CFA1

                                                Control-flow Graph
                                                • Rendered graph not preserved; basic blocks 75ec720-75ec7f6, WriteProcessMemory called in block 75ec77e-75ec7bd
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075EC7B0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2306673854.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_75e0000_outlooks.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 15a47ba3d7ab28666fb5fe5286f7da56504a66381f85f001ea593789aeafdbe8
                                                • Instruction ID: 19e934519239c0b54a2eb901260929144efea7da8ea472431fea994dbfb12dda
                                                • Opcode Fuzzy Hash: 15a47ba3d7ab28666fb5fe5286f7da56504a66381f85f001ea593789aeafdbe8
                                                • Instruction Fuzzy Hash: 1C2128B6900359DFDB14CFA9C881BDEBBF5FF48310F10842AE918A7240C7789950CBA4

                                                Control-flow Graph
                                                • Rendered graph not preserved; basic blocks 133ced8-133d6c2, DuplicateHandle called in entry block 133ced8-133d69c
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0133D5CE,?,?,?,?,?), ref: 0133D68F
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2263209080.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1330000_outlooks.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 8ace8369db16637a647e4a709a8973b5972488941711ed79d501f9202e89d537
                                                • Instruction ID: fefd18715fdca54dfdb2a49714875fe84e194655aae58cd5c762408261c5b955
                                                • Opcode Fuzzy Hash: 8ace8369db16637a647e4a709a8973b5972488941711ed79d501f9202e89d537
                                                • Instruction Fuzzy Hash: FD21E3B5904209DFDB10CF9AD984ADEFBF9FB48324F54841AE958A3310D378A954CFA4

                                                Control-flow Graph

                                                • Graph image not reproduced; entry block 75ec588-75ec5d3, block 75ec5e3-75ec613 calls Wow64SetThreadContext
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075EC606
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2306673854.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_75e0000_outlooks.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 249251c5eea0e50e2bc1bae4d020577e3051ec633755382f1c0e6267de9a586d
                                                • Instruction ID: 13b1b87a7d17d50ebd596f32829f816f443b503eaaea364486a5733fecdf8489
                                                • Opcode Fuzzy Hash: 249251c5eea0e50e2bc1bae4d020577e3051ec633755382f1c0e6267de9a586d
                                                • Instruction Fuzzy Hash: 4D2138B19003099FDB14DFAAC4857EEBBF4BF88320F14842AD519A7240CBB89944CFA5
                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075EC890
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2306673854.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_75e0000_outlooks.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: a7a795164c75ee23372bec1b04a025a8337ab60fb4b38581af0ade81acd746cb
                                                • Instruction ID: a22af85f93963e15973724d9ba666bbb8bf909539bb3defdaf0867c693577954
                                                • Opcode Fuzzy Hash: a7a795164c75ee23372bec1b04a025a8337ab60fb4b38581af0ade81acd746cb
                                                • Instruction Fuzzy Hash: BC2116B1C003599FDB14CFAAC881BDEBBF5FF48310F10842AE518A7240D7799910CBA5
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0133D5CE,?,?,?,?,?), ref: 0133D68F
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2263209080.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1330000_outlooks.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 4f03488690ddf520d4ed98732af4dab4e2f3911f6766678b856b72040c890e9a
                                                • Instruction ID: b1abaa03560da92401ab65e4c13a2b2c0bfcb4155fca545508602e8f1cc79767
                                                • Opcode Fuzzy Hash: 4f03488690ddf520d4ed98732af4dab4e2f3911f6766678b856b72040c890e9a
                                                • Instruction Fuzzy Hash: D921E4B6900209DFDB10CFA9D584ADEFBF4FB48324F14841AE958A7310D378A954CF64
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075EC6CE
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2306673854.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_75e0000_outlooks.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 78e70f095d9b646bfe12076e3e323d40bd0a8977c86e8f45bde2dee1581ce7dc
                                                • Instruction ID: befe13f782e7ba6a40a3240c3d450d46d4cb6c6ebdefe5047ce4084d98f80d93
                                                • Opcode Fuzzy Hash: 78e70f095d9b646bfe12076e3e323d40bd0a8977c86e8f45bde2dee1581ce7dc
                                                • Instruction Fuzzy Hash: B41156B2800249DFDF10DFAAC844BDFBBF5AF88320F10881AE519A7250C775A910CBA0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2306673854.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_75e0000_outlooks.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 0dbe292983a055cd333bf9efee90e085924e586f306002a99748834e84d56202
                                                • Instruction ID: 084518f14fcb4e66011eb8464609d257761434572643901d8383a28567ba1986
                                                • Opcode Fuzzy Hash: 0dbe292983a055cd333bf9efee90e085924e586f306002a99748834e84d56202
                                                • Instruction Fuzzy Hash: 21115BB1900349CFDB14DFAAD4457DEFBF4EF88220F14841AD519A7240C779A905CBA5
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2306673854.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_75e0000_outlooks.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 67bfaca1e32378d2adb7093ed58629c5f82544320230393cab502f4b8a6a551e
                                                • Instruction ID: 53955757e9028fecb450929270a688ba2451394a9e3e380a1281fe786d6bb7f5
                                                • Opcode Fuzzy Hash: 67bfaca1e32378d2adb7093ed58629c5f82544320230393cab502f4b8a6a551e
                                                • Instruction Fuzzy Hash: 99113AB1900349CFEB14DFAAC4457DEFBF5AF88724F24841AD519A7240CB79A940CBA5
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 075EEE05
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2306673854.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_75e0000_outlooks.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: a80e3ec9913b20fcc495b163efa329d83465619b012773e4df2274ce10bf72f9
                                                • Instruction ID: 3e4dc597912cb434dbb6d6e9d2e09b10e9393435e50f9f50dce92d3a69d52570
                                                • Opcode Fuzzy Hash: a80e3ec9913b20fcc495b163efa329d83465619b012773e4df2274ce10bf72f9
                                                • Instruction Fuzzy Hash: C011F5B5810349DFDB50DF9AC545BDEBBF8FB48324F10841AE918A7600D3B5A954CFA1
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0133B386
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2263209080.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_1330000_outlooks.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: cb1253a2c19e4150e46ef76b81083ce600cd8c682e47269905955e51ab707fe7
                                                • Instruction ID: e5680be0864ec9b6d045a019a643bb565a22a9ba72880124f7905e56d4eea80c
                                                • Opcode Fuzzy Hash: cb1253a2c19e4150e46ef76b81083ce600cd8c682e47269905955e51ab707fe7
                                                • Instruction Fuzzy Hash: 6F110CB6C003598FDB10CF9AC444B9EFBF4EB88224F10842AD928B7210C3B9A545CFA5
                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 075EEE05
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2306673854.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_75e0000_outlooks.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 98f8da85b77a1017f0aa40ca9ab1471b7e71eee1db5c84f185c8e3021845a6a5
                                                • Instruction ID: 4689041e81a999a6314b6c4d995b3e51ad0e37752a4292551813f21e54ac3db6
                                                • Opcode Fuzzy Hash: 98f8da85b77a1017f0aa40ca9ab1471b7e71eee1db5c84f185c8e3021845a6a5
                                                • Instruction Fuzzy Hash: 261103B580034ACFEB14CF99D589BDEBBF8FB48324F10841AD558A7610C3B9A554CFA5
                                                APIs
                                                • CloseHandle.KERNELBASE(?), ref: 07930750
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2307855620.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_7930000_outlooks.jbxd
                                                Similarity
                                                • API ID: CloseHandle
                                                • String ID:
                                                • API String ID: 2962429428-0
                                                • Opcode ID: 3dcce41b3371edb535a54aeefac44b179788093fd728617433294f74c256743a
                                                • Instruction ID: 8f1c5411a739aaad76c0a3219deaf87f9bb67237225bb22afca09da566f90e41
                                                • Opcode Fuzzy Hash: 3dcce41b3371edb535a54aeefac44b179788093fd728617433294f74c256743a
                                                • Instruction Fuzzy Hash: 8D1128B6800249CFDB10DF9AC544BDEBBF4EB48324F10842AD959A7340D379A944CFA5
                                                APIs
                                                • CloseHandle.KERNELBASE(?), ref: 07930750
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2307855620.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_7930000_outlooks.jbxd
                                                Similarity
                                                • API ID: CloseHandle
                                                • String ID:
                                                • API String ID: 2962429428-0
                                                • Opcode ID: 07e7502b6531489f541deaeffdaa750c09752640d1a30be362dc7f1572a48e14
                                                • Instruction ID: 865c28e2adc1f8207efa2ed41df74fb22a3802921aa867f79c3100f035d38214
                                                • Opcode Fuzzy Hash: 07e7502b6531489f541deaeffdaa750c09752640d1a30be362dc7f1572a48e14
                                                • Instruction Fuzzy Hash: 4C1106B5800349CFDB10DF9AC585BDEBBF4EB48324F10841AD559A7340D779A544CFA5
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2262750283.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_10dd000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3bd5dedd408aee735b76435f9f428b15c91c3e70fa34a57609538f04962ca2e3
                                                • Instruction ID: cdb2e4391930ceb5b103f33a997be02eb04812c677801ecbcbcd85ba68523cbd
                                                • Opcode Fuzzy Hash: 3bd5dedd408aee735b76435f9f428b15c91c3e70fa34a57609538f04962ca2e3
                                                • Instruction Fuzzy Hash: B7210375504300DFDB15DF54D980B26BFA5EBC4314F20C5ADE98A0B296C376D406CB61
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2262750283.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_10dd000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 24100400dc07fc9c2966547c750dd2f5ee45fef9c69ba4ac0f183f1b04204290
                                                • Instruction ID: f68ba257aed05bc5f31982c17d1797df0f43f5b791a090c94b562644ec10bf81
                                                • Opcode Fuzzy Hash: 24100400dc07fc9c2966547c750dd2f5ee45fef9c69ba4ac0f183f1b04204290
                                                • Instruction Fuzzy Hash: 07213475504300EFDB05DF94D9C0B3ABBA5FB84324F20C5ADE9894B292C376D406CB61
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2262750283.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_10dd000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e93d663f2d8fa96ef793be1b52416b3998e6d18ebfec23a4cd132292d27f844a
                                                • Instruction ID: 30c20b20ca1d6401e0108be77510cc5e11a03a08c70501e0817084fdfbcfa01e
                                                • Opcode Fuzzy Hash: e93d663f2d8fa96ef793be1b52416b3998e6d18ebfec23a4cd132292d27f844a
                                                • Instruction Fuzzy Hash: 1021C3755093808FCB13CF64D990715BFB1EB85314F28C5EAD8898B6A7C33AD40ACB62
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2262750283.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_10dd000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                • Instruction ID: 3552822558d7aa7554ae0ba6e1d5da35f62fc41bd2ca60e8adf069dc54f04fb9
                                                • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                • Instruction Fuzzy Hash: 5511BB75504380DFCB02CF54C5C0B25BBB1FB84224F24C6A9D8894B6A6C33AD40ACB61
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2262586561.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_10cd000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5e594cc7be21f9506e6c720bb207cabf34fb844f19059e155a2a50d4245d8502
                                                • Instruction ID: b1446bcaf090ba876886756e10140ae239a2ca04547182d9c504a4c365fc34da
                                                • Opcode Fuzzy Hash: 5e594cc7be21f9506e6c720bb207cabf34fb844f19059e155a2a50d4245d8502
                                                • Instruction Fuzzy Hash: 4001F771004380DAE7504BA9CD84B2EFFD8FF81A20F18866EEE494A286D7799440CBF1
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2262586561.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_10cd000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aa4e4070f9c064fcb094d2908cd0a466bac326aff0b038ec66cb78bd830855c7
                                                • Instruction ID: fe46d829cbe0ef1e91fc1dbb71337fccd6e9f6d024415b4ce92ad3cf769ce588
                                                • Opcode Fuzzy Hash: aa4e4070f9c064fcb094d2908cd0a466bac326aff0b038ec66cb78bd830855c7
                                                • Instruction Fuzzy Hash: 1DF0C871404384AEE7508B09DC84B66FFD8EF80624F14C55AEE484A286C3799844CBB1

                                                Execution Graph

                                                Execution Coverage:9.5%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:80
                                                Total number of Limit Nodes:8
                                                • Graph image not reproduced; nodes reference DuplicateHandle, CreateActCtxA, KiUserCallbackDispatcher and GetModuleHandleW

                                                Control-flow Graph

                                                • Graph image not reproduced; entry block 817b6e0-817b6fc, internal calls to 817b120, 817b588 and 8173820, no API calls
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5ad4c81c5ea13062d8bc336d06d7dc6bf0c25648bbdc8d109900dfc968bbd921
                                                • Instruction ID: 6e25608b2d1102c2dbb15032ffd23e310927f25b29d8840a7f8510333cfd0c9c
                                                • Opcode Fuzzy Hash: 5ad4c81c5ea13062d8bc336d06d7dc6bf0c25648bbdc8d109900dfc968bbd921
                                                • Instruction Fuzzy Hash: B4425974B057168FCB19DFA9C49466EBBF2FF88311F14892ED55A97391CB30A802CB90

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0151C256
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3356461642.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1510000_outlooks.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 4f644dbafa544cb4dedf8edc731515295a55ddf4a7804e29fb20e8c8ea06b5e7
                                                • Instruction ID: af6b31ad9fe9da194ba69c1679d50a8ed57b817b4362c6eec6d076b925fdc07c
                                                • Opcode Fuzzy Hash: 4f644dbafa544cb4dedf8edc731515295a55ddf4a7804e29fb20e8c8ea06b5e7
                                                • Instruction Fuzzy Hash: 858169B0A00B059FE726DF6AC44475ABBF1FF88700F00892DD48ADBA54DB76E845CB90

                                                Control-flow Graph
                                                • Summary (rendered graph; node and edge data not reproduced): 8 basic blocks spanning 151670f-1516842. DuplicateHandle is called from block 151678c-151681c; block 1516721-1516749 calls 151611c.
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0151674E,?,?,?,?,?), ref: 0151680F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3356461642.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1510000_outlooks.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 527bb321bde9d78f36ea0076b52a2f152fd1ad20030e0fae97bd09bf2e09668c
                                                • Instruction ID: 20cade48b18804f73bc02239c255defd62e59c29e38d7a0bfb61f1baa38e8056
                                                • Opcode Fuzzy Hash: 527bb321bde9d78f36ea0076b52a2f152fd1ad20030e0fae97bd09bf2e09668c
                                                • Instruction Fuzzy Hash: C3411776900249AFDF01CF99D844ADEBFF5FB48320F14806AEA14A7361D775A954CFA0

                                                Control-flow Graph
                                                • Summary (rendered graph; node and edge data not reproduced): 10 basic blocks spanning 1517364-15174b9. CreateActCtxA is called from block 1517375-1517431; the terminal block 15174b9 branches to itself.
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 01517421
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3356461642.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1510000_outlooks.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: c4c51b3e52972bb989e6e0a3537c7ba390ae443abad689f7efd85b1a26b3a040
                                                • Instruction ID: 67e30c0485fcb1dbc0a9ef8068c99e2f07db670fc5aa5763d860097a7d82432b
                                                • Opcode Fuzzy Hash: c4c51b3e52972bb989e6e0a3537c7ba390ae443abad689f7efd85b1a26b3a040
                                                • Instruction Fuzzy Hash: 1041F1B1C0071DCBEB25CFA9C944B8EBBF5BF88304F20816AD408AB255DBB56945CF90

                                                Control-flow Graph
                                                • Summary (rendered graph; node and edge data not reproduced): 8 basic blocks spanning 1516414-15174b9. CreateActCtxA is called from block 1516414-1517431; the terminal block 15174b9 branches to itself.
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 01517421
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3356461642.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1510000_outlooks.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: f5c9f12cbecf7416f16f5340355f6c039bf5a3a99cec096e7ca821013b689ca0
                                                • Instruction ID: 81b3d8f12a6c7941ee5f0a12c3b07e1e8e2d678d8faf8ba52eaef7510b1c1854
                                                • Opcode Fuzzy Hash: f5c9f12cbecf7416f16f5340355f6c039bf5a3a99cec096e7ca821013b689ca0
                                                • Instruction Fuzzy Hash: 6941E0B1C0071DCBEB25DFA9C944B9EBBF5BF88304F20816AD408AB255DBB56945CF90

                                                Control-flow Graph
                                                • Summary (rendered graph; node and edge data not reproduced): 4 basic blocks spanning 1516780-1516842. DuplicateHandle is called from block 151678c-151681c.
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0151674E,?,?,?,?,?), ref: 0151680F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3356461642.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1510000_outlooks.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: cd1c527ed9ea3088cc6371a9c137396ef4145d850b2b4a9f3b7299112cd9f423
                                                • Instruction ID: 170d87d76d9d13b78ca720d7ada84135014d2565f47e271bedb1700d39794293
                                                • Opcode Fuzzy Hash: cd1c527ed9ea3088cc6371a9c137396ef4145d850b2b4a9f3b7299112cd9f423
                                                • Instruction Fuzzy Hash: 3D2124B5800349AFDB11CFAAD884ADEBFF4FB48320F14846AE914A7351D378A940CF60

                                                Control-flow Graph
                                                • Summary (rendered graph; node and edge data not reproduced): 3 basic blocks spanning 151611c-1516842. DuplicateHandle is called from block 151611c-151681c.
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0151674E,?,?,?,?,?), ref: 0151680F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3356461642.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1510000_outlooks.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 485d91d082d7e16b1b9a47dfe5bf8b5b7b454abad8698689d4136690a09f9034
                                                • Instruction ID: fbe1969db8b7e74b6161c4bfa54081b7ce2ffe62008cf1fc5a77e48f9c2d5307
                                                • Opcode Fuzzy Hash: 485d91d082d7e16b1b9a47dfe5bf8b5b7b454abad8698689d4136690a09f9034
                                                • Instruction Fuzzy Hash: F821E4B5900209EFDB10CF9AD984ADEBFF8FB48320F14842AE914A7350D374A950CFA1

                                                Control-flow Graph
                                                • Summary (rendered graph; node and edge data not reproduced): 5 basic blocks spanning 151c1f0-151c280. GetModuleHandleW is called from block 151c238-151c263.
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0151C256
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3356461642.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_1510000_outlooks.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 454f41b87391a90615321fe29f24fb69f9f090ea6070b053b5b919a6e8f8844f
                                                • Instruction ID: d2817b937a676c75a8ae1fc4959ebb0a4613689711cb2a569a00116a931260c4
                                                • Opcode Fuzzy Hash: 454f41b87391a90615321fe29f24fb69f9f090ea6070b053b5b919a6e8f8844f
                                                • Instruction Fuzzy Hash: BD110FB6C002498FDB10DF9AC444ADEFBF4BB88320F10852AD969A7210C3B9A545CFA1
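                                                The entries above repeat the same fixed fields (API call site, memory-dump source, IDA snapshot, similarity hashes) for every function the Joe Sandbox IDA plugin carved out of the injected process. The following script is an added example, not Joe Sandbox code, that parses that plain-text listing into records, de-duplicates API call sites that appear under several overlapping function boundaries (DuplicateHandle at 0151680F is listed in more than one entry), and collects the instruction fuzzy hashes for similarity pivots. The sample input is two entries copied from the listing above. The regexes are written against the format as rendered here, and the reading of the first two dotted fields of the .sdmp name as process index and dump index is an assumption, chosen because it matches the hcaresult_9_2_1510000 snapshot name on the same entries.

```python
# Parse per-function entries of a Joe Sandbox disassembly listing into records.
# Added example; not Joe Sandbox code. An entry ends at its "Instruction Fuzzy Hash".
import re
from dataclasses import dataclass, field
from typing import NamedTuple

# Constructed sample: two entries copied from the listing above.
SAMPLE = """\
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0151674E,?,?,?,?,?), ref: 0151680F
Memory Dump Source
• Source File: 00000009.00000002.3356461642.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1510000_outlooks.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 527bb321bde9d78f36ea0076b52a2f152fd1ad20030e0fae97bd09bf2e09668c
• Instruction ID: 20cade48b18804f73bc02239c255defd62e59c29e38d7a0bfb61f1baa38e8056
• Opcode Fuzzy Hash: 527bb321bde9d78f36ea0076b52a2f152fd1ad20030e0fae97bd09bf2e09668c
• Instruction Fuzzy Hash: C3411776900249AFDF01CF99D844ADEBFF5FB48320F14806AEA14A7361D775A954CFA0
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0151C256
Memory Dump Source
• Source File: 00000009.00000002.3356461642.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1510000_outlooks.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 454f41b87391a90615321fe29f24fb69f9f090ea6070b053b5b919a6e8f8844f
• Instruction ID: d2817b937a676c75a8ae1fc4959ebb0a4613689711cb2a569a00116a931260c4
• Opcode Fuzzy Hash: 454f41b87391a90615321fe29f24fb69f9f090ea6070b053b5b919a6e8f8844f
• Instruction Fuzzy Hash: BD110FB6C002498FDB10DF9AC444ADEFBF4BB88320F10852AD969A7210C3B9A545CFA1
"""

API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>[\w.]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^Source File: (?P<file>\S+), Offset: (?P<base>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")


class ApiCall(NamedTuple):
    name: str      # e.g. DuplicateHandle
    module: str    # module the plugin resolved the import to, e.g. KERNELBASE
    ref: str       # address of the call instruction
    args: list     # stack slots as printed; "?" marks an unresolved argument


@dataclass
class FunctionRecord:
    source_file: str = ""
    region_base: str = ""
    based_on_pe: bool = False
    process_index: int = -1
    dump_index: int = -1
    api_calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # API ID, Opcode ID, ... as printed


def parse_listing(text):
    """Split the listing into FunctionRecords; plain headings (APIs, Similarity, ...) are skipped."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if m := API_RE.match(line):
            cur.api_calls.append(ApiCall(m["name"], m["module"], m["ref"].upper(),
                                         [a for a in m["args"].split(",") if a]))
        elif m := SOURCE_RE.match(line):
            cur.source_file, cur.region_base = m["file"], m["base"].upper()
            cur.based_on_pe = m["pe"] == "true"
            # Assumption: the first two dotted fields of the .sdmp name are the process
            # index and dump index (they match hcaresult_<proc>_<dump>_<base> on the same entry).
            proc, dump = m["file"].split(".")[:2]
            cur.process_index, cur.dump_index = int(proc), int(dump)
        elif m := FIELD_RE.match(line):
            cur.fields[m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":   # last field of every entry
                records.append(cur)
                cur = FunctionRecord()
    if cur.fields or cur.api_calls:                    # keep a truncated trailing entry
        records.append(cur)
    return records


def call_sites_by_api(records):
    """Map "MODULE!Api" -> sorted unique (process index, region base, call-site ref).
    Overlapping IDA function boundaries list one call site several times; the set collapses them."""
    sites = {}
    for rec in records:
        for call in rec.api_calls:
            sites.setdefault(f"{call.module}!{call.name}", set()).add(
                (rec.process_index, rec.region_base, call.ref))
    return {k: sorted(v) for k, v in sites.items()}


def hunting_hashes(records):
    """(Instruction Fuzzy Hash, API ID) per entry, the two values used for similarity pivots."""
    return [(r.fields.get("Instruction Fuzzy Hash", ""), r.fields.get("API ID", ""))
            for r in records]
```

                                                Run `call_sites_by_api(parse_listing(text))` over the full listing to get one line per imported API with every distinct call site in the injected region; the same listing parsed twice yields the same sites, which is what makes the output usable as a compact per-region import summary.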

                                                Control-flow Graph
                                                • Summary (rendered graph; node and edge data not reproduced): basic blocks spanning 8179700-817a003, entry block 8179700-817970e. No API calls resolved; internal calls to 81791e0 and 81796c8.
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 85efcea7efe6dddd374ba44800b71f0ce9ae0a7fb32529c650f2c93327c0c358
                                                • Instruction ID: f2f975d662056d9c0042dc100b43079117861f25fb5d442355273244f0f24ba6
                                                • Opcode Fuzzy Hash: 85efcea7efe6dddd374ba44800b71f0ce9ae0a7fb32529c650f2c93327c0c358
                                                • Instruction Fuzzy Hash: 5E52D230A04605CFCB15CB68C49496EBFF2FF85212B588A5DD446DB795CB38EC4ACB91

                                                Control-flow Graph
                                                • Summary (rendered graph; node and edge data not reproduced): basic blocks spanning 81721b0-81727ff, entry block 81721b0-8172253. No API calls resolved; internal calls to 81719d0, 8170dc8, 8170a20 and 8170658; the call at 81724c5 is resolved to two candidate targets, 8172891 and 81728a0.
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 298a3398b4b0ac5a34d9c204544940205c5805193da3d10d4c78ee1bb270d5dd
                                                • Instruction ID: 74015384d44faa835918cb89e28b2d81786b56b77fd99d22012129e12486158c
                                                • Opcode Fuzzy Hash: 298a3398b4b0ac5a34d9c204544940205c5805193da3d10d4c78ee1bb270d5dd
                                                • Instruction Fuzzy Hash: D3120834A002198FCB54EF78C894A9DB7B2BF89301F5185A8D54AAB365DF30ED86CF50

                                                Control-flow Graph
                                                • Summary (rendered graph; node and edge data not reproduced): basic blocks spanning 81728a0-8172d65, entry block 81728a0-81728b0. No API calls resolved; internal calls to 81719d0 and 8170dc8; the call at 8172ac7 has candidate targets 8172d78 and 8172d88, and the call at 8172ad6 has candidate targets 8172e28, 8172e38, 8172fc8, 8173098 and 81730a8.
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2ae587e30fab24a582cae85c6daaab99b21b15e6564c95a7ff193f0e118d7938
                                                • Instruction ID: c192a8f2635ecccb58c4301031db194f03760ad4f78bb2ad30c000bff989e056
                                                • Opcode Fuzzy Hash: 2ae587e30fab24a582cae85c6daaab99b21b15e6564c95a7ff193f0e118d7938
                                                • Instruction Fuzzy Hash: 51E14174A01209DFCB54EFA4D4949ADBBB2FF89300F148569E906AB364DF34ED42CB91

                                                Control-flow Graph
                                                • Summary (rendered graph; node and edge data not reproduced): basic blocks spanning 817b2c0-817b6cc, entry block 817b2c0-817b2ce. No API calls resolved; the call at 817b6c6 has candidate targets 817b6d0 and 817b6e0.
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 08f7583f23be95d3b1a1440a3d151090f213601d0b0bd959f16e0a68a43250a0
                                                • Instruction ID: 57d60d45445305d92dea864639ab680a39fd4c3cfded903a9befc155fcd60aac
                                                • Opcode Fuzzy Hash: 08f7583f23be95d3b1a1440a3d151090f213601d0b0bd959f16e0a68a43250a0
                                                • Instruction Fuzzy Hash: FBC19431A08741CFCB29CF25C454A2EBBF2BF84321F198A5DE5978B691CB35E842CB51
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 089c49f38f98612f99cec7b3b52aebaa8703ddcfa7409f0b40c4d36f348fb97a
                                                • Instruction ID: 77e8c2c72ed4d7c6bb11002687ecef3cf4d60835123bfdb7b9e81f31b6d600b3
                                                • Opcode Fuzzy Hash: 089c49f38f98612f99cec7b3b52aebaa8703ddcfa7409f0b40c4d36f348fb97a
                                                • Instruction Fuzzy Hash: 45D1EC74B11218AFDB44EFA9D994E9EBBB6FF88700F108058E505AB3A5DB71EC41CB50
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: de24e23b331df5e9a07c19428c53ceb865b433b5eaf692e4b948564600d22bd5
                                                • Instruction ID: d39597c43272a4a4fc110dcc657240c3a88c6bbf2820519d5bce4aef731ae088
                                                • Opcode Fuzzy Hash: de24e23b331df5e9a07c19428c53ceb865b433b5eaf692e4b948564600d22bd5
                                                • Instruction Fuzzy Hash: 23D1E975B00218CFCB44DFA8D994AAEB7B6FF88301F104568E506AB3A5DB71ED42CB50
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9271fa9061b92ef648583cb0e8dba192b5b71b37fd0b2014b1e877b67c1b08e4
                                                • Instruction ID: 161d2c9771e8884b493f5ab14fdd1e4b93449af102d7ed4d7776d5779ee3f691
                                                • Opcode Fuzzy Hash: 9271fa9061b92ef648583cb0e8dba192b5b71b37fd0b2014b1e877b67c1b08e4
                                                • Instruction Fuzzy Hash: ECC1C775B00218CFCB44EFA8C994AADB7B6FF88301F504569E506AB3A5DB71ED42CB50
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d11b83fefd1ae887f68e57e73898399294f6556ffb7585f191493660da6f2487
                                                • Instruction ID: 74af0a379e9cae73144b57f83229b98787112451959a85ec59211e2d001b8d31
                                                • Opcode Fuzzy Hash: d11b83fefd1ae887f68e57e73898399294f6556ffb7585f191493660da6f2487
                                                • Instruction Fuzzy Hash: D2A18E353042409FD71A9F68D894E2A7BB2EF89310B1585ADE2068F3B6CB35EC42DB51
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 53f3acbad53f8c6ae8ca189fe70b1670612593f2dc0cc5abd2583c7be65a806f
                                                • Instruction ID: d9da124cc01eb4f8cb29d461ead897506545ab6f56766b5d677fc881eafa9b20
                                                • Opcode Fuzzy Hash: 53f3acbad53f8c6ae8ca189fe70b1670612593f2dc0cc5abd2583c7be65a806f
                                                • Instruction Fuzzy Hash: 53B1FC74B112189FCB44DFA9D894E9EBBB6FF88700F148059E506AB3A5DB71EC41CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 546c99952cc54a18aae2cf035778cfff8a872b75ab7ca078848fbd716cecd2e4
                                                • Instruction ID: afd4ea6f1bea743cdae8ffb80d12efd61453a658058e2043496707d8dbbe2925
                                                • Opcode Fuzzy Hash: 546c99952cc54a18aae2cf035778cfff8a872b75ab7ca078848fbd716cecd2e4
                                                • Instruction Fuzzy Hash: 11A129747006148FCB44EF68C854A6E7BB2AF89700F50896CE5169F3A4EF75ED42CB91
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a9426ecde69ae6901947a24eb7be968c13561b9c5587d86d789568a4b115ed60
                                                • Instruction ID: 86e1bc82b5938b65af41bfeb52d468d0da8a81712450ccba79345c44c5860472
                                                • Opcode Fuzzy Hash: a9426ecde69ae6901947a24eb7be968c13561b9c5587d86d789568a4b115ed60
                                                • Instruction Fuzzy Hash: 8BA129747006148FCB48EF68D854A6E7BB2AF89700F50896CE5169F3A4EF74ED42CB91
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7ab2d0022a4a9de478bce69fbb17640abe682fa32224e67af1367edfa29d5f9a
                                                • Instruction ID: 9342c1e609dc34cca75c8967e4ed6d07819eff4b993264e6e7fd55bd8bf111fa
                                                • Opcode Fuzzy Hash: 7ab2d0022a4a9de478bce69fbb17640abe682fa32224e67af1367edfa29d5f9a
                                                • Instruction Fuzzy Hash: 01915A747102149FCB58DF68C898A6DBBB6AF89601F5480ADE516DF3A5DB30EC42CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 824c6cb018c4333d22c09f9a76853477a7d56a35e3cec3700ff8c9a3b5872e61
                                                • Instruction ID: 96399f18ae87f3f151d5da3eb5d9f70700613dd7dff317fb2feb1501e1e2bc93
                                                • Opcode Fuzzy Hash: 824c6cb018c4333d22c09f9a76853477a7d56a35e3cec3700ff8c9a3b5872e61
                                                • Instruction Fuzzy Hash: 8D813774B006199FDB48EB64D454BAEB7B3EF88701F20852DD502AB390DF75AD42CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 55503ce87154db50f9deba29a11e0588bc61bd32154b4b5043a69dcd0ccae050
                                                • Instruction ID: 6b9541bd219051190d7505799c59592932faf6937562de8e317b22a303f6823a
                                                • Opcode Fuzzy Hash: 55503ce87154db50f9deba29a11e0588bc61bd32154b4b5043a69dcd0ccae050
                                                • Instruction Fuzzy Hash: 6E810574A21229EFDB54CF98D880EADB7B2FF88311F164159E905AB361E731EC41CB50
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 33e5e68413403a3800386ce82a02f414841da67ead33a3150b81c75b3ffa266e
                                                • Instruction ID: 7b4007ba3c2e1de8d0f906777aef7f111046ca3813f44c4d38fd3268e418151d
                                                • Opcode Fuzzy Hash: 33e5e68413403a3800386ce82a02f414841da67ead33a3150b81c75b3ffa266e
                                                • Instruction Fuzzy Hash: 3851DF713047519FD728DF2AC890B5EBBF2EF84720F10852EE5568B2A1DB75E8058B60
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 33574e195f0bdfaa8b09e8834755bc8d37fadae96dd1cd6cf69d1d73f163dff6
                                                • Instruction ID: e2bd497114579e81abb8b7c6058a670d450a5def982e7fdf3a51a401bf3cae1a
                                                • Opcode Fuzzy Hash: 33574e195f0bdfaa8b09e8834755bc8d37fadae96dd1cd6cf69d1d73f163dff6
                                                • Instruction Fuzzy Hash: 91516F74B006158FC744EF78C95496EBBB6FF8A700B1045AAE506DB365EB30ED06CBA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9d94fe5af42f8a44e9c08615be0ac6d681061f1e7c277824d63e39f571f44c93
                                                • Instruction ID: 64b908d7814096f77900c794705885669d86dfe49ece2554abafc416f02916b4
                                                • Opcode Fuzzy Hash: 9d94fe5af42f8a44e9c08615be0ac6d681061f1e7c277824d63e39f571f44c93
                                                • Instruction Fuzzy Hash: 41613974B102049FCB54DF68C894A6DB7B6BF88701F5480ADE5169F3A5DB30EC42CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 21009ae5230c1d0bb35be295acdde88a9c5f6fbd72c408c195720666e513d73a
                                                • Instruction ID: 53fef6ccccdd7645b03d9c07200518fc66f02abf5d11d9df700cfb1b7828080f
                                                • Opcode Fuzzy Hash: 21009ae5230c1d0bb35be295acdde88a9c5f6fbd72c408c195720666e513d73a
                                                • Instruction Fuzzy Hash: 8241E3327041596FCF029EA69C509FFBBFEEF88111B04407AFA55E3291DA35C9159BB0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8f018a0f0903a73a2b6e9f89d39d09546d679278bf124920a9505c673634b8a7
                                                • Instruction ID: b11e702a268a07ffab6a7a5e219734bd49d8eb0f4520f669d2a8c8b00caae15b
                                                • Opcode Fuzzy Hash: 8f018a0f0903a73a2b6e9f89d39d09546d679278bf124920a9505c673634b8a7
                                                • Instruction Fuzzy Hash: E5514974B016159FDB19EF64D494BAEB7B3EF88301F20452DD402AB390DB75AD42CB91
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 812f7ff849c50ae078414b3568cee57944c7ef75d6e8b0af52671a8240c635de
                                                • Instruction ID: a9ce9c3016b5c8dac241babb7610da5f09beb4e5e01d41274517ae1b875e60a3
                                                • Opcode Fuzzy Hash: 812f7ff849c50ae078414b3568cee57944c7ef75d6e8b0af52671a8240c635de
                                                • Instruction Fuzzy Hash: 69418070B106148FCB54AB78C894A6EB7BBAFC9700F50446DD512AF3A4DF74AC06CB91
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a9f6ddf5d578101cffb9513acd719ef4a03d2843bae7b1515c089874d3721274
                                                • Instruction ID: c79a5d509527f39a878515b2fc6c10de709f3d21e514ef2f84d89c305bb5cdec
                                                • Opcode Fuzzy Hash: a9f6ddf5d578101cffb9513acd719ef4a03d2843bae7b1515c089874d3721274
                                                • Instruction Fuzzy Hash: 4841DE31B09704CFCB64DB79E55029EBBF2EF84621B44896ED15ACBA90DB30F841CB91
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a7d782f94634a51c836f07368683c92bdec86c691ca303e6f235ca95eab1b677
                                                • Instruction ID: c14d8c8eab2ab39462628f63ef17ed20cfcc20b0250d0da2c5cf110eec5e0e67
                                                • Opcode Fuzzy Hash: a7d782f94634a51c836f07368683c92bdec86c691ca303e6f235ca95eab1b677
                                                • Instruction Fuzzy Hash: 52418E31B006159FC744DB69C854A9EBBF6FF8C310B2585AAE609EB365DB31EC01CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9f4449a38dad0282bdd5f76c3844fbea34ada9559455e704b72dad1436fc52fa
                                                • Instruction ID: 5ba59946ce93296dcced8e771bb1face45bfc1abb84c56cc6f44ff33d2b31751
                                                • Opcode Fuzzy Hash: 9f4449a38dad0282bdd5f76c3844fbea34ada9559455e704b72dad1436fc52fa
                                                • Instruction Fuzzy Hash: 363128357406149FD7589B69C854F2A7BEAAFC8704F10446CE20A8B3A5DF71EC42C7A1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9063c94c639f362199e52d4de58c6ca0444d8ddb06c5476d811a13e8019a646d
                                                • Instruction ID: e14ccecc90f9ae12253dec3e62d19aba53f849cf856298dbf610704de999a9aa
                                                • Opcode Fuzzy Hash: 9063c94c639f362199e52d4de58c6ca0444d8ddb06c5476d811a13e8019a646d
                                                • Instruction Fuzzy Hash: D93128357406149FD758DB69C898F2B7BAAAFC8704F104468E20A8B3A5DF71EC02C7A1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 486f956d92b3077303b29243b97d05fe1408010fe66819827f16dea129f21bb5
                                                • Instruction ID: 89da94b0b7a4374caee3fa237303ea284bf2135577845a54b3459764b6da3e7c
                                                • Opcode Fuzzy Hash: 486f956d92b3077303b29243b97d05fe1408010fe66819827f16dea129f21bb5
                                                • Instruction Fuzzy Hash: 1F31AF70B002549BCB59AB7488A467EBBB6AF8A700F14406EE107EF395CF74AC06C751
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5f4ef0b9698820d114efe9b5fae253d58436a7ed39772b4395da6be6fe3f04b6
                                                • Instruction ID: ec6fb683be3f30bab27a760e78611201852c409c7e67a2ec943b77554637d3df
                                                • Opcode Fuzzy Hash: 5f4ef0b9698820d114efe9b5fae253d58436a7ed39772b4395da6be6fe3f04b6
                                                • Instruction Fuzzy Hash: F5317E74B146188FCB45EF78C854A6EBBB6AFC9700B10816AD502DB365EF349D06CBE1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c44f8bf70b0cd833c899f439799562d78fd313e57394c81d8ea31efdf45d00a7
                                                • Instruction ID: 682c8c55bb3c1056f7088b57b7e5cc778f28a967deaafe305494982245698e58
                                                • Opcode Fuzzy Hash: c44f8bf70b0cd833c899f439799562d78fd313e57394c81d8ea31efdf45d00a7
                                                • Instruction Fuzzy Hash: CD313E35A011189BDF14DFA8D854AEEB7B6FF88311F108029E812B73A4CB719D05DFA0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0a1720d3a820f461650dac8bbed93a4287fd967c4d053a683d8a73a4c7afb19c
                                                • Instruction ID: 1443f2310b31b8c98385ebeb0924b462c92fb5fef25023d2afa6eb5700dc05d9
                                                • Opcode Fuzzy Hash: 0a1720d3a820f461650dac8bbed93a4287fd967c4d053a683d8a73a4c7afb19c
                                                • Instruction Fuzzy Hash: 83314D74B105188FCB84EF74C894A6EBBB6AFC8700F10856AD5069F364DF7499028BE1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fc93f120aac5820e48c864bb3236801491225c1b3090623d86600bf3d779942c
                                                • Instruction ID: 10bdee20a0bffca926d76e9d017771f7ab0db94eb144fb71a2b2d2d07eae7364
                                                • Opcode Fuzzy Hash: fc93f120aac5820e48c864bb3236801491225c1b3090623d86600bf3d779942c
                                                • Instruction Fuzzy Hash: 76317E75E01264DFDB04CFA9E895BEDBFB1AF48310F05815EE511AB261DB70A845CF60
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ce2a889d374c3f7e5472df009a24d608c471cd58e44b9958e422484c6513a55c
                                                • Instruction ID: 36170af43844ac0c09dc71da346cd68d1d7a63d4d387a16e4782a4082830adcd
                                                • Opcode Fuzzy Hash: ce2a889d374c3f7e5472df009a24d608c471cd58e44b9958e422484c6513a55c
                                                • Instruction Fuzzy Hash: 10212A31A04219EFCB15DFA8C8449EE7FB6FF8D320F149529E515AB290DB719841CBA4
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3355636221.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_14cd000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2cb0334916352c4eb20e69cd4813cbbf27673605837384cf6e069887c37e01e7
                                                • Instruction ID: 552aa9a770e1dac28c2e25425a7dfcb5f520488853304d3d1b9432b96360256c
                                                • Opcode Fuzzy Hash: 2cb0334916352c4eb20e69cd4813cbbf27673605837384cf6e069887c37e01e7
                                                • Instruction Fuzzy Hash: 512125B9904200EFDB55DF59D9C0B26BBA1FB84B18F20C57ED90A0B366C376D407CAA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 734fb7a288e07b20a0bfbe767599460450b20762e9f690b51e358341576b613b
                                                • Instruction ID: e25a94c6cd9e9458415ad7de900317a835d41f5cb6d0e87dc4d1eb0eb3a5f665
                                                • Opcode Fuzzy Hash: 734fb7a288e07b20a0bfbe767599460450b20762e9f690b51e358341576b613b
                                                • Instruction Fuzzy Hash: 4421AE706002048FCB55EF34D894AAABBF6FF89310F1485ADE5469B361EB70ED05CBA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 17365dce747072c9924d137c50a272e3730a547286df20c2f91c66eb62d5886a
                                                • Instruction ID: d04df68db31f445ed1c4d2720f922d7c5ac8bed8cd32e180c8708a7a5d189e96
                                                • Opcode Fuzzy Hash: 17365dce747072c9924d137c50a272e3730a547286df20c2f91c66eb62d5886a
                                                • Instruction Fuzzy Hash: EF11A576200614EFCB069F94D804D7A7BB6EF8D311B0540EAE6458F272DF72D992DB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3927bff0b2cbe35bb4fdc9b321b03b1a29d08451c412c5bda1004fad788ef348
                                                • Instruction ID: e194d319e7f3013c83eb9deca37116a594c3a20a82ad401c278c34344ee8617b
                                                • Opcode Fuzzy Hash: 3927bff0b2cbe35bb4fdc9b321b03b1a29d08451c412c5bda1004fad788ef348
                                                • Instruction Fuzzy Hash: E3214C31A04218EFCB159FA8C8449DE7FB6FF8C320F145529E515A7390DF719841CBA0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6687682ef63843bad176b4ea1f447127de83dae2bc716d926a6c1274fbb2b778
                                                • Instruction ID: ebe2fa5a341c9f3ab3cd9f972138f7f499b922fe3bb5d319ef79f801916b580b
                                                • Opcode Fuzzy Hash: 6687682ef63843bad176b4ea1f447127de83dae2bc716d926a6c1274fbb2b778
                                                • Instruction Fuzzy Hash: EA11C8717097408FC319CB39D81561A7FF2EFCA721B45886FE14ACB691DB70A845C750
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3355636221.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_14cd000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 99dec4fc0d55957a228c20318506daf9e035b76c9f70cebe0eb76d5d35044129
                                                • Instruction ID: d6ae720b2a8a35e9d0c2cdc976120d38feb284fd606569160ad49deee097d295
                                                • Opcode Fuzzy Hash: 99dec4fc0d55957a228c20318506daf9e035b76c9f70cebe0eb76d5d35044129
                                                • Instruction Fuzzy Hash: D52183755093808FC712CF24D594716BF71EB46614F28C5EFD8498B667C33A980ACBA2
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aaaabee8efc629cb98b9e9ac04aff4ebb512f2c47d68b0daea749dca1cbd9f8e
                                                • Instruction ID: fafed661703b9577a0c072d0e9521065aa14cae565a61a3a3aecf4b623c1226d
                                                • Opcode Fuzzy Hash: aaaabee8efc629cb98b9e9ac04aff4ebb512f2c47d68b0daea749dca1cbd9f8e
                                                • Instruction Fuzzy Hash: 9C115B74B106048FCB54EF38D994AAEB7F6EF88310F148569E5069B360DB70ED06CBA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0fbdfa41fcb3b8fe2691e0df0e6185d14fd8d6a01b32926016079aa7fafdd60c
                                                • Instruction ID: 144ec5d008d85548879daea031f269ac5589238a9c1516811ca6eeb8733d873c
                                                • Opcode Fuzzy Hash: 0fbdfa41fcb3b8fe2691e0df0e6185d14fd8d6a01b32926016079aa7fafdd60c
                                                • Instruction Fuzzy Hash: 990142613087519FC71A27398420A3E7AA69FC6A01F1840BFD541CB382EF789D02C3E2
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 70d87cbf270efb30c41918fa260e46e7e935df633106528fb98e256ea1a67ff1
                                                • Instruction ID: cc9e097d43111c3df4f877d660b9a0502e24d2bbfad3353051a50b9abbc1c34e
                                                • Opcode Fuzzy Hash: 70d87cbf270efb30c41918fa260e46e7e935df633106528fb98e256ea1a67ff1
                                                • Instruction Fuzzy Hash: DD112A70A11229DFCB54CB68D894EADBBB2FF48321F05009AE515AB3A2CB759C45CB40
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a4bbbabcbb71fca86044242a493d2a45c6da16c4403b324b5ae2ca245911108f
                                                • Instruction ID: c41ec908af231f5323e66cefad1feb559211b391ddddbcb8787c324f54aa3805
                                                • Opcode Fuzzy Hash: a4bbbabcbb71fca86044242a493d2a45c6da16c4403b324b5ae2ca245911108f
                                                • Instruction Fuzzy Hash: 130171793006149FC7099B24E46891EBBB6EFCD7107108569E9068B3A5CF31EC42CB95
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f0489ee781bfafc86dfc60ffd0bee40ad3b2aa251eeae485a7fbda81596451c7
                                                • Instruction ID: 305885b7641d11112e3857d346e47dd057cda315200cb7e319247266773372fc
                                                • Opcode Fuzzy Hash: f0489ee781bfafc86dfc60ffd0bee40ad3b2aa251eeae485a7fbda81596451c7
                                                • Instruction Fuzzy Hash: 1201D6313057809FC72A9B34D454A3ABBB2EFCA311F5886ADE0568B791CB71ED02DB51
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 27172805111efb2f5410bb1ea994377e79d0a3f96bb24beb0c8c5d7177365de4
                                                • Instruction ID: 957ee9bff79de7c620286ff9252d0b3eae8d3ec6eb12b7e0b2de6989908d0bc0
                                                • Opcode Fuzzy Hash: 27172805111efb2f5410bb1ea994377e79d0a3f96bb24beb0c8c5d7177365de4
                                                • Instruction Fuzzy Hash: D00171353017009FD7299B24E454A2BBBB3EFC9311F54896CE5668B790CB75ED02DB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8ede05e8595cb8701dab2df43eef426b5e5bf72e52de9536868fc838f751251a
                                                • Instruction ID: 2aa73e2741eb86777e3d5cac4cb94cae1cece7157f404b070976eeddeec31069
                                                • Opcode Fuzzy Hash: 8ede05e8595cb8701dab2df43eef426b5e5bf72e52de9536868fc838f751251a
                                                • Instruction Fuzzy Hash: B901B131E086099FCB01DFACD4049DDBFB5BF89311B0185AEE049E7360EB309A08CB61
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6bf61141dd406ce243f7fd265bd58964ec5ad101fb95998a9abea433e5ee80f7
                                                • Instruction ID: 196399cf11989e7996e9ff65dd37fce4f07062b9f305c232f98507a7c906fc07
                                                • Opcode Fuzzy Hash: 6bf61141dd406ce243f7fd265bd58964ec5ad101fb95998a9abea433e5ee80f7
                                                • Instruction Fuzzy Hash: 83013C753003409FC715DB29C858D3A7BB6EF8A761B1544AAEA46CF3A1CA71EC42DB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 09d861def330d744da148bb32d9cfdad741731d19c832637cecc8ade2f820da6
                                                • Instruction ID: 14087eb521b991d59d3fa7808841573bfa634ac3a467b80ca0921e378fc8d7fd
                                                • Opcode Fuzzy Hash: 09d861def330d744da148bb32d9cfdad741731d19c832637cecc8ade2f820da6
                                                • Instruction Fuzzy Hash: BD014F793006109FC7099B28D46892EB7A7EFCC711B108569EA1A8B794CF75FD02CBD0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3355499118.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_14bd000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 649c589f8f27fc8b18b4562adb1f5881b342cf0aa66d7c6b68c9c5dab711d3c7
                                                • Instruction ID: 45df04bc6eea7ed410048ef8bc4b7a35cad8cadb544dff24f6d62f78d684618c
                                                • Opcode Fuzzy Hash: 649c589f8f27fc8b18b4562adb1f5881b342cf0aa66d7c6b68c9c5dab711d3c7
                                                • Instruction Fuzzy Hash: 5AF0FF75600604AF97108F0AD885C63FBADFBD4774715C59AE94A4B722C671EC41CEB0
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3355499118.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_14bd000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 305ed6f8fa8ed7ad02a4ef17ca8e1e012abcc65b560c84d35fe0712eb8dc6afe
                                                • Instruction ID: 1200c7a0874fde1461c2e28cf4e9323d774600b8a9259003528a9ce2e4ca9fc1
                                                • Opcode Fuzzy Hash: 305ed6f8fa8ed7ad02a4ef17ca8e1e012abcc65b560c84d35fe0712eb8dc6afe
                                                • Instruction Fuzzy Hash: 2EF01975104640AFD715CF06C884C63BFB9EB857607198489E84A8B362C671FC42CB60
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 451fcf7f3fc4fc32cc4d90188b3baa2a4c3377cdf281eda21e8e6d941c60866a
                                                • Instruction ID: 872f0811d1188c68556e654b6f6e83cbcecbfe8debd6f8cc5ee83926413ce219
                                                • Opcode Fuzzy Hash: 451fcf7f3fc4fc32cc4d90188b3baa2a4c3377cdf281eda21e8e6d941c60866a
                                                • Instruction Fuzzy Hash: 8EF05E753002009FC704DB29D858D3A77AAEFC9721B1040B9FA468B360CA31EC42CB90
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2e794870654b0d936d35d9f3bc5f51bd3ad6a4a766805e0764eb2d482d6258f3
                                                • Instruction ID: 70c029846d08e5f58fc5c73e7a440459ed8ec973a963e703b8a7f5b028e42164
                                                • Opcode Fuzzy Hash: 2e794870654b0d936d35d9f3bc5f51bd3ad6a4a766805e0764eb2d482d6258f3
                                                • Instruction Fuzzy Hash: 18E0323004E3C0AEC713AB38C8A0650BFB4EE17210B8A44EBD4C68B06BDA211816CB66
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 825a8928a6623c24c981430e6b57961d45617a8169c1554324e502795b25dd67
                                                • Instruction ID: 3f28a33416cac73a37cb31158ef904bad9b0f68cba3dcf07605d05e2e25ff117
                                                • Opcode Fuzzy Hash: 825a8928a6623c24c981430e6b57961d45617a8169c1554324e502795b25dd67
                                                • Instruction Fuzzy Hash: B0F0A0717001009FDB04CB19D980A99BBF1EF88314F15809DE509AB361C772FC028B50
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0b613b3d3c83d760d7d4578b28a91bae990c40955e2e9e01b5b442a7a06e2a31
                                                • Instruction ID: d2d2e7b0dc49a47455e440cf55f80270b1e96008ff6d85bdf59c4982c2416490
                                                • Opcode Fuzzy Hash: 0b613b3d3c83d760d7d4578b28a91bae990c40955e2e9e01b5b442a7a06e2a31
                                                • Instruction Fuzzy Hash: 50F065B0A11129EFDB64CF64DC99BAEBBB1FF08302F12006CE006AB2A0CB355C54CB00
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8110d3030cc0c607e280cfc00af0328b871df2007eae2a728e51475ff63d940d
                                                • Instruction ID: 455c503484ace46aa26ad1ef1d42cac7377d29f8a2e9f819f9f9e3c5a440cbe3
                                                • Opcode Fuzzy Hash: 8110d3030cc0c607e280cfc00af0328b871df2007eae2a728e51475ff63d940d
                                                • Instruction Fuzzy Hash: 2AE02B313063918FE385F3B4242049B7B975F8628174880DFE58AC7A81DE718C03474D
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d4856ccacb829287528452a9ca84332cbd87345b53e53c319e280806cdd695b7
                                                • Instruction ID: 64c1f244977a50ea283cacbfbf334f1c27a27013893ad868c775bdbf4e51e67c
                                                • Opcode Fuzzy Hash: d4856ccacb829287528452a9ca84332cbd87345b53e53c319e280806cdd695b7
                                                • Instruction Fuzzy Hash: 31D062341092409FC346CF58C861911BBF5AF5B304728C8DED585CF152CA325913EB51
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a746e0ac35b97cb54cccc8daa79fc0874c3ec8178a271e78c1a1784b53fd7770
                                                • Instruction ID: dc8f8b57a379dc2627667842565570e825c6ad39984bc0de3b30bd8bd025e833
                                                • Opcode Fuzzy Hash: a746e0ac35b97cb54cccc8daa79fc0874c3ec8178a271e78c1a1784b53fd7770
                                                • Instruction Fuzzy Hash: 3BD0C97530122457C748A6BAA41456F729F9BC9291B05806AAA0AC7744DD71AC02479D
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 11c4d2e05b5477e1f8fa06c5ae7cc8a05ad9a9177e1ede7c8a7dbe0fabc652e0
                                                • Instruction ID: ae3e30dde296928808df689a709fd9fa646f8b23898449c699bdb8d8f39c9ff2
                                                • Opcode Fuzzy Hash: 11c4d2e05b5477e1f8fa06c5ae7cc8a05ad9a9177e1ede7c8a7dbe0fabc652e0
                                                • Instruction Fuzzy Hash: 14D05E301093818FD70BCB3080288117BB2EF8330030488AAD1C6CB192C630AC54DB51
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6f3f7a4e8ec5c3e38f5acd8d169901c7e151ea6e725d077cea6d66f154ae5532
                                                • Instruction ID: f8f2a3638aaa57ca7efd79b95730aeb26015b8ab7d72157164246acff69087b2
                                                • Opcode Fuzzy Hash: 6f3f7a4e8ec5c3e38f5acd8d169901c7e151ea6e725d077cea6d66f154ae5532
                                                • Instruction Fuzzy Hash: 14D092760496849FC7028B64E9A58607FB1AF5A62132A80D7E489CB6B3C2269C56DB12
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3bb57dd8e674f2ecae6e192626a94463a44a95e3835408c2a183ca1a6322458a
                                                • Instruction ID: c61f68cbb545cc2c72985d2540084c5f163d08083b7aabcfbf0cd6be8ee5602b
                                                • Opcode Fuzzy Hash: 3bb57dd8e674f2ecae6e192626a94463a44a95e3835408c2a183ca1a6322458a
                                                • Instruction Fuzzy Hash: 9FB012B35919199769011EF47C0CECF3B17EF342ED7580072F29DC22109B0AC6078B84
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7a26bb0edc37e7caf55dcd9bbda8e79e0b3ad715d3aa9fa048ad275b99b31930
                                                • Instruction ID: f4ae67ad32c9b4bd67c688e8ffe8eb37e0ab0f82a1f10581992fe55eb7a5b722
                                                • Opcode Fuzzy Hash: 7a26bb0edc37e7caf55dcd9bbda8e79e0b3ad715d3aa9fa048ad275b99b31930
                                                • Instruction Fuzzy Hash: 88D0C9351082809FC352CB14C860810BBF1AF95308B18C4EEAAC98B253EB33AC57DB81
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                                                • Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
                                                • Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                                                • Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.3396875213.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_8170000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 437acedf342e23a17788c8e0958f874cfa27dfb54ca69f850d6cf33571bed906
                                                • Instruction ID: 602a9815e1cb42afdf32ccd15e0b4301fb70bab2649b17bd162a2c5a59400dfb
                                                • Opcode Fuzzy Hash: 437acedf342e23a17788c8e0958f874cfa27dfb54ca69f850d6cf33571bed906
                                                • Instruction Fuzzy Hash: D9B09232005208AB8A009B84E904855BB69AB58600B408025B649071218B32A822DB94

                                                Execution Graph

                                                Execution Coverage:7%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:76
                                                Total number of Limit Nodes:7
                                                 execution_graph (flattened edge list of the interactive graph; the addresses fall in the 0x01590000 region dumped from process 12 that the Source File entry below names, and the node IDs and edges are not reproducible as text). API-calling paths recoverable from it:
                                                 • root 0x1594668 -> 0x1596414 -> 0x1597370: CreateActCtxA
                                                 • 0x1598560 -> 0x15985e0 -> 0x159bed1 -> 0x159bff0 -> 0x159c238: GetModuleHandleW
                                                 • 0x15985e0 (annotated "2 API calls") -> 0x159e247 -> 0x159e2c0 -> 0x159e3ba: KiUserCallbackDispatcher
                                                 • root 0x1596540 -> 0x159611c -> 0x1596788: DuplicateHandle

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0159C256
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2278416431.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_1590000_outlooks.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: d5b4cda5f58b7760cd22cb77b7f3fe2cbabe848a732f34cde3b9f90a8138adee
                                                • Instruction ID: bea36386d2f3bb85af3a7c2bed22ccfda1ecf40267ab729555c15865769d6f08
                                                • Opcode Fuzzy Hash: d5b4cda5f58b7760cd22cb77b7f3fe2cbabe848a732f34cde3b9f90a8138adee
                                                • Instruction Fuzzy Hash: DF8158B0A00B06CFDB25DF69C54575ABBF1FF88204F00892ED59ADBA40DB75E845CB92

                                                 Control-flow Graph
                                                 • Function 1596414: entry block 1596414-1597431 calls CreateActCtxA; successor blocks 1597433-1597439, 159743a-1597494, 1597496-1597499, 15974a3-15974a7, 15974a9-15974b5, 15974b8, 15974b9 (self-loop)
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 01597421
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2278416431.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_1590000_outlooks.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 2ad660a247473bc66100daaa2815544f63f3f900891a99bf46502ec36bc0934b
                                                • Instruction ID: fa2c11969e7eab2955d3d1234121f7a30c4671ad9ef358ce0fbbea83d068a86f
                                                • Opcode Fuzzy Hash: 2ad660a247473bc66100daaa2815544f63f3f900891a99bf46502ec36bc0934b
                                                • Instruction Fuzzy Hash: 1941CEB1C0071DCBEB24DFA9C944B9EBBF6BF48714F20806AD408AB251DBB56945CF91

                                                 Control-flow Graph
                                                 • Function 1597364: entry block 1597364-1597431 calls CreateActCtxA; successor blocks 1597433-1597439, 159743a-1597494, 1597496-1597499, 15974a3-15974a7, 15974a9-15974b5, 15974b8, 15974b9 (self-loop)
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 01597421
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2278416431.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_1590000_outlooks.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 2b0725ff41d71f6e6f7503c60ed8a9222be1610d2c6a8c2504f541851d5cd6be
                                                • Instruction ID: c6322ee2e0316cf6199550604f5d8dc5aa2eaf02120eecf9a5d60ab0181db9fb
                                                • Opcode Fuzzy Hash: 2b0725ff41d71f6e6f7503c60ed8a9222be1610d2c6a8c2504f541851d5cd6be
                                                • Instruction Fuzzy Hash: 1741EFB1C00719CBEF24CFA9C944BDEBBB6BF48704F20816AD418AB251DB756949CF91

                                                 Control-flow Graph
                                                 • Function 1596780: blocks 1596780-15967dc, 15967df-159681c (calls DuplicateHandle), 159681e-1596824, 1596825-1596842
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0159674E,?,?,?,?,?), ref: 0159680F
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2278416431.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_1590000_outlooks.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 2584eab78cf7a541f4a890a06dce1b38269b42c97d721dfab631cc4d647725b6
                                                • Instruction ID: 4639c1adbe3ae891ff016f7a0b82c95a7266e91ab55e5fa2549a5349f46c1fc7
                                                • Opcode Fuzzy Hash: 2584eab78cf7a541f4a890a06dce1b38269b42c97d721dfab631cc4d647725b6
                                                • Instruction Fuzzy Hash: E53139B1800248DFDF10CFAAD984AEEBFF4FB08324F14851AE864A7251D779A945CF65

                                                 Control-flow Graph
                                                 • Function 159611c: entry block 159611c-159681c calls DuplicateHandle; successor blocks 159681e-1596824, 1596825-1596842
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0159674E,?,?,?,?,?), ref: 0159680F
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2278416431.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_1590000_outlooks.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 00bb62b60f8a5ccd997830a906274037afbfe7811f6563657ccd42bcceec91c2
                                                • Instruction ID: 2e4fdff0acf9224ad216f78300bbfe54f8ad581e6c92a7ebd9db8799dabb0cc9
                                                • Opcode Fuzzy Hash: 00bb62b60f8a5ccd997830a906274037afbfe7811f6563657ccd42bcceec91c2
                                                • Instruction Fuzzy Hash: 4321E3B5900209DFDB10CF9AD984AEEBFF4FB48320F14841AE918A7310D378A954CFA5

                                                 Control-flow Graph
                                                 • Function 159c1f0: blocks 159c1f0-159c230, 159c232-159c235, 159c238-159c263 (calls GetModuleHandleW), 159c265-159c26b, 159c26c-159c280
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0159C256
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2278416431.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_1590000_outlooks.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 23337e2934a0818e99b868915210bf852f3c8e52942c44751dbc3faa753255ac
                                                • Instruction ID: b6909d1df15ff8c8218cf1c465178960d10e3cefb408898f9de7b13f4a468b85
                                                • Opcode Fuzzy Hash: 23337e2934a0818e99b868915210bf852f3c8e52942c44751dbc3faa753255ac
                                                • Instruction Fuzzy Hash: 21110FB6C002498FDB14CF9AC544A9EFBF4BB88620F10855AD569A7200C3B9A545CFA1
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2272993537.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_127d000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 01fd90657d8049bf5174b7943910dccfed8dd931c3bca895e3da033507e89949
                                                • Instruction ID: 520e580695bfeba180556daa5f78a407f6ec34ced3384829bd878c98233c3cb1
                                                • Opcode Fuzzy Hash: 01fd90657d8049bf5174b7943910dccfed8dd931c3bca895e3da033507e89949
                                                • Instruction Fuzzy Hash: EB212275614208EFDB16DF64D9C0B27BB61FF84314F20C56DDA0A0B252C37AD407CA61
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2272993537.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_127d000_outlooks.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9bd1a421bad9f891139ec3d1ead6c4986ebcadd6e5ef1d9e2ea4f24934432c8c
                                                • Instruction ID: 5cf80f4d4e31d6e5d5a8d2a0e0e6b6c14dbbc6fe6f211ee19705fee131259272
                                                • Opcode Fuzzy Hash: 9bd1a421bad9f891139ec3d1ead6c4986ebcadd6e5ef1d9e2ea4f24934432c8c
                                                • Instruction Fuzzy Hash: 53218E755093848FCB03CF24D990716BF71EF46314F28C5EAD9498B6A7C33A980ACB62
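The entries above are easier to triage once they are turned into per-region records. The following Python is an added example, not Joe Sandbox code or a documented report format: it parses the APIs, Source File and Instruction Fuzzy Hash lines into records keyed by dump region and flags regions whose protection and type fields decode to PAGE_EXECUTE_READWRITE + MEM_PRIVATE with "based on PE: false". The field layout assumed for the .sdmp name (PID, dump index, id, base address, protection, unknown, type, unknown) is inferred from the entries on this page and is an assumption; only the standard winnt.h constants are decoded. The sample input is constructed from the lines shown above.

```python
"""Parse Joe Sandbox "APIs" / "Memory Dump Source" entries into region records.

Added example, not Joe Sandbox tooling. The .sdmp name layout
(pid.dump_index.id.base.protect.?.type.?) is an assumption inferred from the
entries in this report; only standard winnt.h constants are decoded.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input, copied from the entries in this report.
SAMPLE_REPORT = """\
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0159C256
Memory Dump Source
• Source File: 0000000C.00000002.2278416431.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
• Snapshot File: hcaresult_12_2_1590000_outlooks.jbxd
• Instruction Fuzzy Hash: DF8158B0A00B06CFDB25DF69C54575ABBF1FF88204F00892ED59ADBA40DB75E845CB92
APIs
• CreateActCtxA.KERNEL32(?), ref: 01597421
Memory Dump Source
• Source File: 0000000C.00000002.2278416431.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
• Instruction Fuzzy Hash: 1941CEB1C0071DCBEB24DFA9C944B9EBBF6BF48714F20806AD408AB251DBB56945CF91
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0159674E,?,?,?,?,?), ref: 0159680F
Memory Dump Source
• Source File: 0000000C.00000002.2278416431.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
• Instruction Fuzzy Hash: E53139B1800248DFDF10CFAAD984AEEBFF4FB08324F14851AE864A7251D779A945CF65
Memory Dump Source
• Source File: 0000000C.00000002.2272993537.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
• Instruction Fuzzy Hash: EB212275614208EFDB16DF64D9C0B27BB61FF84314F20C56DDA0A0B252C37AD407CA61
"""

PAGE_EXECUTE_READWRITE = 0x40   # winnt.h page protection
MEM_PRIVATE = 0x20000           # winnt.h MEMORY_BASIC_INFORMATION.Type

API_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")
# Assumed layout: pid.dump_index.id.base.protect.unknown.type.unknown.sdmp
SDMP_RE = re.compile(
    r"Source File:\s*([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\."
    r"([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp,"
    r"\s*Offset:\s*([0-9A-F]+),\s*based on PE:\s*(true|false)")
FUZZY_RE = re.compile(r"Instruction Fuzzy Hash:\s*([0-9A-F]+)")


@dataclass
class Region:
    pid: int
    dump_index: int
    base: int
    protect: int
    mem_type: int
    based_on_pe: bool
    apis: list = field(default_factory=list)          # (api, module, ref address)
    fuzzy_hashes: list = field(default_factory=list)

    def is_injected_code_candidate(self) -> bool:
        """RWX private memory holding code that is not a mapped PE image is a
        common injection artifact (a triage signal, not proof by itself)."""
        return (self.protect == PAGE_EXECUTE_READWRITE
                and self.mem_type == MEM_PRIVATE
                and not self.based_on_pe)


def parse_report(text: str) -> dict:
    """Group API references and fuzzy hashes by (pid, dump index, base)."""
    regions = {}
    pending_apis = []   # "APIs" lines precede the "Memory Dump Source" they belong to
    current = None
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            pending_apis.append((m.group(1), m.group(2), int(m.group(4), 16)))
            continue
        m = SDMP_RE.search(line)
        if m:
            key = (int(m.group(1), 16), int(m.group(2), 16), int(m.group(4), 16))
            current = regions.setdefault(key, Region(
                pid=key[0], dump_index=key[1], base=key[2],
                protect=int(m.group(5), 16), mem_type=int(m.group(7), 16),
                based_on_pe=(m.group(10) == "true")))
            current.apis.extend(pending_apis)
            pending_apis = []
            continue
        m = FUZZY_RE.search(line)
        if m and current is not None:
            current.fuzzy_hashes.append(m.group(1))
    return regions


def injected_regions(text: str) -> list:
    """Return (pid, base, sorted distinct API names) for each flagged region."""
    out = []
    for r in parse_report(text).values():
        if r.is_injected_code_candidate():
            out.append((r.pid, r.base, sorted({a for a, _, _ in r.apis})))
    return sorted(out)


if __name__ == "__main__":
    for pid, base, apis in injected_regions(SAMPLE_REPORT):
        print(f"pid {pid} region {base:#010x}: RWX private, not PE-backed; APIs {apis}")
```

Both regions in the sample (0x1590000 and 0x127D000, process 12) come out flagged, and the 0x1590000 region carries the CreateActCtxA, DuplicateHandle and GetModuleHandleW references seen above. Treat the flag as a triage hint to corroborate with the report's own "Injects a PE file into a foreign processes" signature rather than as proof: .NET JIT code heaps are also private RWX memory, so this heuristic alone cannot distinguish injected code from legitimately jitted managed code.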